Community Learn Tools Library Leisure
search
English
Home > Database > Mysql Tutorial > body text

Ruby China 的 Mongodb Hash 注入漏洞

WBOY
Release: 2016-06-07 16:41:23
Original
1229 people have browsed it

今天在 Ruby China 上看见一个 帖子,从下面的回复中发现是 Mongodb 的漏洞,然后顺便学习了下。 漏洞详细介绍 以用户登陆而言,需要先根据用户传过来的帐户名从数据库中找到这条记录,然后再验证密码。 用户登陆流程 一个登陆表单 input type= "text" name=

今天在 Ruby China 上看见一个 帖子,从下面的回复中发现是 Mongodb 的漏洞,然后顺便学习了下。

漏洞详细介绍

以用户登陆而言,需要先根据用户传过来的帐户名从数据库中找到这条记录,然后再验证密码。

用户登陆流程

一个登陆表单

<span class="nt"><input> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"session[account]"</span><span class="nt">></span>
<span class="nt"><input> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"session[password]"</span><span class="nt">></span>
</span></span>
Copy after login

当提交后,服务端得到的数据是这样的(去除其它 token 等信息)。

<span class="p">{</span>
  <span class="s2">"session"</span> <span class="o">=></span> <span class="p">{</span>
    <span class="s2">"account"</span>  <span class="o">=></span> <span class="s2">"username"</span><span class="p">,</span>
    <span class="s2">"password"</span> <span class="o">=></span> <span class="s2">"password"</span>
  <span class="p">}</span>
<span class="p">}</span>
Copy after login

然后服务端通过帐户名从数据库中取得记录

<span class="no">User</span><span class="o">.</span><span class="n">find_by</span><span class="p">(</span><span class="ss">account</span><span class="p">:</span> <span class="n">params</span><span class="o">[</span><span class="ss">:session</span><span class="o">][</span><span class="ss">:account</span><span class="o">]</span><span class="p">)</span>
<span class="c1"># => User.find_by(account: "username")</span>
Copy after login

看起来很正常,但是问题就出现在这一步。

上面的查询语句转换成 Mongodb 查询语句是这样的

<span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nx">find</span><span class="p">({</span> <span class="nx">account</span> <span class="o">:</span> <span class="nx">params</span><span class="p">[</span><span class="o">:</span><span class="nx">session</span><span class="p">][</span><span class="o">:</span><span class="nx">account</span><span class="p">]</span> <span class="p">}).</span><span class="nx">limit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
Copy after login

如果参数是普通的字符串,那么是没有问题的,但是如果它是一个 Hash 呢?

如果 params[:session][:account] 的值是 { "$ne" => "username" },那么得到的 Mongodb 查询语句就是这样的

<span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nx">find</span><span class="p">({</span> <span class="nx">account</span> <span class="o">:</span> <span class="p">{</span> <span class="nx">$ne</span> <span class="o">:</span> <span class="s2">"username"</span> <span class="p">}</span> <span class="p">}).</span><span class="nx">limit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
Copy after login

这段代码什么意思?找到所有 account 不等于 username 的记录。同样 $ne 可以换成其他 Mongodb 支持的操作,比如 $gt, $lt。username 也可以换成一串乱序字符串,这样就能得到用户集合中的所有记录。

注入

想让服务端得到的参数是 Hash 很简单,只需要手动修改一下表单就行了。

原表单

<span class="nt"><input> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"session[account]"</span><span class="nt">></span>
</span>
Copy after login

修改后的表单

<span class="nt"><input> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"session[account][$ne]"</span><span class="nt">></span>
</span>
Copy after login

这样,服务端得到的参数就是这个样子的。

<span class="p">{</span>
  <span class="s2">"session"</span> <span class="o">=></span> <span class="p">{</span>
    <span class="s2">"account"</span>  <span class="o">=></span> <span class="p">{</span>
      <span class="s2">"$ne"</span> <span class="o">=></span> <span class="s2">"username"</span>
    <span class="p">},</span>
    <span class="s2">"password"</span> <span class="o">=></span> <span class="s2">"password"</span>
  <span class="p">}</span>
<span class="p">}</span>
Copy after login
Copy after login

解决方法

将参数转化为字符串

Ruby China 的解决方法就是这种。

<span class="n">account</span> <span class="o">=</span> <span class="n">params</span><span class="o">[</span><span class="ss">:session</span><span class="o">][</span><span class="ss">:account</span><span class="o">].</span><span class="n">to_s</span>
<span class="no">User</span><span class="o">.</span><span class="n">find_by</span><span class="p">(</span><span class="ss">account</span><span class="p">:</span> <span class="n">account</span><span class="p">)</span>
Copy after login

