The following describes a PHP + MongoDB injection method and the principle behind it.
One post said that login.php?username=admin&passwd[$ne]=1 could be injected. At first glance I wondered how such an injection vulnerability could exist; that post finally made it clear. Because PHP lets a request submit an array directly, the request above submits an array containing a "$ne" key. I made a demo:
[Php]
$passwd = $_GET["passwd"];
var_dump($passwd);
Test result (for passwd[$ne]=1):
array(1) {
  ["$ne"]=>
  string(1) "1"
}
In this case, because the submitted array is passed straight into the filter, the query that is actually executed becomes:
[Php]
$collection->find(array(
    "username" => "admin",
    "passwd" => array('$ne' => 1)
));
If the link is changed to username[$ne]=1&passwd[$ne]=1, the information of all users is returned.
The fix for this bug is to force-cast the parameters to the string type after reading them:
[Php]
$collection->find(array(
    "username" => (string) $_GET['username'],
    "passwd" => (string) $_GET['passwd']
));
The injected query is equivalent to executing the following MySQL statement:
[Php]
mysql_query("SELECT * FROM collection
    WHERE username = 'admin'
    AND passwd != 1");
I made a demo and tested it.
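To make the fix concrete, here is an added example (not code from the original post) that builds the login filter from a constructed request equivalent to passwd[$ne]=1 both the vulnerable way and the hardened way, and adds a small helper that flags operator-style keys for logging. The function names buildFilterVulnerable, buildFilterSafe, scalarParam and findOperatorKeys are my own, not from the post.

```php
<?php
// Added example, not from the original post: builds the MongoDB filter array from
// request parameters the vulnerable way and the hardened way, plus a detection helper.

// Constructed request, equivalent to ?username=admin&passwd[$ne]=1
$request = ['username' => 'admin', 'passwd' => ['$ne' => '1']];
// As in the post: the value is passed through untouched, so the array becomes an
// operator document ({"$ne": "1"}) instead of a password string.
function buildFilterVulnerable(array $get): array
{
    return ['username' => $get['username'], 'passwd' => $get['passwd']];
}
// Fail closed: accept only a plain string. A bare (string) cast, as in the post's fix,
// also blocks the injection but turns an array into the literal "Array" with a
// conversion warning; an explicit type check is stricter and easier to log.
function scalarParam(array $get, string $key): string
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        throw new InvalidArgumentException("parameter '$key' must be a string");
    }
    return $get[$key];
}
function buildFilterSafe(array $get): array
{
    return ['username' => scalarParam($get, 'username'),
            'passwd'   => scalarParam($get, 'passwd')];
}
// Detection helper: collect request keys that look like MongoDB operators ($ne, $gt, ...)
// so attempts can be logged even after the query code has been fixed.
function findOperatorKeys(array $params): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        if (is_string($key) && strncmp($key, '$', 1) === 0) {
            $hits[] = $key;
        }
        if (is_array($value)) {
            $hits = array_merge($hits, findOperatorKeys($value));
        }
    }
    return $hits;
}
echo json_encode(buildFilterVulnerable($request)), "\n";
echo 'operator keys: ', implode(', ', findOperatorKeys($request)), "\n";
try {
    buildFilterSafe($request);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The vulnerable builder emits the filter with the "$ne" operator document, while the hardened builder throws before any query is constructed; findOperatorKeys reports the "$ne" key so the attempt can be logged.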