SQL Truncation
In this challenge, there is a registration form to create a new account and a validation form where we can enter the admin's password to access the admin panel.
/register.php:
/admin.php:
SQL Truncation is a flaw in database configuration in which an input is truncated (cut off) when inserted into the database because it exceeds the column's maximum defined length. For example: if table user has a column username with a defined length of 20 and you create a new user whose username is longer than 20 characters, the characters from the 21st onward are truncated.
You can use SQL Truncation to create a new user that has the same username as an existing user (admin or something else).
For example:
In the database there is an admin user whose username is admin, and the defined length of username is 20.
I will create a new user with username:
Because the defined length of username is 20, characters from the 21st onward will be truncated.
So the username of the new user in the database becomes:
Next time an attacker logs in to the application with the admin account, the database will search for all matching accounts and will consider them valid for logging in. Therefore any entry with username admin, with or without trailing spaces, is a valid entry that can be used to authenticate to the application.
Reference: https://medium.com/r3d-buck3t/bypass-authentication-with-sql-truncation-attack-25a0c33ab87f
Back to the challenge, let's look at the user table:
You can see that the login (user) column has a defined length of 12, so we just need to create an account with a username longer than 12 characters ('admin' padded with whitespace to 12 characters, plus random characters after).
The account is created successfully:
Use the password of the account you just created to validate; you can access the admin panel and get the flag:
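The collision described above, with the challenge's 12-character login column, reproduced as an added example that is not part of the original writeup: SQLite does not truncate, so the non-strict MySQL behaviour is simulated in `truncating_insert`; `find_colliding_logins` is the audit query a defender would run against an existing table, and `safe_register` is the hardened registration check. The table name, column names and sample passwords are constructed.

```python
import sqlite3

LOGIN_MAX_LEN = 12  # defined length of the login column in the challenge


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge's user table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (login TEXT, password TEXT)")
    return conn


def truncating_insert(conn, login: str, password: str) -> str:
    """Simulates a MySQL server in non-strict mode: over-long input is
    silently cut to the column length instead of being rejected.
    SQLite never truncates, so the cut is applied here on purpose."""
    stored = login[:LOGIN_MAX_LEN]
    conn.execute("INSERT INTO user VALUES (?, ?)", (stored, password))
    return stored


def find_colliding_logins(conn) -> list:
    """Defender's audit: logins that become identical once trailing
    whitespace is ignored, which is how PAD SPACE collations compare
    CHAR/VARCHAR values ('admin' and 'admin       ' match on login)."""
    rows = conn.execute(
        "SELECT RTRIM(login) FROM user GROUP BY RTRIM(login) HAVING COUNT(*) > 1"
    ).fetchall()
    return [r[0] for r in rows]


def safe_register(conn, login: str, password: str) -> bool:
    """Hardened registration: enforce the column length in the application,
    refuse leading/trailing whitespace, and check uniqueness on the
    normalised value so a padded name cannot shadow an existing account."""
    if len(login) > LOGIN_MAX_LEN or login != login.strip():
        return False
    exists = conn.execute(
        "SELECT 1 FROM user WHERE RTRIM(login) = ?", (login,)
    ).fetchone()
    if exists:
        return False
    conn.execute("INSERT INTO user VALUES (?, ?)", (login, password))
    return True
```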