Merge pull request #276 from heinosasshallik/master

add a note about SQL truncation no longer working in latest MySQL versions
2021-11-11 23:47:21 +00:00 · 2021-11-11 23:47:21 +00:00 · 1b6c914d27
commit 1b6c914d27
parent 892359eefe bae0a5634b
1 changed files with 3 additions and 0 deletions
--- a/pentesting-web/sql-injection/README.md
+++ b/pentesting-web/sql-injection/README.md
@ -342,12 +342,15 @@ To do so you should try to **create a new object named as the "master object"**

 #### SQL Truncation Attack

+
 If the database is vulnerable and the max number of chars for username is for example 30 and you want to impersonate the user **admin**, try to create a username called: "_admin \[30 spaces] a_" and any password.

 The database will **check** if the introduced **username** **exists** inside the database. If **not**, it will **cut** the **username** to the **max allowed number of characters** (in this case to: "_admin \[25 spaces]_") and the it will **automatically remove all the spaces at the end updating** inside the database the user "**admin**" with the **new password** (some error could appear but it doesn't means that this hasn't worked).

 More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)

+_Note: This attack will no longer work as described above in latest MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the length of a field will result in an error, and the insertion will fail._
+
 ### MySQL Insert time based checking

 Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.