Today I saw a post on Ruby China and, from the replies under it, found out that it was a MongoDB vulnerability, so I took the chance to study it.
Vulnerability details
Take user login as the example: the server first looks up the record in the database by the account name the user submitted, and only then verifies the password.
User login flow
A login form:

```html
<input type="text" name="session[account]">
<input type="password" name="session[password]">
```
After submission, the server receives the following data (token and other fields omitted):

```ruby
{ "session" => { "account" => "username", "password" => "password" } }
```
The server then fetches the record by account name:

```ruby
User.find_by(account: params[:session][:account]) # => User.find_by(account: "username")
```
That looks perfectly normal, but this is exactly where the problem is.
The query above translates into the following MongoDB query (with the value of params[:session][:account] substituted in):

```javascript
db.users.find({ account: params[:session][:account] }).limit(1)
```
If the parameter is a plain string there is no problem. But what if it is a Hash? If params[:session][:account] has the value { "$ne" => "username" }, the resulting MongoDB query is:

```javascript
db.users.find({ account: { $ne: "username" } }).limit(1)
```
What does that query mean? It finds every record whose account is not equal to "username". $ne can equally be replaced by any other operator MongoDB accepts in this position, such as $gt or $lt, and "username" by a string that belongs to no account at all; the condition then matches every document in the users collection, limit(1) returns the first of them, and find_by hands that document back as if it were the user who logged in.
Injection
Making the server receive a Hash is easy: just edit the form by hand. Rack parses bracketed field names into nested hashes, so one extra [$ne] level is all it takes; a JSON request body of {"session":{"account":{"$ne":"username"}}} produces the same parameters without touching a form.
Original form:

```html
<input type="text" name="session[account]">
```

Modified form:

```html
<input type="text" name="session[account][$ne]">
```

With that, the parameters the server receives look like this:

```ruby
{ "session" => { "account" => { "$ne" => "username" }, "password" => "password" } }
```
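To see how the modified form turns into an operator query end to end, here is an added example; it is not code from the original post or from Ruby China. It re-implements the bracket-notation parsing Rack does for form bodies, puts a toy in-memory users collection behind a matcher for the operators mentioned above, and runs the post's vulnerable lookup on top. The parser, the matcher, the two user records and every helper name are assumptions made for this example.

```ruby
require 'cgi'

# Re-implementation of the bracket-notation parsing Rack applies to form
# bodies and query strings (Rack::Utils.parse_nested_query), reduced to what
# the post needs: nested hashes only, no "[]" arrays.
# "session[account][$ne]=x" => { "session" => { "account" => { "$ne" => "x" } } }
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    path  = key.scan(/[^\[\]]+/) # "session[account][$ne]" -> ["session", "account", "$ne"]
    node  = params
    path[0...-1].each { |segment| node = (node[segment] ||= {}) }
    node[path.last] = value
  end
  params
end

# Constructed sample data standing in for the users collection. The first
# document is what an injected query hands back.
USERS = [
  { 'account' => 'admin', 'password' => 'correct horse' },
  { 'account' => 'alice', 'password' => 'battery staple' }
].freeze

# Evaluates one field condition the way MongoDB would, for the operators the
# post mentions. A plain value is an equality test; a Hash is an operator
# document, which is the whole problem.
def condition_matches?(stored, condition)
  return stored == condition unless condition.is_a?(Hash)

  condition.all? do |operator, operand|
    case operator
    when '$ne'    then stored != operand
    when '$gt'    then stored.to_s > operand.to_s
    when '$lt'    then stored.to_s < operand.to_s
    when '$regex' then stored.to_s.match?(Regexp.new(operand.to_s))
    else raise ArgumentError, "operator #{operator} not modelled here"
    end
  end
end

# db.users.find(query).limit(1): the first document satisfying every field.
def find_one(collection, query)
  collection.find { |doc| query.all? { |field, cond| condition_matches?(doc[field], cond) } }
end

# The lookup from the post, unchanged: whatever the client sent is the query.
def vulnerable_lookup(query_string)
  params = parse_nested_query(query_string)
  find_one(USERS, 'account' => params['session']['account'])
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_lookup('session[account]=alice&session[password]=x')['account']         # alice
  puts vulnerable_lookup('session[account][$ne]=anything&session[password]=x')['account'] # admin
end
```

The second call never names a real account, yet it comes back with the first document in the collection; a $gt with an empty operand or a $regex prefix does the same job, which is why the fix has to remove the operator Hash rather than blocklist $ne.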
Fix
Cast the parameter to a string
This is the fix Ruby China went with. A Hash cast with to_s becomes a literal string that matches no account, so no operator reaches the query; every parameter that ends up in a query needs the same treatment, not just this one.

```ruby
account = params[:session][:account].to_s
User.find_by(account: account)
```
Strong Parameters
Starting with Rails 4, Strong Parameters is available for filtering params. The basic syntax is:

```ruby
def session_params
  params.require(:session).permit(:account, :password)
end
```

The filtered data is then used for the database query. Note that for the injected request permit drops the nested Hash, so session_params[:account] is nil; reject blank values before querying, because { account: nil } still matches documents that have no account field at all.

```ruby
User.find_by(account: session_params[:account])
```
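An added example, not code from the post or from Rails, showing what the two fixes do to the injected value. coerce_account mirrors the to_s fix; permit_scalars imitates the scalar-only filtering of permit(:account, :password) on a plain Hash (Rails' real filter also accepts arrays of scalars and a few more scalar classes, so PERMITTED_SCALARS is this example's subset); safe_account adds the blank check that neither fix provides on its own. All function names and the PERMITTED_SCALARS list are assumptions made for this example.

```ruby
# Fix 1, the to_s cast: a Hash turns into its inspect form (e.g. '{"$ne"=>"username"}'),
# an account name nobody has, so no operator ever reaches the query.
def coerce_account(account_param)
  account_param.to_s
end

# Fix 2, an imitation of permit(:account, :password) for a plain Hash. A key
# listed bare only admits a scalar value; a nested Hash is not a scalar, so the
# injected account is dropped. Rails' real filter also accepts arrays of
# scalars and a few more classes; PERMITTED_SCALARS is this example's subset.
PERMITTED_SCALARS = [String, Symbol, Numeric, TrueClass, FalseClass, NilClass].freeze

def permit_scalars(params, *keys)
  keys.map(&:to_s).each_with_object({}) do |key, permitted|
    next unless params.key?(key)

    value = params[key]
    next unless PERMITTED_SCALARS.any? { |klass| value.is_a?(klass) }

    permitted[key] = value
  end
end

# What neither fix gives you on its own: after permit drops the Hash the account
# is nil, and { account: nil } still matches documents that have no account
# field. Refuse to build a query from a blank value.
def safe_account(session_params)
  account = permit_scalars(session_params, :account, :password)['account']
  if account.nil? || account.to_s.strip.empty?
    raise ArgumentError, 'account missing or not a scalar'
  end
  account.to_s
end

if __FILE__ == $PROGRAM_NAME
  injected = { 'account' => { '$ne' => 'username' }, 'password' => 'password' }
  p permit_scalars(injected, :account, :password) # {"password"=>"password"}
  p coerce_account(injected['account']).class     # String
end
```

Which of the two to use is a matter of where the check lives: to_s sits at the query, permit at the controller boundary, and the blank check belongs in front of whichever one you pick.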
Strong Parameters in detail
Strong Parameters is the mechanism Rails 4 provides for filtering user input. Its two core methods are:
ActionController::Parameters#require
ActionController::Parameters#permit
require returns the value stored under the given key and raises an ActionController::ParameterMissing exception if the key is absent (a key that is present with a blank value counts as missing too).
For the following parameters:

```ruby
{ "session" => { "account" => { "$ne" => "username" }, "password" => "password" } }
```

params.require(:session) returns:

```ruby
{ "account" => { "$ne" => "username" }, "password" => "password" }
```
permit does the actual filtering. Given { "account" => "username", "password" => "password" }, permit(:account, :password) returns the original Hash, because both of its keys were permitted, while permit(:account) returns { "account" => "username" }: password was not permitted, so it is filtered out.
Given { "account" => { "$ne" => "username" } }, permit(:account) returns an empty set of parameters, so session_params[:account] is nil. A key listed bare admits only scalar values (strings, numbers, booleans and the like); a nested Hash is not a scalar, so the injected value is dropped. By default Rails only logs the unpermitted keys; set config.action_controller.action_on_unpermitted_parameters = :raise in the development and test environments if you want such requests to fail loudly.
Nested parameters survive only if they are spelled out explicitly. Do this only for keys the client is genuinely meant to control: whitelisting an operator name such as $ne under a field used for a login lookup simply reinstates the injection.

```ruby
permit(:password, account: :$ne)
# or several keys
permit(:password, account: [:$ne, :$regex])
```
Summary
- For an ordinary login form the vulnerability has limited impact, because the lookup only selects the record and the password is verified afterwards, so the attacker gets nothing but a wrong-password error. An API endpoint is a different matter: it authenticates with a token instead of a password, so a lookup such as User.find_by(token: params[:token]) fed a token[$ne]= parameter returns the first user without the attacker knowing any token at all.
- This episode gave me a much better appreciation of how powerful Strong Parameters in Rails 4 are!
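The API case from the first summary point, as an added example that goes beyond the post: besides the $ne bypass, it shows why a token lookup is worse than a password lookup by using $regex to recover a token one character at a time from nothing but the endpoint's yes/no answer. The endpoint stand-in, the sample token records, the alphabet and the function names are all constructed for this example; none of it is from the original post.

```ruby
# Constructed sample data: API clients identified by a bearer token.
API_USERS = [
  { 'id' => 1, 'token' => 'k7f3q9z2' },
  { 'id' => 2, 'token' => 'a1b2c3d4' }
].freeze

TOKEN_ALPHABET = (('a'..'z').to_a + ('0'..'9').to_a).freeze

# Stand-in for an endpoint that does User.find_by(token: params[:token]) and
# answers only "authenticated or not". A String is compared for equality; a
# Hash is treated as an operator document, the mistake from the post. Only
# $ne and $regex are modelled.
def authenticated?(token_param)
  API_USERS.any? do |user|
    if token_param.is_a?(Hash)
      (!token_param.key?('$ne') || user['token'] != token_param['$ne']) &&
        (!token_param.key?('$regex') || user['token'].match?(Regexp.new(token_param['$regex'].to_s)))
    else
      user['token'] == token_param.to_s
    end
  end
end

# Blind extraction: no password check stands between the lookup and the
# session, so each probe token[$regex]=^<prefix><c> answers whether some token
# starts with that prefix. Extend the prefix until no character does.
def extract_token(alphabet, max_length: 64)
  prefix = ''
  max_length.times do
    next_char = alphabet.find do |ch|
      authenticated?('$regex' => "^#{Regexp.escape(prefix + ch)}")
    end
    break unless next_char

    prefix += next_char
  end
  prefix
end

if __FILE__ == $PROGRAM_NAME
  puts authenticated?('$ne' => '')   # true: token[$ne]= logs in with no token at all
  puts extract_token(TOKEN_ALPHABET) # a1b2c3d4
end
```

The same to_s or permit fix from the previous section closes this path, since neither lets a Hash reach the query. The extraction needs on the order of alphabet size times token length requests, all of them authentication attempts against one endpoint, which is the pattern to alert on in request logs while the fix is being deployed.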
This article comes from http://blog.sloger.info/; the original is at http://sloger.info/posts/mongodb-hash-injection-bugs. Thanks to the original author for sharing.
