Phpmongodb injection. Next I will introduce the php + mongodb injection methods and principles. one post says: login. php? Usernameadminpasswd [$ ne] 1 may be injected. when I was reading it, I felt quite puzzled. The following describes the php + mongodb injection methods and principles.
One of the posts said: login. php? Username = admin & passwd [$ ne] = 1 may be injected. at first glance, I was wondering how the injection vulnerability exists, finally refer from this post. Because PHP can directly submit an array, that is to say, it submits an array containing the "$ ne" index. I made a demo:
[Php]
$ Passwd = $ _ GET ["passwd"];
Var_dump ($ passwd );
$ Passwd = $ _ GET ["passwd"];
Var_dump ($ passwd );
Test results:
Array (1) {["$ ne"] => string (1) "1 "}
In this case
[Php]
$ Collection-> find (array (
"Username" => "admin ",
"Passwd" => array ("$ ne" => 1)
));
$ Collection-> find (array (
"Username" => "admin ",
"Passwd" => array ("$ ne" => 1)
));
To:
[Php]
$ Collection-> find (array ("username" => "admin", "passwd" => array ("$ ne" => 1 ))); $ collection-> find (array (
"Username" => "admin ",
"Passwd" => array ("$ ne" => 1)
));
If you change the link to this type (username = [$ ne] = 1 & passwd [$ ne] = 1), all user information will be obtained.
The solution to this bug is to forcibly convert the parameters to the string type after obtaining them:
[Php]
$ Collection-> find (array (
"Username" => (string) $ _ GET ['username'],
"Passwd" => (string) $ _ GET ['passwd']
));
$ Collection-> find (array (
"Username" => (string) $ _ GET ['username'],
"Passwd" => (string) $ _ GET ['passwd']
). This is the same as executing the following mysql statement.
[Php]
Mysql_query ("SELECT * FROM collection
WHERE username = "admin ",
AND passwd! = 1
Mysql_query ("SELECT * FROM collection
WHERE username = "admin ",
AND passwd! = 1
I made a demo and tested it.
One of the posts said: login. php? Username = adminpasswd [$ ne] = 1 may be injected. at first glance, I felt quite puzzled. this...