MongoDB NoSQL injection, escape string


I'm trying to escape the query string in a web app based on pymongo and mongodb. I'm able to get the collection names, but I can't display their contents, since I'm injecting into a where clause. Maybe I can try blind?

as follows:

dbparse.py?Parm1='||(tojsononeline(db.system.find()[0])[0]=='u')|'

But my question is, is there a way to escape the string to inject code and try for RCE?

The error when quotes are sent as the Parm1 input:

/usr/lib/cgi-bin/mongo/2.2.3/dbparse.py in ()
     41 print "</th>"
     42 if where:
=>   43    for record in collection.find(where):
     44         print "<tr>"
     45         print "<td align=\"center\">"+record["Param1"]+"</td>"
record undefined, collection = Collection(Database(MongoClient('localhost', 27017), u'test_db'), u'test_colle'), collection.find = <bound method Collection.find of Collection(Data...', 27017), u'test_db'), u'test_colle')>, where = {'$where': "this.Parm1 == ''''}

<class 'pymongo.errors.OperationFailure'>: database error: $where compile error
      args = (u'database error: $where compile error',)
      code = None
      message = u'database error: $where compile error' 

Program source code:

#!/usr/bin/python

# Import modules for CGI handling
import cgi, cgitb
cgitb.enable()
from pymongo import MongoClient
# Create instance of FieldStorage
form = cgi.FieldStorage()

# Connect to db
client = MongoClient()
db = client.test_db
collection = db.test_colle

# Get data from fields
condition = form.getvalue('Param1')
if condition:
    # User input is concatenated straight into server-side JavaScript
    where = {"$where": "this.Param1 == '"+condition+"'" }
else:
    where = ""
print "Content-type:text/html\r\n\r\n"
print "<html>"
print "<head>"
print "<title>Hello - Second CGI Program</title>"
print "</head>"
print "<body>"
print "<h2>DDB Company name</h2>"
#print "<div name=\"debug\" value=\""+where+"\"/>"
form = """<form action="/mongo/2.2.3/dbparse.py" method="post">
CompanyName: <input type="text" name="Param1"><br />

<input type="submit" value="Submit" />
</form>"""
print form
print "<table>"
print "<tr>"
print "<th>Param1</th>"
print "<th>GarageName</th>"
print "<th>CompanyAddress</th>"
print "<th>GarageAddress</th>"
print "</tr>"
if where:
    for record in collection.find(where):
        print "<tr>"
        print "<td align=\"center\">"+record["Param1"]+"</td>"
        print "<td align=\"center\">"+record["GarageName"]+"</td>"
        print "<td align=\"center\">"+record["CompanyAddress"]+"</td>"
        print "<td align=\"center\">"+record["GarageAddress"]+"</td>"
        print "</tr>"
else:
    for record in collection.find():
        print "<tr>"
        print "<td align=\"center\">"+record["Param1"]+"</td>"
        print "<td align=\"center\">"+record["GarageName"]+"</td>"
        print "<td align=\"center\">"+record["CompanyAddress"]+"</td>"
        print "<td align=\"center\">"+record["GarageAddress"]+"</td>"
        print "</tr>"
print "</table>"
print "</body>"
print "</html>"

#c = db.my_collection.find({"$where": condition})
#try:
#   print c.next()
#except Exception,e:
#   print str(e)

posted by morganalexisxxx 20.11.2016 - 14:06
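Added example, not the question's dbparse.py and written for Python 3: the page's $where construction placed beside a plain equality filter that makes the quote problem disappear, plus HTML-escaped output because the original prints record fields raw. The field names are the question's own; the collection object passed to lookup() is assumed to be any pymongo-like collection with a find() method.

```python
import html

# Schema from the question's table; constructed constant, not from the program.
COLUMNS = ("Param1", "GarageName", "CompanyAddress", "GarageAddress")


def build_where_unsafe(param1):
    """Mirror of the original: user input glued into a JavaScript expression.

    A single quote in param1 closes the JS string literal early, which is
    the '$where compile error' shown in the question's traceback.
    """
    return {"$where": "this.Param1 == '" + param1 + "'"}


def build_filter_safe(param1):
    """Equality filter instead of $where.

    pymongo encodes the value as a BSON string, so quotes or JS operators in
    it are compared as characters and never evaluated. The type check also
    rejects the list cgi.FieldStorage returns when Param1 is repeated and any
    operator document a JSON body could carry. Independently of this, the
    mongod --noscripting option disables server-side JavaScript entirely.
    """
    if not isinstance(param1, str):
        raise TypeError("Param1 must be a single string")
    return {"Param1": param1}


def render_row(record):
    """HTML-escape every cell; the original concatenates record fields raw."""
    cells = "".join(
        '<td align="center">%s</td>' % html.escape(str(record.get(c, "")))
        for c in COLUMNS
    )
    return "<tr>" + cells + "</tr>"


def lookup(collection, param1):
    """Same behaviour as the CGI handler: filtered when Param1 is set, else all."""
    if param1:
        rows = collection.find(build_filter_safe(param1))
    else:
        rows = collection.find()
    return "".join(render_row(r) for r in rows)
```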

0 answers
