SQL Column Truncation Vulnerabilities
When data is inserted into MySQL and a column value is longer than the column's limit, the excess is dropped automatically. Let's try it:
1. Create a table:
    mysql> create table users (username varchar(10), password varchar(20));
    Query OK, 0 rows affected (0.02 sec)

    mysql> describe users;
    +----------+-------------+------+-----+---------+-------+
    | Field    | Type        | Null | Key | Default | Extra |
    +----------+-------------+------+-----+---------+-------+
    | username | varchar(10) | YES  |     | NULL    |       |
    | password | varchar(20) | YES  |     | NULL    |       |
    +----------+-------------+------+-----+---------+-------+
    2 rows in set (0.00 sec)
2. Insert some data:
    mysql> insert into users values('admin','123456');
    Query OK, 1 row affected (0.00 sec)

    mysql> select * from users;
    +----------+----------+
    | username | password |
    +----------+----------+
    | admin    | 123456   |
    +----------+----------+
    1 row in set (0.00 sec)

    mysql> insert into users values('adminadminadmin','123456');
    Query OK, 1 row affected, 1 warning (0.00 sec)

    mysql> select * from users;
    +------------+----------+
    | username   | password |
    +------------+----------+
    | admin      | 123456   |
    | adminadmin | 123456   |
    +------------+----------+
    2 rows in set (0.00 sec)
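Inserting adminadminadmin above produced a warning, but the insert still succeeded; the part beyond the column length was dropped, leaving only adminadmin.
3. MySQL has another behaviour: strings in the database are not compared as binary, and trailing spaces are ignored automatically. In other words, in MySQL 'admin ' is equivalent to 'admin'.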
    mysql> insert into users values('admin ','qweqwe');
    Query OK, 1 row affected (0.00 sec)

    mysql> select * from users where username='admin';
    +----------+----------+
    | username | password |
    +----------+----------+
    | admin    | 123456   |
    | admin    | qweqwe   |
    +----------+----------+
    2 rows in set (0.00 sec)

The query returns two admin rows; the trailing space was ignored.
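4. Now, if the administrator's username is known to be admin, the two behaviours above can be combined to register another admin user, and then log in as admin with the password chosen at registration.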
    mysql> insert into users values('admin     x','asdasd'); # 'admin     x' has 5 spaces, so the x is dropped and the value simply becomes admin; you can then log in with your own password
    Query OK, 1 row affected, 1 warning (0.00 sec)

    mysql> select * from users where username='admin';
    +------------+----------+
    | username   | password |
    +------------+----------+
    | admin      | 123456   |
    | admin      | qweqwe   |
    | admin      | asdasd   |
    +------------+----------+
    3 rows in set (0.00 sec)

5. The main cause is that over-long data is not checked on insert; only a warning is given. If sql_mode is set to STRICT_ALL_TABLES, the data length is checked, and a value that is too long raises an error and is not inserted.
    mysql> select @@sql_mod;
    ERROR 1193 (HY000): Unknown system variable 'sql_mod'

    mysql> select @@sql_mode;
    +------------+
    | @@sql_mode |
    +------------+
    |            |
    +------------+
    1 row in set (0.00 sec)

    mysql> set sql_mode='STRICT_ALL_TABLES';
    Query OK, 0 rows affected (0.00 sec)

    mysql> insert into users values('admin     x','asdasd');
    ERROR 1406 (22001): Data too long for column 'username' at row 1

The statement fails with an error and nothing is inserted.
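The two behaviours from steps 2 and 3 and an application-side check that closes the gap, modelled in plain Python as an added example (not code from the original post). All function names are hypothetical; the model assumes non-strict sql_mode and a comparison that ignores trailing spaces, as in the sessions above, and the sample rows are constructed.

```python
COLUMN_WIDTH = 10  # username varchar(10), as in the page's table

def mysql_store(value, width=COLUMN_WIDTH):
    """Model of non-strict sql_mode: over-long values are cut to the column width."""
    return value[:width]

def mysql_equal(a, b):
    """Model of the '=' comparison shown in step 3: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")

def register_unsafe(table, username, password):
    """Checks uniqueness on the raw input, then lets the database truncate it."""
    if any(mysql_equal(name, username) for name, _ in table):
        return False
    table.append((mysql_store(username), password))
    return True

def register_safe(table, username, password, width=COLUMN_WIDTH):
    """Rejects input the column cannot hold and compares on the canonical form."""
    canonical = username.rstrip(" ")
    if not canonical or len(username) > width:
        return False
    if any(mysql_equal(name, canonical) for name, _ in table):
        return False
    table.append((canonical, password))
    return True

def colliding_accounts(table):
    """Audit helper: stored usernames that '=' cannot tell apart."""
    groups = {}
    for name, _ in table:
        groups.setdefault(name.rstrip(" "), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}

def demo():
    crafted = "admin" + " " * 5 + "x"   # the 11-character value from step 4
    weak = [("admin", "123456")]        # constructed sample rows
    strong = [("admin", "123456")]
    return (register_unsafe(weak, crafted, "asdasd"),
            register_safe(strong, crafted, "asdasd"),
            colliding_accounts(weak),
            colliding_accounts(strong))

if __name__ == "__main__":
    print(demo())
```

`colliding_accounts` can be run over an export of an existing user table to find rows that were already registered this way.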
References:
http://planet.mysql.com/entry/?id=14365
http://www.80sec.com/mysql-charset-truncation-vulnerability.html
http://www.notsosecure.com/blog/2008/09/11/sql-column-truncation-vulnerabilities/