url: http://ringzer0team.com/challenges/171
flag: FLAG-0Kg64o8M9gPQfH45583Mc0jc3u

this challenge wants us to perform a 'data truncation' attack on the underlying
dbms.

«what's 'data truncation'?»

ah-ha! bobby, that's a really interesting question indeed! here, take this url
http://planet.mysql.com/entry/?id=14365 and rtfm, bobby.

for those of you whose name isn't 'bobby' (not even 'robert', just 'bobby'), a
column (or data) truncation vulnerability is an implementation flaw where the
user's input isn't properly validated before an UPDATE or INSERT statement;
pairing that with a sized column (eg: varchar(20)) and mysql's relaxed
comparison rules outside of a binary-context comparison gives us an interesting
scenario, one where we're able to insert a 'comparison similar' value into a
field.

what do i mean by 'comparison similar'? let's take this challenge's scenario
for example:

. upon registering, the engine checks for an existing row with the same
username to avoid duplicates:

SELECT id FROM users WHERE user = '$username'

. if the previous query returns 0 rows, it then proceeds to insert the
new user:

INSERT INTO users (user, pass) VALUES ('$user', '$pass')

what's the deal here? see, let's assume 'user' is a field whose type is
varchar with default limits (20); this means we can register as, say,
'123456789-123456789-' and everything will be fine and dandy, but what happens
should we try and submit '123456789-123456789-12345' as our username? we get
truncated back to '123456789-123456789-'. nothing out of the ordinary.

now, onto the 'what if's: what if we register as 'admin               x'?
that's a 5 char string followed by 15 blanks and one more char: 21 chars worth
of stuff, so following the rule above we should just get truncated back to
'admin               ' (the 5 chars plus the 15 blanks). true, and that is
mysql working as intended, nothing out of the ordinary here either.

thing is, the first SELECT will come back empty, since there's no "21 chars"
user in the table, and INSERT will insert our row truncated to 20. the problem
lies in mysql's loose comparison for the login's SELECT: when comparing in
non-binary mode, 'admin               ' and 'admin' are the same to the dbms,
trailing whitespace is not significant. thing is, 'admin               ' has a
(to us) known password, while 'admin' doesn't; but since mysql treats both
usernames as equal, we can now login as 'admin' with our password, because:

SELECT * FROM users WHERE user = 'admin' AND pass = 'kek'

will return our row.

> Welcome back admin FLAG-0Kg64o8M9gPQfH45583Mc0jc3u
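the register/login flow above, modelled in python as an added example (this is not the challenge's code): an in-memory table stands in for mysql, mysql_equal models the PAD SPACE comparison that ignores trailing blanks, and strict=True models STRICT_TRANS_TABLES, where an over-long value is rejected instead of silently truncated.

```python
# added example, not the challenge's code: a python model of the two mysql
# behaviours the writeup combines, so the attack and its fix can be traced.
USER_LEN = 20  # the varchar(20) assumed above


def mysql_equal(a, b):
    """non-binary comparison: PAD SPACE collations ignore trailing blanks."""
    return a.rstrip(" ") == b.rstrip(" ")


class UsersTable:
    """in-memory users table; strict=True models STRICT_TRANS_TABLES."""

    def __init__(self, strict):
        self.strict, self.rows = strict, []  # rows: list of (user, pass)

    def select_by_user(self, username):
        # SELECT id FROM users WHERE user = '$username'
        return [r for r in self.rows if mysql_equal(r[0], username)]

    def insert(self, username, password):
        # INSERT INTO users (user, pass) VALUES ('$user', '$pass')
        if len(username) > USER_LEN:
            if self.strict:
                return False  # "Data too long for column": row rejected
            username = username[:USER_LEN]  # silent truncation, non-strict mode
        self.rows.append((username, password))
        return True


def register(table, username, password):
    if table.select_by_user(username):  # duplicate check, as the challenge does it
        return False
    return table.insert(username, password)


def login(table, username, password):
    # SELECT * FROM users WHERE user = '$u' AND pass = '$p'
    return any(mysql_equal(u, username) and p == password for u, p in table.rows)


def run(strict):
    """returns (was the crafted row inserted?, can 'admin' log in with 'kek'?)."""
    t = UsersTable(strict)
    register(t, "admin", "secret")        # the legitimate admin account
    crafted = "admin" + " " * 15 + "x"    # 21 chars: 5 + 15 blanks + 1
    inserted = register(t, crafted, "kek")
    return inserted, login(t, "admin", "kek")
```

on a real mysql the same fix is sql_mode with STRICT_TRANS_TABLES plus an application-side length check before the INSERT; the login SELECT should also compare with the BINARY operator so trailing blanks stay significant.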
  59.  
weirdly enough, i ended up buying a hint for this one because the truncation
(first thing i tried) didn't seem to work (bad timing i guess), so i also tried
updating the table, inserting rows and whatnot; in the end i came full-circle
and went back to truncation.