
Ruby China's MongoDB Hash Injection Vulnerability

Jun 07, 2016 04:41 PM


Today I saw a post on Ruby China and learned from the replies below it that the issue was a MongoDB injection, so I took the opportunity to study it.

Vulnerability Details

Take user login as the example. The server first looks up the record in the database by the account name the user submitted, and only then verifies the password.

User Login Flow

A login form:

```html
<input type="text" name="session[account]">
<input type="text" name="session[password]">
```

After the form is submitted, the server receives data like this (other fields such as the CSRF token omitted):

```ruby
{
  "session" => {
    "account"  => "username",
    "password" => "password"
  }
}
```

The server then fetches the record by account name:

```ruby
User.find_by(account: params[:session][:account])
# => User.find_by(account: "username")
```

This looks perfectly normal, but this step is exactly where the problem lies.

The query above corresponds to the following MongoDB query:

```javascript
db.users.find({ account : params[:session][:account] }).limit(1)
```

If the parameter is an ordinary string there is no problem. But what if it is a Hash?

If params[:session][:account] is { "$ne" => "username" }, the MongoDB query becomes:

```javascript
db.users.find({ account : { $ne : "username" } }).limit(1)
```

What does this query mean? It selects every record whose account is not equal to username, and find_by returns the first of them. $ne can be swapped for any other operator MongoDB accepts in this position, such as $gt or $lt, and username can be replaced with a random string, in which case the filter matches every record in the users collection. Which user comes back first then depends only on the collection's natural order, not on anything the attacker knows.

Injection

Getting the server to receive a Hash is easy: just edit the form by hand (or rewrite the request body directly; the form is only a convenience for building it).

Original form:

```html
<input type="text" name="session[account]">
```

Modified form:

```html
<input type="text" name="session[account][$ne]">
```

Rack parses the bracketed field name into a nested Hash, so the params the server sees are now:

```ruby
{
  "session" => {
    "account"  => {
      "$ne" => "username"
    },
    "password" => "password"
  }
}
```
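To make the two steps above concrete (the bracketed field name turning into a nested Hash, and that Hash turning into a filter that matches every user), here is an added example that is not code from the original post or from Ruby China. It parses a form body the way Rack's bracket convention does, then evaluates the resulting MongoDB-style filter against a constructed in-memory user collection. The users, the form bodies, the plaintext sample passwords and the token-based api_login function are all assumptions made for the example; the evaluator implements only the operators the post mentions plus $regex, not MongoDB's full query language. It goes one step beyond the post by applying the same injected filter to a token lookup.

```ruby
require "uri"

# "session[account][$ne]=x" -> { "session" => { "account" => { "$ne" => "x" } } }
# Simplified model of Rack's nested query parsing (not Rack itself).
def parse_nested_query(body)
  body.split("&").each_with_object({}) do |pair, params|
    raw_key, raw_value = pair.split("=", 2)
    key   = URI.decode_www_form_component(raw_key)
    value = URI.decode_www_form_component(raw_value.to_s)
    head, rest = key.match(/\A([^\[]+)(.*)\z/).captures
    path = [head] + rest.scan(/\[([^\]]*)\]/).flatten
    node = params
    path[0...-1].each do |segment|
      node[segment] = {} unless node[segment].is_a?(Hash)
      node = node[segment]
    end
    node[path.last] = value
  end
end

# Subset of MongoDB's query operators, enough for the filters in the post.
# $regex takes an attacker-controlled pattern, which is also a ReDoS risk.
OPERATORS = {
  "$ne"    => ->(v, arg) { v != arg },
  "$gt"    => ->(v, arg) { v.is_a?(arg.class) && v > arg },
  "$lt"    => ->(v, arg) { v.is_a?(arg.class) && v < arg },
  "$regex" => ->(v, arg) { v.is_a?(String) && Regexp.new(arg).match?(v) },
}.freeze

# Does one document satisfy a filter such as { "account" => { "$ne" => "x" } }?
def matches?(doc, filter)
  filter.all? do |field, condition|
    value = doc[field]
    next value == condition unless condition.is_a?(Hash)
    condition.all? do |op, arg|
      OPERATORS.fetch(op) { raise ArgumentError, "unsupported operator #{op}" }.call(value, arg)
    end
  end
end

def find_documents(collection, filter)
  collection.select { |doc| matches?(doc, filter) }
end

# Mirrors User.find_by(...): the first matching document, or nil.
def find_first(collection, filter)
  find_documents(collection, filter).first
end

# Constructed sample collection. A real app stores a password digest, not the password.
USERS = [
  { "account" => "alice", "password" => "pw-alice", "token" => "tok-alice" },
  { "account" => "bob",   "password" => "pw-bob",   "token" => "tok-bob"   },
  { "account" => "carol", "password" => "pw-carol", "token" => "tok-carol" },
].freeze

# Form login as in the post: select the user by account, then check the password in code.
def form_login(body)
  session = parse_nested_query(body)["session"] || {}
  user = find_first(USERS, "account" => session["account"])
  user if user && user["password"] == session["password"]
end

# Hypothetical token-based API login (assumed, not described in the post):
# here the lookup itself is the whole authentication, so "token[$ne]=" is enough.
def api_login(body)
  find_first(USERS, "token" => parse_nested_query(body)["token"])
end
```

With the normal body session[account]=bob&session[password]=pw-bob, form_login returns bob. With session[account][$ne]=zz, the filter matches all three users, find_first returns alice, and the password check then fails, which is the "wrong password" outcome the post describes. api_login("token[$ne]=") returns alice with no credential at all.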

Mitigations

Convert the parameter to a string

This is the fix Ruby China adopted:

```ruby
account = params[:session][:account].to_s
User.find_by(account: account)
```

A Hash coerced with to_s becomes its inspect string (something like {"$ne"=>"username"}), which is then looked up as a literal account name and matches nothing, so the operator is neutralised. Note that a missing parameter becomes "" rather than nil, so in that case the lookup is for the empty account name.

Strong Parameters

Starting with Rails 4, Strong Parameters are available for filtering params. The basic syntax is:

```ruby
def session_params
  params.require(:session).permit(:account, :password)
end
```

Then query the database with the filtered data:

```ruby
User.find_by(account: session_params[:account])
```

Strong Parameters in more detail

Strong Parameters is the mechanism Rails 4 provides for filtering user input. Its two core methods are:

  • ActionController::Parameters#require
  • ActionController::Parameters#permit

require fetches the value of a given key from the params

If the key is absent (or its value is blank), it raises ActionController::ParameterMissing, which Rails renders as a 400 Bad Request by default.

For the following params:

```ruby
{
  "session" => {
    "account"  => {
      "$ne" => "username"
    },
    "password" => "password"
  }
}
```

params.require(:session) yields:

```ruby
{
  "account"  => {
    "$ne" => "username"
  },
  "password" => "password"
}
```

permit does the actual filtering

Given { "account" => "username", "password" => "password" }, permit(:account, :password) returns the same Hash, because both keys are permitted, whereas permit(:account) returns { "account" => "username" }: password was not permitted, so it is filtered out.

Given { "account" => { "$ne" => "username" } }, permit(:account) drops account altogether, because a bare key in permit only lets through permitted scalar values (strings, numbers and the like), never a nested Hash. The result is an empty set of parameters, so session_params[:account] is nil. By default Rails at most logs the unpermitted key (it raises only with config.action_controller.action_on_unpermitted_parameters = :raise), so it is worth checking that the value is present before querying; find_by(account: nil) is a query the login never meant to run.

If nested parameters must be kept, they have to be spelled out explicitly:

```ruby
permit(:password, account: :$ne)
# or several keys
permit(:password, account: [ :$ne, :$regexp ])
```
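The following added example (not Rails' own code, and not from the original post) is a deliberately small model of what require and permit do to the params in this post, placed beside the to_s coercion from the "Convert the parameter to a string" section so the two fixes can be compared on the same injected input. The model reproduces the behaviour described above: a bare key in permit passes only permitted scalar values, a Hash under a bare key is dropped, nested keys pass only when spelled out as key: [...], and require raises when the key is missing or blank. Unpermitted keys are silently dropped here, whereas real Rails can also log or raise. The ParameterMissing class, the function names and the account_strict check are assumptions made for the example.

```ruby
class ParameterMissing < StandardError; end

# The "permitted scalar" types a bare permit key lets through (subset of Rails' list).
PERMITTED_SCALARS = [String, Symbol, Numeric, TrueClass, FalseClass, NilClass].freeze

def permitted_scalar?(value)
  PERMITTED_SCALARS.any? { |klass| value.is_a?(klass) }
end

# Model of params.require(:session): the value under the key, or an error if missing/blank.
def require_param(params, key)
  value = params[key.to_s]
  if value.nil? || (value.respond_to?(:empty?) && value.empty?)
    raise ParameterMissing, "param is missing or the value is empty: #{key}"
  end
  value
end

# Model of params.permit(:a, :b, c: [:d]): copy only what the filter spells out.
def permit(params, *filters)
  filters.each_with_object({}) do |filter, out|
    case filter
    when Symbol, String
      key = filter.to_s
      # A nested Hash under a bare key is not a permitted scalar: it is dropped.
      out[key] = params[key] if params.key?(key) && permitted_scalar?(params[key])
    when Hash
      filter.each do |key, subfilter|
        nested = params[key.to_s]
        out[key.to_s] = permit(nested, *Array(subfilter)) if nested.is_a?(Hash)
      end
    end
  end
end

# The injected params from the post (constructed sample input).
INJECTED = {
  "session" => { "account" => { "$ne" => "username" }, "password" => "password" },
}.freeze

# Fix 1 (Ruby China): coerce to String. The Hash becomes its inspect string,
# a literal account name that matches nothing; the operator is gone.
def account_via_to_s(params)
  params["session"]["account"].to_s
end

# Fix 2: Strong Parameters. The nested Hash is not a permitted scalar,
# so "account" is dropped and the lookup value is nil.
def account_via_permit(params)
  permit(require_param(params, :session), :account, :password)["account"]
end

# Stricter than either fix (added suggestion): accept only a non-empty String,
# so neither an operator Hash nor a nil ever reaches the query.
def account_strict(params)
  value = params.dig("session", "account")
  raise ArgumentError, "account must be a non-empty string" unless value.is_a?(String) && !value.empty?
  value
end
```

permit(INJECTED["session"], :account, :password) returns only { "password" => "password" }; permit(INJECTED["session"], :password, account: [:$ne]) keeps the operator Hash, which is why nested keys should be permitted only when the application really expects them.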

Summary

  1. For an ordinary form login this vulnerability has little impact, because the query only selects a record and the password is then verified in application code against that record, so the attacker merely gets a wrong-password message. API endpoints are another matter: they authenticate by token rather than by verifying a password, so the lookup is the whole authentication, and the same trick applied to the token parameter makes it return the first user whose token differs from the supplied value, logging the attacker in as that user.
  2. This episode gave me a much better appreciation of how powerful Strong Parameters in Rails 4 are!