MYSQL Truncation
Context
The objective of this article is to teach how to exploit MySQL truncation vulnerabilities for username collision attacks. This technique involves understanding how data truncation works in MySQL and leveraging this behavior to cause authentication bypass. This guide assumes you have foundational knowledge in MySQL SQL injection, the concept of varchar
limits, and username collision attacks.
Theory
MySQL Truncation Vulnerability
When a user input exceeds the defined length of a column in a MySQL database, the excess characters are truncated. This occurs without warning if the input data type is a string and the column type is, for example, a VARCHAR
with a specific length limit. This can lead to vulnerabilities in applications, especially when unique constraints are attached to the truncated columns.
Exploiting this vulnerability is feasible when unique constraints are applied to the columns because truncated inputs could collide, leading to potential conflicts or authentication bypasses.
Username Collision via Truncation
The principle behind exploiting username collision via truncation lies in crafting inputs that exceed the VARCHAR
limit on columns with unique constraints. When such input is sent to the database, it is truncated to fit the column's maximum allowed length, potentially resulting in a collision with an existing truncated value in the table.
To execute this attack, an attacker can create a new entry with an excessive length username that is truncated to match an existing one under the same unique column constraint, allowing unauthorized access or overwrite of data.
Practice
Exploiting MySQL Truncation for Username Collision
-
Identify the Target Column: The first step is to identify a target column that has a unique constraint and a limited length defined by its
VARCHAR
attribute. This could be done by examining the table schema if access is available or by inference through testing and observing behavior. -
Verify Existing Entries: Check for existing entries that could be targeted for collision due to truncation. You can use a command to query the current usernames.
SELECT username FROM users WHERE username='longusername';
-
Craft Input for Truncation: Create an input that exceeds the column length limit. This crafted input should be designed such that, when truncated, it collides with an existing truncated username in the database.
INSERT INTO users (username) VALUES ('longusername1234567890');
-
Check for Collision: After insertion, verify whether the collision occurred by querying the truncated username. If the username collision is successful, the attacker might gain unauthorized access or cause data conflicts.
SELECT username FROM users WHERE username='longusername';
Result
This exploitation technique can lead to authentication bypass, where gaining access becomes possible by duplicating or overwriting existing usernames due to MySQL column length truncation and unique constraints.
Tools
- MySQL Client: A command-line client used to interact with MySQL databases for executing queries and managing data.