Introduction
Some time back I was in the NotSoSecure CTF competition. The challenge was to use SQL injection (of any kind) to obtain 2 flags; to capture one flag, users were required to register as an admin. The application was vulnerable to a column truncation SQL injection vulnerability. Column truncation SQL injection is a very interesting vulnerability; it's actually a buffer overflow vulnerability. O yeah, you heard me. You might think I have gone insane, because usually buffer overflow is related to system exploitation. Part of that is true, but this vulnerability is in web applications, and amazingly it was found in the most popular blogging platform, WordPress.
Column truncation SQL injection vulnerability description
This vulnerability arises when the application's structural logic does not match the database's structural logic. When the database applies an input length limit but the application allows input of any length, strings longer than the limit are truncated upon insertion into the database. Truncating strings longer than the column limit is the database's default behaviour; it emits a warning, but the warning has no impact on the insert. So how is this a security vulnerability?
Let's take an example.
On a website, users are allowed to register with any username (other than the ones that are already taken).
The application has no limit on the length of the username.
The database column for the username has a length limit of 20 chars.
MySQL is in its default configuration.
Explanation
Now if a user tries to register as "admin", it won't be registered because "admin" is already taken. What if the user tries to register as "admin " (with a trailing space)? It still won't get registered, because the trailing spaces after "n" are ignored due to the relaxed rules MySQL uses for string comparisons. If MySQL did binary comparisons of strings, things would be different, because it would compare the strings byte by byte, which makes leading or trailing spaces significant; but by default, and in most cases, a binary collation is not used. (A collation defines the set of rules MySQL uses for comparisons.) A binary collation should be used specifically when accurate, case-sensitive, or cross-language character/string comparisons are needed. Some applications, as in the case of the WordPress column truncation SQL injection vulnerability, also apply a trim() function to the user login, which removes leading and trailing spaces.
Now what if a user tries to register with the name "admin" followed by 15 spaces and then "x", 21 chars in total? The column limit is 20, so the last "x" gets truncated; then the spaces get removed, so "admin" is inserted into the database along with the password the user provides during registration. Hence the user gains the admin's privileges.
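The walkthrough above can be run end to end with a small model of the two MySQL behaviours it relies on. This is an added example, not code from the original post or from WordPress: the `UsernameTable` class is a stand-in for a users table with a VARCHAR(20) username column, simulating silent truncation in MySQL's non-strict SQL mode (newer MySQL versions default to strict mode, where the over-long insert fails instead) and the trailing-space-insensitive comparison of the default PAD SPACE collation. `register_vulnerable` is the registration flow described on this page; `register_hardened` shows the application-side fixes a defender would add, and the `strict_mode` flag shows the database-side one.

```python
"""Model of the column-truncation registration bug described above.

Assumptions (not from the original post): a users table with a
VARCHAR(20) username column, a non-strict sql_mode that truncates
over-long values, and a PAD SPACE collation that ignores trailing
spaces in comparisons. Nothing here talks to a real MySQL server.
"""

USERNAME_COLUMN_LENGTH = 20  # VARCHAR(20), the limit used in the example


class UsernameTable:
    """Toy stand-in for the users table; rows are (username, password)."""

    def __init__(self, strict_mode: bool = False) -> None:
        self.rows: list[tuple[str, str]] = []
        # True models sql_mode=STRICT_TRANS_TABLES, where MySQL raises
        # "Data too long for column" instead of truncating.
        self.strict_mode = strict_mode

    @staticmethod
    def _collate(value: str) -> str:
        # PAD SPACE collations compare as if trailing spaces were absent.
        return value.rstrip(" ")

    def matching(self, username: str) -> list[str]:
        """Passwords of every row the database considers equal to username.

        Models: SELECT password FROM users WHERE username = %s
        """
        key = self._collate(username)
        return [pw for name, pw in self.rows if self._collate(name) == key]

    def exists(self, username: str) -> bool:
        return bool(self.matching(username))

    def insert(self, username: str, password: str) -> None:
        """Models: INSERT INTO users (username, password) VALUES (%s, %s)"""
        if len(username) > USERNAME_COLUMN_LENGTH:
            if self.strict_mode:
                raise ValueError("Data too long for column 'username'")
            # Non-strict mode: warning only, value silently cut to 20 chars.
            username = username[:USERNAME_COLUMN_LENGTH]
        self.rows.append((username, password))


def register_vulnerable(db: UsernameTable, username: str, password: str) -> bool:
    """Registration as described on the page: duplicate check, no length check."""
    if db.exists(username):
        return False
    db.insert(username, password)
    return True


def register_hardened(db: UsernameTable, username: str, password: str) -> bool:
    """Same flow with the application-side fixes.

    Normalise first, enforce the column limit in the application so the
    database never has to truncate, and run the duplicate check against
    the exact value that will be stored.
    """
    normalised = username.strip()
    if not normalised or len(normalised) > USERNAME_COLUMN_LENGTH:
        return False
    if db.exists(normalised):
        return False
    db.insert(normalised, password)
    return True


# Constructed attacker input: "admin" + 15 spaces + "x" = 21 characters.
PADDED_ADMIN = "admin" + " " * 15 + "x"


def demo() -> dict:
    """Run the three scenarios and report what each database ends up with."""
    vulnerable = UsernameTable()
    vulnerable.insert("admin", "real-admin-secret")  # constructed seed row
    accepted = register_vulnerable(vulnerable, PADDED_ADMIN, "attacker-chosen")

    hardened = UsernameTable()
    hardened.insert("admin", "real-admin-secret")
    rejected_by_app = not register_hardened(hardened, PADDED_ADMIN, "attacker-chosen")

    strict = UsernameTable(strict_mode=True)
    strict.insert("admin", "real-admin-secret")
    try:
        register_vulnerable(strict, PADDED_ADMIN, "attacker-chosen")
        rejected_by_db = False
    except ValueError:
        rejected_by_db = True

    return {
        "vulnerable_accepted": accepted,
        # Passwords a login query for "admin" now matches on the vulnerable DB
        "vulnerable_admin_passwords": vulnerable.matching("admin"),
        "hardened_rejected": rejected_by_app,
        "strict_mode_rejected": rejected_by_db,
        "strict_rows": len(strict.rows),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the vulnerable table the duplicate check passes because the 21-character input is not equal to "admin", the insert truncates it to "admin" plus 15 spaces, and a lookup for "admin" then matches two rows, one of them carrying the attacker-chosen password. Either fix alone closes the path: the application-side length and normalisation check never lets the over-long value reach the database, and strict SQL mode turns the truncation into an insert error. Adding a UNIQUE index on the username column is a further database-side guard worth having, since the padded row compares equal to "admin" under the same collation.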