Couchbase injection?

Question

Couchbase is a relatively new NoSQL database. Like any other new technology, it comes with some security concerns. I've spent quite some time trying to understand the risk of injection using the go-couchbase client library. According to their documentation, I know that it is possible to form schema and JavaScript injection attacks. However, I was not able to form any nasty attack. It seems like plain string values are not being parsed (eval'd) on the Couchbase side. Here is my sample:

    // Open the bucket with the credentials from the bucket info `bi`
    cbbucket, err = cbpool.GetBucketWithAuth(bi.Name, bi.Name, bi.Password)
    if err != nil {
        fmt.Printf("Failed to connect to bucket %s %v", bi.Name, err)
        return
    }
    // Attacker-controlled request body, passed to Set as a plain Go string
    input := `{"v1":"Malicous"}`
    err = cbbucket.Set("k1", 0, input)
    if err != nil {
        fmt.Printf("set failed error %v", err)
        return
    }

I assume the input is the point where an attacker can manipulate data. Nevertheless, what is stored in Couchbase is a harmless (escaped) version of the input. Here is the stored value in the DB:

"{\"v1\":\"Malicous\"}"

By looking at the encoding/json package, I came to know that Go can parse generic JSON objects on the fly using interface{}. Therefore, I have modified my exploitation code as follows:

    cbbucket, err = cbpool.GetBucketWithAuth(bi.Name, bi.Name, bi.Password)
    if err != nil {
        fmt.Printf("Failed to connect to bucket %s %v", bi.Name, err)
        return
    }
    // Same attacker-controlled body, but decoded into a generic value first
    input := `{"v1":"Malicous"}`
    b := []byte(input)
    var f interface{}
    // err is already declared above, so this must be an assignment, not ":="
    err = json.Unmarshal(b, &f)
    if err != nil {
        fmt.Printf("unmarshal failed error %v", err)
        return
    }
    // The decoded object, not a string, is what the client encodes and stores
    err = cbbucket.Set("k1", 0, &f)
    if err != nil {
        fmt.Printf("set failed error %v", err)
        return
    }

This time the exploitation succeeds. Here is the malicious JSON object stored in Couchbase:

{
  "v1": "Malicous"
}

Well, this exploitation is not so exciting... as it really requires the developer to blindly Unmarshal user input and store it in the DB. I was wondering if there are other, easier exploitation techniques, derived from string concatenation, which do not require such huge carelessness.

Answer 1

Score: 1

For access via key like you are doing, Couchbase does not parse or validate the value being written into the database. That is an application side function. As long as the value is in a form Couchbase Server understands, it is just written as the value for that object.
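
Worked example, added here and not code from the question or from go-couchbase, showing with encoding/json alone (so it runs offline, with no Couchbase server) why the two variants in the question land differently in the bucket, and the typed-decode alternative that the answer's "application side function" point implies. It assumes that go-couchbase's Set encodes its value with encoding/json, which is consistent with the two stored values quoted in the question; the `Profile` type, the `storeAs*` helpers and the second, constructed input carrying an extra `is_admin` field are illustrations, not anything from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// encodeForStore models what a JSON-encoding client would send as the
// document body. Assumption: go-couchbase's Set marshals its value with
// encoding/json, which matches the stored values shown in the question.
func encodeForStore(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// storeAsString is the first variant from the question: the raw request
// body is handed over as a Go string, so it is stored as one JSON string
// and its quotes are escaped. Nothing inside it is interpreted.
func storeAsString(input string) (string, error) {
	return encodeForStore(input)
}

// storeAsGeneric is the second variant: the body is decoded into
// interface{} first, so whatever object shape the sender chose is stored
// as-is, including fields the application never defined.
func storeAsGeneric(input string) (string, error) {
	var f interface{}
	if err := json.Unmarshal([]byte(input), &f); err != nil {
		return "", err
	}
	return encodeForStore(f)
}

// Profile is a hypothetical application document type used for the
// hardened variant below.
type Profile struct {
	V1 string `json:"v1"`
}

// storeAsTyped decodes into a fixed struct and rejects unknown fields, so
// the stored document can only ever have the shape the application defined.
// This is the "application side" validation Couchbase itself does not do.
func storeAsTyped(input string) (string, error) {
	dec := json.NewDecoder(strings.NewReader(input))
	dec.DisallowUnknownFields()
	var p Profile
	if err := dec.Decode(&p); err != nil {
		return "", err
	}
	return encodeForStore(p)
}

func main() {
	// Constructed inputs: the question's payload, and one that smuggles an
	// extra field into the document.
	for _, in := range []string{
		`{"v1":"Malicous"}`,
		`{"v1":"Malicous","is_admin":true}`,
	} {
		s, _ := storeAsString(in)
		g, _ := storeAsGeneric(in)
		t, err := storeAsTyped(in)
		fmt.Printf("input:   %s\nstring:  %s\ngeneric: %s\ntyped:   %q (err=%v)\n\n", in, s, g, t, err)
	}
}
```

With the first input, the string variant stores `"{\"v1\":\"Malicous\"}"` and the generic variant stores `{"v1":"Malicous"}`, exactly the two values quoted in the question. With the second input the generic variant silently stores the extra field, while the typed variant returns an unknown-field error and stores nothing, which is the check worth adding wherever untrusted JSON is decoded before a key/value write.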

Posted by huangapple on 2015-08-13 00:12:01
Please keep this link when reposting: https://go.coder-hub.com/31970422.html