I recently came across an SSL-related problem with noSQLmap. When I try to let it run against an older HTTPS server, I'm getting this error message:
```
$ python nosqlmap.py --attack 2 --https ON --httpMethod POST --verb ON --postData 'Something,test' --uri '/cgi-bin/mongo/2.2.3/dbparse.py' --webPort 443 --myPort 1234 --myIP 111.222.333.444 --victim 999.888.777.666 --platform MongoDB --injectedParameter 1 --injectSize 43 --injectFormat 1
Web App Attacks (POST)
===============
Checking to see if site at 999.888.777.666:443/cgi-bin/mongo/2.2.3/dbparse.py is up...
Traceback (most recent call last):
  File "nosqlmap.py", line 544, in <module>
    main(args)
  File "nosqlmap.py", line 45, in main
    attack(args)
  File "nosqlmap.py", line 163, in attack
    nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders, args)
  File "/mnt/Tools/NoSQLMap/nsmweb.py", line 428, in postApps
    appRespCode = urllib2.urlopen(req).getcode()
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1248, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1205, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)>
```
Expected behavior: I would have expected that the script simply runs the checks against the server.
Do you have an idea for a solution?
With a little bit of googling, I was able to find a quick fix by myself by:
Simply create a new OpenSSL file (e.g. called openssl.cnf) with the following contents:
Then export it as an environment variable:
```
export OPENSSL_CONF=openssl.cnf
```
After this, the error disappeared for me and the tool worked again. Source: https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
I just wanted to publish this here, in case someone else encounters the same problem 🙂
What are the running context details?
git clone the source code and then use pip to install all dependencies within a virtualenv
Kali Linux 2020.4
b199389ce936389ed56817647e375612244c1d1a
(Mongo): Mongo
(ModSecurity or unknown): no protection
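
An added example, not part of the original post or of NoSQLMap's code: rather than lowering the OpenSSL security level for the whole process through `OPENSSL_CONF`, a client can lower it on a single `SSLContext`, and only after the specific `DH_KEY_TOO_SMALL` failure, while certificate verification stays on. It assumes Python 3's `urllib.request` (the post uses Python 2.7's `urllib2`) and OpenSSL 1.1.0 or later; `tls_context`, `is_dh_too_small` and `fetch_status` are hypothetical names.

```python
import ssl
import urllib.error
import urllib.request


def tls_context(seclevel=None):
    """Verifying client context; optionally lower the security level
    for this context only (nothing process-wide is changed)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if seclevel is not None:
        # Level 1 accepts DH parameters down to 1024 bits.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=%d" % seclevel)
    return ctx


def is_dh_too_small(err):
    """True if err (URLError or SSLError) is the failure from the traceback."""
    reason = getattr(err, "reason", err)
    return "DH_KEY_TOO_SMALL" in str(reason)


def fetch_status(url, opener=urllib.request.urlopen):
    """Return (http_status, seclevel_used).

    The default context is tried first. The lowered level is used only
    when the handshake failed because of a small DH key, and the caller
    is told, so the weak server parameters can be recorded as a finding.
    """
    try:
        return opener(url, context=tls_context()).getcode(), None
    except urllib.error.URLError as err:
        if not is_dh_too_small(err):
            raise  # unrelated failure: do not weaken anything
    return opener(url, context=tls_context(1)).getcode(), 1


if __name__ == "__main__":
    # Constructed placeholder host; replace with a server you operate.
    print(fetch_status("https://legacy.example.invalid/"))
```
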