MongoDb应用程序安全
我正在检查MongoDB应用程序。我的系统上安装了一个应用程序,当我在输入框中输入单引号(')时,会弹出以下错误:MongoDb应用程序安全,mongodb,Mongodb,我正在检查MongoDB应用程序。我的系统上安装了一个应用程序,当我在输入框中输入单引号(')时,会弹出以下错误: A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred. /usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in () 41 print
A problem occurred in a Python script. Here is the sequence of function calls leading up to the error, in the order they occurred.
/usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in ()
41 print "</th>"
42 if where:
=> 43 for record in collection.find(where):
44 print "<tr>"
45 print "<td align=\"center\">"+record["test"]+"</td>"
record undefined, collection = Collection(Database(MongoClient('localhost', 27017), u'test_d'), u'london_garages'), collection.find = <bound method Collection.find of Collection(Data...', 27017), u'test_d'), u'l_g')>, where = {'$where': "this.test== ''--'"}
Python脚本中出现问题。下面是导致错误的函数调用序列,按发生顺序排列。
/usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in()
41打印“
42如果:
=>43,用于集合中的记录。查找(其中):
44打印“
45打印“”+记录[“测试”]+“”
记录未定义,collection=collection(数据库(MongoClient('localhost',27017),u'test_d'),u'london_garages'),collection.find=,如果查看错误和以下部分:
where = {'$where': "this.test== ''--'"}
我假设单引号指向where子句(某种搜索),因此您的代码可能如下所示:
where = {'$where': "this.test== '[YOUR TEXT BOX INPUT]--'"}
单引号过早地终止了where子句。这是NoSQL注入的一个很好的演示