SQL Column Truncation Vulnerability [Video]
In this video CrashOverron explains how to exploit a SQL column truncation vulnerability.
A SQL column truncation vulnerability is another SQL vulnerability that arises from the way MySQL compares and stores strings. MySQL's default collations for CHAR and VARCHAR columns are PAD SPACE collations, which means trailing spaces are ignored when two strings are compared: the string 'admin ' is equal to the string 'admin'. Therefore, if a new member tries to register the user-name 'admin ', the registration is refused because the user name 'admin' already exists.
If, however, the user-name column is VARCHAR(10) and the user enters the user-name 'admin     x' (admin, five spaces, then x, 11 characters in total), the application's duplicate check searches the database for that user and finds nothing: the trailing 'x' makes the value differ from 'admin' even in the space-padded comparison, and no row in a 10-character column can hold an 11-character value. The application now accepts the new user-name and inserts it into the database. Because the value is longer than the column, MySQL silently truncates it to 10 characters (with a warning rather than an error, as long as sql_mode is not strict), and the stored string becomes 'admin     '. The table now contains two users, one 'admin' and the other 'admin     '. Both rows are returned when the login SELECT for user-name 'admin' is executed, and how the application handles a multi-row result determines whether user 'admin' or user 'admin     ' logs in.
Two caveats a tester should check before trying this: the truncation only happens when sql_mode does not include STRICT_TRANS_TABLES or STRICT_ALL_TABLES (strict mode is the default since MySQL 5.7), and the comparison only collapses trailing spaces under a PAD SPACE collation (MySQL 8.0's default utf8mb4_0900_ai_ci is NO PAD). A UNIQUE index on the user-name column also defeats the attack, because the index compares values with the same collation and rejects 'admin     ' as a duplicate of 'admin'; the technique works against applications that check uniqueness with a SELECT instead of a constraint.
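The following is an added example, not code from the video or its author, that reproduces the sequence above in a throwaway MySQL 5.x or MariaDB session with a non-strict sql_mode. The users table, its column names and the passwords are hypothetical; the hardened variant at the end shows the two settings that stop it.

```sql
-- Added example (not from the original post). Hypothetical schema.
-- Non-strict mode is what lets the INSERT truncate instead of failing.
SET SESSION sql_mode = '';

CREATE TABLE users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(10) NOT NULL,        -- the 10-character field from the text
  password VARCHAR(64) NOT NULL
);

INSERT INTO users (username, password) VALUES ('admin', 'legit-secret');

-- The application's duplicate check: 'admin     x' (11 chars) matches no row,
-- so registration is allowed to proceed.
SELECT COUNT(*) FROM users WHERE username = 'admin     x';
-- 0

-- The INSERT silently truncates the value to 10 chars: 'admin     '.
INSERT INTO users (username, password) VALUES ('admin     x', 'attacker-pw');
SHOW WARNINGS;
-- Warning 1265: Data truncated for column 'username' at row 1

-- The login lookup: under a PAD SPACE collation trailing spaces are ignored,
-- so both rows compare equal to 'admin'. CONCAT makes the stored spaces visible.
SELECT id, CONCAT('[', username, ']') AS username_raw, password
FROM users
WHERE username = 'admin';
-- Two rows: [admin] / legit-secret and [admin     ] / attacker-pw.
-- Whichever row the application reads first decides whose password is checked.

-- Hardened version: remove the rogue row, enforce uniqueness in the database
-- (the index uses the same collation, so 'admin     ' is a duplicate of 'admin'),
-- and run in strict mode so over-length input is an error, not a truncation.
DELETE FROM users WHERE id <> 1;
ALTER TABLE users ADD UNIQUE KEY uq_username (username);
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';

INSERT INTO users (username, password) VALUES ('admin     x', 'attacker-pw');
-- ERROR 1406 (22001): Data too long for column 'username' at row 1

-- Even with strict mode off, the UNIQUE key alone now rejects the truncated value:
-- ERROR 1062 (23000): Duplicate entry 'admin     ' for key 'uq_username'
```

The application-side fix is the same idea: reject any user-name longer than the column (CHAR_LENGTH in SQL, or a length check before the query) and let a UNIQUE constraint, not a SELECT, be the authority on whether a name is taken.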
Download video here flv | wmv