SQL column truncation injection
This vulnerability is fairly unknown even among hackers. It allows us to create a duplicate of an existing user account, so that the password we choose effectively replaces the password of the existing user.
How does it work?
Let’s say you have a website with a user registration form. You view the member list and see that there is a user called “admin”. We would like to be admin ourselves, so we will try to overwrite his current password by creating a new account with the same name.
Confused? Let’s explain it some more.
Tools needed:
· Firefox
· Firebug
Now open the registration form of the website (this method works on roughly 10-20% of targets).
With the registration form open (the one where you can enter a username, a password and maybe an email), open Firebug and inspect the “username” field to check whether the admin has set a maximum length for the username, such as 10 characters at most.
Let’s say the target has set an 8-character limit on the username. That would seem to rule out SQL injection, right? But now that we know the limit is 8, we can exploit it; to do so we register with the following username:
admin   x (that is: “admin”, three spaces, then “x”)
“admin” is 5 characters and the 3 spaces bring it to 8, exactly the column limit. The trailing “x” is a 9th character: it is still present when the site checks whether the username is already taken, so the check does not match “admin”, but the database silently drops it when it truncates the value to fit the column, leaving a second “admin” row (followed by spaces, which MySQL ignores when comparing the username).
Once the registration succeeds, we should be able to log in to the admin account with full privileges.
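The following is an added illustration, not code from the original post: a small model of the registration flow that column truncation abuses, placed next to a hardened version. It simulates the two MySQL behaviours the technique depends on (a non-strict sql_mode silently truncating a value to the VARCHAR width, and PAD SPACE collations ignoring trailing spaces in comparisons); the column width USERNAME_WIDTH, the table class and the function names are assumptions made for this example.

```python
USERNAME_WIDTH = 8  # assumed VARCHAR(8) limit on the username column (hypothetical)

def mysql_store(value: str, width: int) -> str:
    """Non-strict sql_mode: silently cut the value to the column width."""
    return value[:width]

def mysql_equal(a: str, b: str) -> bool:
    """PAD SPACE collation: trailing spaces are ignored in comparisons."""
    return a.rstrip(" ") == b.rstrip(" ")

class Users:
    """Toy users table without a UNIQUE index on username."""
    def __init__(self):
        self.rows = []  # (username, password) tuples

    def find(self, username):
        return [r for r in self.rows if mysql_equal(r[0], username)]

def register_vulnerable(db: Users, username: str, password: str) -> bool:
    # The duplicate check sees the full input, so "admin   x" != "admin" ...
    if db.find(username):
        return False
    # ... but the INSERT truncates it to "admin   ", a second "admin" row.
    db.rows.append((mysql_store(username, USERNAME_WIDTH), password))
    return True

def register_hardened(db: Users, username: str, password: str) -> bool:
    # Validate in the application before the database can truncate: reject
    # surrounding whitespace and anything longer than the column allows.
    # Strict sql_mode and a UNIQUE index on username are the server-side backstops.
    cleaned = username.strip()
    if not cleaned or cleaned != username or len(cleaned) > USERNAME_WIDTH:
        return False
    if db.find(cleaned):
        return False
    db.rows.append((cleaned, password))
    return True

def login(db: Users, username: str, password: str) -> bool:
    # Typical lookup: WHERE username = ? AND password = ?; the truncated row matches too.
    return any(mysql_equal(u, username) and p == password for u, p in db.rows)
```

Against the vulnerable handler the truncated row lets a login as “admin” succeed with the attacker's password; the hardened handler rejects the over-long username before it reaches the database.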