I'm in a Drupal 8 MySQL database (part of a lab so not illegally) and the password hash seems to be truncated in the users_field_data database. I've never quite seen this, and any searches I can find don't seem to tell me anything. I'm not sure how Drupal would ever verify the password if it doesn't have the full hash?

The hash I'm getting back looks something like this: $S$E6GCf39Fu376XcvVHzroZhuiOp3jRURyhDwOMzGfT22X3b..X4ed

I tried changing the column size from varchar 55 to varchar 100 and nothing happened. I'm retrieving the password hash using the following statement:

SELECT pass FROM users_field_data;

Is there something I'm missing that is preventing me from pulling the full hash?

  • It is not necessary to have the full hash. The server might compare only the same number of bytes as the stored hash from the freshly hashed password. Whether this is actually done is another question. I haven't looked into Drupal. Commented Feb 22, 2021 at 19:21
  • Yeah it's possible they could compare just part of the hash, but seems odd as that would decrease security if anything. I'm guessing due to the CTF/lab style of my environment that it's purposely some kind of misconfiguration (the column size was deliberately too small) but I'm wondering if it's just something I don't know about mysql/drupal. Commented Feb 22, 2021 at 19:23
  • Whoops, I never asked my question! Is there anything I'm missing that is able to pull the full hash (some sort of query) or is this just an issue with storing too large of a value into too small of a column? Commented Feb 22, 2021 at 19:46
  • @user15262123 where are you seeing this output? Seems strange that it would be truncated like that. Commented Feb 22, 2021 at 21:25
  • @lucasreta, It's from a paid lab environment and is on a SQL database for one of the machines. It is not a machine in production, nor is it part of an exam of any sort. Commented Feb 22, 2021 at 22:29
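
Added example, not part of the original thread: a Python sketch of the phpass-derived $S$ scheme in Drupal 7/8 core, where a stored value is a 12-character setting plus the first 43 of the 86 encoded SHA-512 digest characters (55 in total), and verification recomputes the hash and cuts it to the same length before comparing. Function names are this example's own; PAGE_HASH is the value quoted in the question, and any password or salt used to exercise the code is constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # what Drupal stores: 12-char setting + 43 digest chars
PAGE_HASH = "$S$E6GCf39Fu376XcvVHzroZhuiOp3jRURyhDwOMzGfT22X3b..X4ed"


def b64_phpass(data: bytes) -> str:
    """phpass-style base64: 3 bytes (little-endian) -> 4 chars, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # n bytes yield n + 1 characters
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def parse(stored: str) -> dict:
    """Split a stored $S$ value into its fields."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a Drupal $S$ hash")
    return {
        "log2_iterations": ITOA64.index(stored[3]),  # cost character
        "salt": stored[4:12],
        "digest_chars": len(stored) - 12,
        "total_length": len(stored),
    }


def full_hash(password: str, setting: str) -> str:
    """Setting plus all 86 encoded digest characters (98 in total)."""
    pw = password.encode()
    digest = hashlib.sha512(setting[4:12].encode() + pw).digest()
    for _ in range(1 << ITOA64.index(setting[3])):
        digest = hashlib.sha512(digest + pw).digest()
    return setting[:12] + b64_phpass(digest)


def check(password: str, stored: str) -> bool:
    """Recompute with the stored setting, cut to 55 chars, then compare."""
    candidate = full_hash(password, stored[:12])[:HASH_LENGTH]
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

Calling parse(PAGE_HASH) reports a cost of 16, the salt 6GCf39Fu, 43 digest characters and a total length of 55.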
