SQL Truncation Attack 2018 | Lucideus Research

SQL Truncation is an exploit which arises due to the misconfiguration of databases. This vulnerability can potentially lead to compromise of user account privileges. This exploit can be performed on any web login page if the website also has a register page and if the vulnerability is present, of course. For the sake of this article, we are talking in context to Mysql database.

About the attack 
The first appearance of this vulnerability is in CVE-2008-4106 which reports the problem in the WordPress CMS. The CVE reports that the problem was related to a WordPress implementation.

SQL Truncation is a vulnerability that threatens the primary application that uses the MySQL database server in its default configuration. The threat is based on the fact that if the stored string does not fit into a column with a specific text data type, it will crop and store the value in a truncated form. Together with the property of database systems that are commonly considered to have end-string and end-to-end values, the application may be unexpected.

What is the attack?
Step 1. We registered on a website by creating a pair of username and password through the registration form.


Step 2. After logging in, we noticed that some features were restricted to admins only.

Step 3. Upon inspection of the registration form, we found out that the character limit on username is set to 16.


Step 4. We logged out and opened the registration form again, only this time we kept the username as 'admin           1' i.e. admin followed by 11 spaces and a random character (total 17 characters). The password was selected by us as pass@123.

Step 5. The moment of 'Eureka' follows this form was successfully accepted.

Step 6. Log in with these new admin credentials and voila! Logged in as admin!

Why does this attack work? This attack works because of the nature of Select and Insert query of Mysql database. How the select query works: Before passing data to the ‘insert’ query, the ‘select’ query matches the username with the previous entries to reveal any redundant entries. As the username we entered is ‘admin 1’ the select query will not find any similar entry and pass the data to the insert query to do its job. How 'insert' query stores data. Talking about mysql, all strings are truncated before being stored in the database. Also, there is a length restriction of 16 characters. So, ‘admin 1’ (17 Characters) will be cut to 16 characters by removing the last digit. After passing the validation, the username is ‘admin ‘ which will be stored as ‘admin’ because of truncation. How the select query fetches. When we try to login with username = ‘admin’ and the password that we created, the select query successfully finds this pair and lets us login with admin privileges. Mitigation To mitigate this attack multiple things have to be considered: 1. Databases should not allow duplicate entries of critical fields like the username. Primary keys should be implemented. 2. The truncate function should be implemented on all fields even on the application front so that the database receives filtered data. 3. Database and Web forms should have the same character limits on corresponding fields. 4. Strict mode should be enabled on databases.



Post a Comment

2 Comments

  1. Would love to see any demo. And WordPress was mentioned so can I get any working example.

    ReplyDelete
  2. Quite interesting! Nice research.

    ReplyDelete