
PHP MongoDB injection

Release: 2016-07-14 10:09:42


This article introduces the methods and principles of PHP + MongoDB injection.

One post said that login.php?username=admin&passwd[$ne]=1 may be injectable. When I first read it, I was quite puzzled: how could this be an injection vulnerability? I finally found the reason in this post: http://hi.baidu.com/hi_heige/item/ce93ce926dede4f428164747. PHP lets a request submit arrays directly, which means an array containing the "$ne" index can be submitted. I made a demo:


[php]
$passwd=$_GET["passwd"];
var_dump($passwd);

The test results are:

array(1) { ["$ne"]=> string(1) "1" }


In this case, the query becomes:

[php]
// Single quotes: inside double quotes PHP would interpolate $ne as a variable.
$collection->find(array(
    "username" => "admin",
    "passwd" => array('$ne' => 1)
));


If you change the link to username[$ne]=1&passwd[$ne]=1, then all user information will be obtained.

The way to fix this bug is to cast the parameters to string type after obtaining them:

[php]
$collection->find(array(
    "username" => (string)$_GET['username'],
    "passwd" => (string)$_GET['passwd']
));

This is the same as executing the following MySQL statement, both of which are injected with


[php]
// SQL equivalent of the injected MongoDB query
mysql_query("SELECT * FROM collection
    WHERE username='admin'
    AND passwd!=1");
I made a demo to test it, and it really works.
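
An added example, not code from the original article: a stricter variant of the string cast shown above. A cast turns an array parameter into the literal string "Array" (with a warning), so this example rejects non-string parameters before the filter reaches find(). `require_string` and `build_login_filter` are hypothetical helper names, and the query strings are constructed samples decoded with parse_str().

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original article): return a request
// parameter only if it is a plain string. Arrays such as passwd[$ne]=1
// are rejected instead of being cast.
function require_string(array $params, string $key): string
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        throw new InvalidArgumentException("parameter '$key' must be a string");
    }
    return $params[$key];
}

// Build the filter that would be passed to $collection->find().
function build_login_filter(array $params): array
{
    return [
        'username' => require_string($params, 'username'),
        'passwd'   => require_string($params, 'passwd'),
    ];
}

// Constructed sample query strings; parse_str() decodes them the same way
// PHP populates $_GET, including the bracket-to-array conversion.
$samples = [
    'username=admin&passwd=secret',
    'username=admin&passwd[$ne]=1',
];

foreach ($samples as $qs) {
    parse_str($qs, $params);
    try {
        $filter = build_login_filter($params);
        echo "$qs => accepted: ", json_encode($filter), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$qs => rejected: ", $e->getMessage(), "\n";
    }
}
```

In a request handler, the rejected case would map to an HTTP 400 response rather than a query.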

source:php.cn