Solution: SQL Truncation Challenge A

Tools Used:
When you register an account, note how the username field allows you a maximum length of 10 characters. That gives you decent intel that the database username field is likely varchar(10).

However, if you do a right click + inspect element on that input, you'll see that the 10 character limit is client-side. Change it to 11 characters.



Now for the exploit - create an account with the username "admin", followed by 5 spaces to pad it to 10 characters, then followed by some other characters that will be truncated but will make our username pass the unique check. You will not need to remember the characters you added to the end, but you will need to remember your password.



When you create the above account, it checks to see if user "admin x" exists in the database. It does not, so it passes the unique check. Then, when it inserts the user into the database, it truncates it to "admin ".

Now if we attempt to login to "admin" with the password we set, it will... work! This is because trailing spaces are ignored in MySQL's where clause on text fields, so when it checks to see if a username with "admin" and the password we set exists, it will find the account we made. Then it will set our session as logged in to the "admin" user, which is actually not the account we signed up with - and reveal the flag!

Note that if they had logged us in via userid instead of username (as is far more common) this would not have worked. However, it still does happen in the wild - sometimes moreso around account recovery / forgot password prompts, as shown in the more complicated Challenge B.