MongoDB security: Injection Attacks in php

MongoDB security: Injection Attacks in php 15:06:12 Source: 360 Security broadcast author: Mo Bai read: 35 times

Share:

Before discussing MongoDB injection, we must understand what it is and why we prefer it more than other databases. Because MongoDB does not use SQL, it is assumed that it is not vulnerable to any form of injection attacks. But believe me, there is nothing that comes with built-in security protection. We still need to set some logic code to prevent attacks.

What is MongoDB?

To put it simply, MongoDB is an open-source database developed by MongoDB. it can store files in different structures, similar to JSCON documents. The related information is stored together, which facilitates quick search using the MongoDB query language.

Why use MongoDB?

MongoDB is very popular because everyone wants to query it quickly. Its performance is very good (1000 millionsquries/s ). Another reason why it is more popular is that it is good at playing a role in many cases where related databases are not well adapted. For example, unstructured applications, semi-structured and multi-state data, or applications with high scalability requirements and multiple data centers.

So far! If you are running any open-source applications, it is up to this point to prevent bad situations. We provide a free penetration test for open-source projects. Submit the application here and we will evaluate it.

Let's take a look at the injection attack.

In the first case, we have a PHP script that displays the user name and password of a specific ID.

In the preceding script, the database name is secure and the set name is user. The U-id parameter is obtained by The GET algorithm and then passed to the array. then, relevant results are given. Sounds good? We try to put some comparison operators and arrays.

Bad !! The result is the entire database. What is the problem? This is because http: // localhost/mongo/show. php is entered? U_id [$ ne] = 2, created the following MongoDB query, $ qry = array ("id" => array ("$ ne" => 2 )). So it shows all results except id = 2, which can be seen in Screenshot 1.

Let's take another case into consideration. the work content of the script in the early stage is the same, but we will use the findOne method to create a MongoDB query.

First, let's take a look at how findOne works. This method has the following syntax:

Db. collection. findOne (query, projection)

This will return documents that meet the specified query conditions. For example, if we need to find the result related to id = 2, the following command will appear:

Now let's take a look at the source code:

The key point here is to break the query to some extent and then fix it. What will happen if we type the following query?

Http: // localhost/mongo/inject. php? U_name = dummy'}); return {something: 1, something: 2 }}// & u_pass = dummy

This will break the query and return the required parameters. Let's check the output:

This leads to two errors, but is this only because we want to access two nonexistent parameters? This error indirectly indicates that the user name and password are a parameter in the database, and this is what we want.

As long as we enter the correct parameters, the error will be eliminated.

Now we want to find the database name. In MongoDB, the method used to find the database name is db. getName (). Therefore, the query becomes:

To dump this database, we need to first find the name of the set. In MongoDb, the method used to find the set name is db. getCollectionNames ().

So far, we have obtained the name of the database and set. The remaining steps are to find the user name set. the procedure is as follows:

Similarly, we can change the internal function db. users. find () [2] to obtain other user names and passwords, for example:

Since everyone is familiar with MongoDb, you may want to know the relevant preventive measures.

Let's take a look at the first case where parameters are passed in the array. To prevent such injection, we may need to stop executing the comparison operators in the array. Therefore, one of the solutions is to use the implode () function in the following ways:

The value returned by the implode () function is a string array. Therefore, what we get is only the result corresponding to a specific ID, rather than all the results.

In the second case, we can use the addslashes () method to prevent the query from being broken by attackers. It is a good idea to use regular expressions to replace special symbols. You can use the following regular expressions:

$ U_name = preg_replace ('/[^ a-z0-9]/I', '\', $ _ GET ['U _ name']);

In this way, if we try to break the query, it will not repeat the same mistakes.

This article is translated by 360 security broadcasting.