Strong Parameters

Rails 4 开始提供了 Strong Parameters 用来对 params 参数进行过滤。基本语法是

<span class="k">def</span> <span class="nf">session_params</span>
  <span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:session</span><span class="p">)</span><span class="o">.</span><span class="n">permit</span><span class="p">(</span><span class="ss">:account</span><span class="p">,</span> <span class="ss">:password</span><span class="p">)</span>
<span class="k">end</span>
Copy after login

然后使用过滤后的数据进行查询数据库。

<span class="no">User</span><span class="o">.</span><span class="n">find_by</span><span class="p">(</span><span class="ss">account</span><span class="p">:</span> <span class="n">session_params</span><span class="o">[</span><span class="ss">:account</span><span class="o">]</span><span class="p">)</span>
Copy after login

Strong Parameters

Strong Parameters 是 Rails 4 中提供的用于过滤用户输入的机制,其核心的两个方法是

  • ActionController::Parameters#require
  • ActionController::Parameters#permit

require 用来获取参数中指定键的值

如果不存在则产生 ParameterMissing 异常

对于以下参数

<span class="p">{</span>
  <span class="s2">"session"</span> <span class="o">=></span> <span class="p">{</span>
    <span class="s2">"account"</span>  <span class="o">=></span> <span class="p">{</span>
      <span class="s2">"$ne"</span> <span class="o">=></span> <span class="s2">"username"</span>
    <span class="p">},</span>
    <span class="s2">"password"</span> <span class="o">=></span> <span class="s2">"password"</span>
  <span class="p">}</span>
<span class="p">}</span>
Copy after login
Copy after login

使用 params.require(:session) 后得到的结果是这样的

<span class="p">{</span>
  <span class="s2">"account"</span>  <span class="o">=></span> <span class="p">{</span>
    <span class="s2">"$ne"</span> <span class="o">=></span> <span class="s2">"username"</span>
  <span class="p">},</span>
  <span class="s2">"password"</span> <span class="o">=></span> <span class="s2">"password"</span>
<span class="p">}</span>
Copy after login

permit 用来对参数进行实际的过滤

对于 { "account" => "username", "password" => "password" },使用 permit(:account, :password) 得到的结果还是原 Hash,因为该 Hash 中的两个键都被 permit 了,而使用 permit(:account) 得到的结果是 { "account" => "username" },由于没有 permit :password,所以结果中 password 被过滤掉了。

如果是 { "account" => { "$ne" => "username" } } 的话,直接 permit(:account) 的结果是 nil

如果需要保留多级参数,需要明确指出。

<span class="n">permit</span><span class="p">(</span><span class="ss">:password</span><span class="p">,</span> <span class="ss">account</span><span class="p">:</span> <span class="p">:</span><span class="vg">$ne</span><span class="p">)</span>
<span class="c1"># 或者多个键</span>
<span class="n">permit</span><span class="p">(</span><span class="ss">:password</span><span class="p">,</span> <span class="ss">account</span><span class="p">:</span> <span class="o">[</span> <span class="p">:</span><span class="vg">$ne</span><span class="p">,</span> <span class="p">:</span><span class="vg">$regexp</span> <span class="o">]</span><span class="p">)</span>
Copy after login

总结

  1. 这个漏洞对于普通的用户表单登陆没有多大影响,因为这里只是查找记录,然后验证密码,所以只会提示用户密码错误而已。但是对于 API 接口就有隐患了,API 接口是通过 token 而不是验证密码登陆的。
  2. 这件事让我更加了解了 Rails 4 中 Strong Parameters 的厉害之处!

本文出自:http://blog.sloger.info/, 原文地址:http://sloger.info/posts/mongodb-hash-injection-bugs, 感谢原作者分享。

Related labels:
China hash mongodb ruby injection loopholes
source:php.cn
Previous article:corosync pacemaker nginx 高可用 安装配置 Next article:MR总结(三)-MapReduce组件自定义
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
function_exists() cannot determine the custom function Function test () {return true;} if (function_exists ('test')) {echo "test is function...
From 2024-04-29 11:01:01
0
2
1832
How to display the mobile version of Google Chrome Hello teacher, how can I change Google Chrome into a mobile version?
From 2024-04-23 00:22:19
0
10
2004
The child window operates the parent window, but the output does not respond. The first two sentences are executable, but the last sentence cannot be implemented.
From 2024-04-19 15:37:47
0
1
1688
There is no output in the parent window document.onclick = function(){ window.opener.document.write('I am the output of the child ...
From 2024-04-18 23:52:34
0
1
1589
Where is the courseware about CSS mind mapping? Courseware
From 2024-04-16 10:10:18
0
0
1610
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template