Mexican SQL manual injection vulnerability test (mongodb database) problem solution

The environment of the topic is Nginx+PHP+MongoDB. And the following code is given

In terms of the investigation knowledge points of the topic , That's it MD5 value .
First, let's open the link , Discovery is the user login interface （ If not, please wait a moment ）, Then as usual , Click on the notice , Find out id Information about

Let's read the code , stay query This part , hold id After inserting , Directly returned the queried data.
User entered id The value of is directly inserted into the database without any escape , In this place, we can id The value of is

1'});

In this way, the query statement becomes

db.notice.find({
    'id':'1'})'})

You can see that the back part is filtered , Then if it is modified to the following part

id=1'}); return ({title:tojson(db.Authority_confidential.find()[1]),2: 1

The assembled statement is

db.notice.find({
    'id':'1'}); return ({
    title:tojson(db.Authority_confidential.find()[1]),2: 1'})

find The function finds all the data ,tojson Yes convert to json Format , So we can find out all Authority_confidential Data in the library , The effect is as follows

Take a look md5 value , Then log in , Get key