
SQL Truncation


Last updated 3 years ago

In this challenge, there is a register form to create a new account and a validation form where we can enter the admin's password to access the admin panel.

  • /register.php:

  • /admin.php:

Something about SQL Truncation:

SQL Truncation is a flaw in database configuration in which an input is truncated (cut off) when inserted into the database because it exceeds the maximum defined length of the column (for example: if table user has a column username with a defined length of 20 and you create a new user whose username is longer than 20 characters, everything from the 21st character onward is silently dropped).

You can use SQL Truncation to create a new user that has the same username as an existing user (admin or something else).

For example:

The database has an admin user whose username is admin, and the defined length of username is 20.

I will create a new user with the username:

admin+++++++++++++++hihi (each + is a space)

Because the defined length of username is 20, everything from the 21st character onward will be truncated.

So the username of the new user in the database becomes admin followed by 15 spaces (20 characters in total; hihi is cut off):

Next time an attacker logs in to the application with the admin account, the database will search for all matching accounts and will consider them valid for logging in. Therefore any entry with username as admin with space or without is a valid entry that can be used to authenticate to the application.

Reference: https://medium.com/r3d-buck3t/bypass-authentication-with-sql-truncation-attack-25a0c33ab87f

Back to the challenge, let's look at the table user:

You can see that login (the username column) has a defined length of 12, so we just need to create an account whose username is longer than 12 characters ('admin' padded with whitespace to 12 characters, plus random characters after).

Account is created successfully:

Use the password of the account you just created to validate; you can then access the admin panel and get the flag:
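As an added example (not part of the original writeup), the script below models the challenge's registration flow in Python with sqlite3. SQLite does not truncate oversize values, so the two MySQL behaviours the attack relies on, silent truncation of a VARCHAR(12) in non-strict sql_mode and trailing-space-insensitive comparison of a PAD SPACE collation, are modelled explicitly; the table name, column names and the admin password are constructed for the demo.

```python
import sqlite3

# Column length of `login` as shown in the challenge's table dump.
LOGIN_MAX_LEN = 12


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the real admin row (constructed values)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'REAL_ADMIN_PASSWORD')")
    return con


def mysql_nonstrict_store(value: str, max_len: int) -> str:
    """Model a non-strict MySQL VARCHAR(n): oversize input is silently cut at n."""
    return value[:max_len]


def register_vulnerable(con: sqlite3.Connection, login: str, password: str) -> None:
    """No length check: the database quietly truncates the login on insert."""
    stored = mysql_nonstrict_store(login, LOGIN_MAX_LEN)
    con.execute("INSERT INTO users VALUES (?, ?)", (stored, password))


def login_ok(con: sqlite3.Connection, login: str, password: str) -> bool:
    """Model a PAD SPACE collation: trailing spaces are ignored when comparing."""
    row = con.execute(
        "SELECT 1 FROM users WHERE RTRIM(login) = RTRIM(?) AND password = ?",
        (login, password),
    ).fetchone()
    return row is not None


def register_hardened(con: sqlite3.Connection, login: str, password: str) -> bool:
    """Reject bad input before the database sees it; returns True on success.

    In production also set sql_mode=STRICT_TRANS_TABLES so MySQL raises an
    error instead of truncating, and put a UNIQUE index on `login`.
    """
    if login != login.strip() or not (1 <= len(login) <= LOGIN_MAX_LEN):
        return False  # leading/trailing whitespace or wrong length
    if con.execute("SELECT 1 FROM users WHERE login = ?", (login,)).fetchone():
        return False  # exact-match duplicate
    con.execute("INSERT INTO users VALUES (?, ?)", (login, password))
    return True
```

Running the vulnerable path with `"admin" + " " * 7 + "xyz"` stores a second row that reads `admin` under trailing-space-insensitive comparison, so the attacker's password now opens the admin account; the hardened path refuses the same input.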
