php mongodb 注入-php手册-php.cn

Home

php教程

php手册

php mongodb 注入

Jun 13, 2016 am 10:56 AM

mongodb php Down under introduce principle and Post method injection of

下面就介绍下php+mongodb注入的方法和原理

其中一篇帖子说：login.php?username=admin&passwd[$ne]=1就有可能注入，刚看的时候，我感觉挺纳闷的，这个怎么就存在注入漏洞了呢，终于从这篇帖子http://hi.baidu.com/hi_heige/item/ce93ce926dede4f428164747中发现了原因。因为PHP是可以直接提交array的，也就是说提交的是含有“$ne”索引的数组，我做了个demo：

[php]
$passwd=$_GET["passwd"];
var_dump($passwd);

$passwd=$_GET["passwd"];
var_dump($passwd);
测试结果为：

array(1) { ["$ne"]=> string(1) "1" }

这样的话

[php]
$collection->find(array(
"username" => "admin",
"passwd" => array("$ne" => 1)
));

$collection->find(array(
"username" => "admin",
"passwd" => array("$ne" => 1)
));
就变为了：

[php]

$collection->find(array(      "username" => "admin",      "passwd" => array("$ne" => 1) )); $collection->find(array(
    "username" => "admin",
    "passwd" => array("$ne" => 1)
));

如果把链接改成这种(username=[$ne]=1&passwd[$ne]=1)的话，那么会把所有的用户信息都获取过来

解决这个bug的方法为在获取参数后都把参数强制转换成string类型下：

[php]
$collection->find(array(
"username" => (string)$_GET['username'],
"passwd" => (string)$_GET['passwd']
));

$collection->find(array(
"username" => (string)$_GET['username'],
"passwd" => (string)$_GET['passwd']
));这个与执行下面的mysql语句是一样的道理了，都注入了

[php]

mysql_query("SELECT * FROM collection
WHERE username="admin",
AND passwd!=1

mysql_query("SELECT * FROM collection
WHERE username="admin",
AND passwd!=1
我做了个demo测试了下，果然好使。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn