[Full-disclosure] Mysql charset Truncation vulnerability
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Mysql charset Truncation vulnerability
- From: "Web Sec" <root@xxxxxxxxx>
- Date: Fri, 12 Sep 2008 15:39:36 +0800
Mysql charset Truncation vulnerability
By http://www.80sec.com/
We found an interesting feature of the MySQL database when using utf8, gbk or other charsets. This feature may make your application insecure.
Stefan Esser shows some attack methods against MySQL in his paper [1], in which he describes the SQL Column Truncation vulnerability.
The scenario in that paper is:
- The application is a forum where new users can register.
- The administrator's name is known, e.g. 'admin'.
- MySQL is used in the default mode.
- There is no application restriction on the length of new user names.
- The database column username is limited to 16 characters.
Even when the application does restrict the length of the username, we can bypass it, as the following example shows:
<?php
$user = $_REQUEST['user'];
mysql_connect("localhost", "root", "") or
    die("Could not connect: " . mysql_error());
mysql_select_db("test");
mysql_query("SET names utf8");   // connection charset utf8; table test_user is utf8 as well
// The lookup runs before the length check, and $user is interpolated raw into
// the query (the point of this post is the charset mismatch, not injection).
$result = mysql_query("SELECT * from test_user where user='$user'");
if (trim($user) == '' or strlen($user) > 20) {   // strlen() counts bytes, not characters
    die("Input user Invalid");
}
if (@mysql_fetch_array($result, MYSQL_NUM)) {
    die("already exist");
}
else {
    $sql = "insert test_user values ('$user')";   // the value lands in a utf8 column
    mysql_query($sql);
    echo "$user register OK!";
}
mysql_free_result($result);
?>
Look at this line of the code:
$result = mysql_query("SELECT * from test_user where user='$user'");
If the attacker enters the username 'admin z' (the gap standing for a run of spaces, as in the column truncation attack from [1]), the SQL will be:
SELECT * from test_user where user='admin z'
and the application will check the length of the username with the following code:
if (trim($user) == '' or strlen($user) > 20) {
    die("Input user Invalid");
}
This attack fails because the length of 'admin z' is greater than 20.
But it does not end here. The attacker can instead enter the username 'admin' followed by the byte 0xC1 and then 'zzz' (written 'admin0xc1zzz' below), and the SQL will be:
SELECT * from test_user where user='admin0xc1zzz'
This passes the application's length check and the existence lookup. Then the insert command executes:
insert test_user values ('admin0xc1zzz')
Because the table is created with charset utf8 and 0xC1 is not a valid utf8 character, MySQL strips it, and every character after it is stripped as well. The attacker has thereby obtained the user "admin".
As you can see, when MySQL works in utf8, invalid data is stripped, but the web application does not know this: it works on raw bytes. The difference between how the web application and the database interpret the data makes the vulnerability.
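As an added example (not part of the original post), the following Python models the mismatch described above: a byte-counting application check against a MySQL server that, in non-strict mode, cuts a utf8 value at the first invalid byte and silently truncates it to the column width. It also models the space-padding variant from [1] and shows a hardened check beside the vulnerable one. The `mysql_*` simulation functions, the in-memory list standing in for `test_user`, and the constructed inputs are assumptions of this example, not MySQL code or the advisory's code.

```python
# Added example (not from the original post): a model of the mismatch between
# the advisory's byte-oriented PHP check and MySQL's charset-aware storage.
# The "mysql_" functions here are simulations written for this example.
import unicodedata
from typing import List, Optional

COLUMN_LEN = 16     # the 16-character username column from the advisory
APP_MAX_LEN = 20    # the strlen($user) > 20 check from the advisory's PHP


def mysql_lenient_utf8_store(raw: bytes, column_len: int = COLUMN_LEN) -> str:
    """Simulation of what a non-strict MySQL keeps when raw bytes are
    INSERTed into a utf8 column: the value is cut at the first byte sequence
    that is not valid UTF-8, then truncated to the column width. On the real
    server both steps only produce a warning unless sql_mode is strict."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as err:   # err.start = offset of the bad byte
        text = raw[:err.start].decode("utf-8")
    return text[:column_len]


def mysql_pad_space_equal(stored: str, candidate: str) -> bool:
    """MySQL's default PAD SPACE collations ignore trailing spaces when
    comparing, so a stored 'admin           ' equals 'admin'."""
    return stored.rstrip(" ") == candidate.rstrip(" ")


def vulnerable_check(raw: bytes) -> bool:
    """The advisory's check: counts request bytes and never asks whether
    those bytes are valid in the column's charset."""
    return raw.strip() != b"" and len(raw) <= APP_MAX_LEN


def hardened_check(raw: bytes, column_len: int = COLUMN_LEN) -> Optional[str]:
    """Return the canonical username, or None if the request must be rejected:
    the bytes must be valid UTF-8, contain no control or separator characters
    (which also covers the space padding used for column truncation), and fit
    the column measured in characters rather than in request bytes."""
    try:
        text = raw.decode("utf-8")          # strict decode: 0xC1 raises here
    except UnicodeDecodeError:
        return None
    if not text or len(text) > column_len:
        return None
    if any(unicodedata.category(ch)[0] in ("C", "Z") for ch in text):
        return None
    return text


def register_vulnerable(db: List[str], raw: bytes) -> str:
    """The advisory's flow against a non-strict server: byte-length check,
    an existence lookup that compares the raw literal (so 'admin'+0xC1+'zzz'
    does not match 'admin'), then an INSERT the server silently truncates."""
    if not vulnerable_check(raw):
        return "rejected"
    probe = raw.decode("utf-8", errors="replace")
    if any(mysql_pad_space_equal(user, probe) for user in db):
        return "already exists"
    db.append(mysql_lenient_utf8_store(raw))
    return "registered as %r" % db[-1]


def register_hardened(db: List[str], raw: bytes) -> str:
    """Same flow with the strict check: the database never receives bytes
    that it would silently alter before storing."""
    name = hardened_check(raw)
    if name is None:
        return "rejected"
    if name in db:
        return "already exists"
    db.append(name)
    return "registered as %r" % name


if __name__ == "__main__":
    # Constructed inputs: the advisory's two usernames, with the 0xC1 written
    # as a real byte and the space padding written out explicitly.
    attempts = [b"admin" + b" " * 20 + b"z",   # [1]-style padding, over 20 bytes
                b"admin" + b" " * 11 + b"x",   # padding that fits the byte check
                b"admin\xc1zzz"]               # the advisory's payload
    for raw in attempts:
        print(raw, "->", register_vulnerable(["admin"], raw),
              "|", register_hardened(["admin"], raw))
```

The fix belongs on both sides of the boundary: decode the request strictly as UTF-8 and enforce the column's length in characters before the query, and run MySQL with `STRICT_TRANS_TABLES` in `sql_mode` so an invalid byte or an over-long value raises an error ("Incorrect string value" / "Data too long") instead of a warning and a silently altered row. Parameterised queries are assumed throughout; the raw interpolation in the advisory's PHP is a separate defect.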
Reference:
[1] http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/