Ruby-China MongoDB injection allows stealing an administrator's (or any other user's) identity to post messages
First, a MongoDB injection is harmless as long as the attacker-controlled data only arrives as a parameter value in the query string. The problem arises when the parameter name itself is controllable, because of how the framework parses the parameter when the application reads it:
http://www.baidu.com/index?username[$ne]=x
When the application reads username and passes it into a MongoDB query, the value of username is no longer the string x.
This is a local test environment (node.js + mongoose + mongodb): the parameter is parsed into a nested (multi-dimensional) array, the MongoDB operator is carried through into the final query, and username is not the value x.
With the background covered, on to the actual issue:
The Ruby-China posting API uses a token for identity verification; each user has one token value.
Now call the posting API, set the post title and body, and set the token parameter to the $gt operator.
$gt means greater than or equal to, and the token is what verifies identity, so token[$gt]=123 turns into the following statement:
db.xxx.find({"token": {"$gt": 123}})
which returns every user whose token value is greater than or equal to 123.
Only the first returned record is then used for posting. That first record is an administrator, so the administrator's identity can be stolen to publish a post.
Solution:
Strictly filter (type-check) the parameters before they reach the query.
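As an added defensive example (my own illustration, not Ruby-China's code and not the node.js test environment described above), the following Ruby script imitates the nested query-string parsing that Rack/Rails perform, shows the selector that results when token[$gt]=123 is used as-is, and implements the "strictly filter parameters" fix by accepting only a plain string before the selector is built. The parse_nested_query helper, the selector builders, the InvalidParameter class and the constructed sample requests are assumptions made for this example; the MongoDB collection and field names match the write-up only by analogy.

```ruby
require 'cgi'

# Minimal imitation of the nested query-string parsing done by Rack/Rails
# (and by the qs module under Express): "a[b]=c" -> {"a" => {"b" => "c"}}.
# Keys are percent-decoded first, so token%5B%24gt%5D=123 is treated the same
# as token[$gt]=123; a filter therefore has to look at the decoded structure,
# not at the raw query string.
def parse_nested_query(query)
  params = {}
  query.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    # "token[$gt]" -> ["token", "$gt"]
    path = key.scan(/\A([^\[]+)|\[([^\]]*)\]/).flatten.compact
    next if path.empty?
    node = params
    path[0...-1].each do |segment|
      node[segment] = {} unless node[segment].is_a?(Hash)
      node = node[segment]
    end
    node[path.last] = value
  end
  params
end

# What the application hands to the driver when it trusts the parameter as-is:
# the operator hash from the parameter name becomes part of the selector.
def unsafe_token_selector(params)
  { 'token' => params['token'] }
end

class InvalidParameter < StandardError; end

# "Strictly filter parameters": a token is an opaque string, so refuse any
# other type (Hash, Array, nil) before it can reach the query builder.
def scalar_param(params, name)
  value = params[name]
  raise InvalidParameter, "#{name} must be a plain string" unless value.is_a?(String)
  value
end

# Hardened selector: the token is only ever compared for equality with a string.
def token_selector(params)
  { 'token' => scalar_param(params, 'token') }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests for the demonstration (not real traffic).
  normal   = parse_nested_query('title=hello&body=world&token=abc123')
  injected = parse_nested_query('title=hello&body=world&token[$gt]=123')
  p unsafe_token_selector(injected)   # {"token"=>{"$gt"=>"123"}}
  p token_selector(normal)            # {"token"=>"abc123"}
  begin
    token_selector(injected)
  rescue InvalidParameter => e
    puts "rejected: #{e.message}"
  end
end
```

Running the script prints the injected selector next to the rejected request. Checking the decoded parameter's type is the concrete form of the "strictly filter parameters" advice above; in a Rails application, Strong Parameters' permit with a plain attribute name already accepts only scalar values and drops a nested hash, which gives the same protection.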