undefined | Better HN

0 pointshot_gril1y ago0 comments

SQL injection will give you the entire schema anyway. It doesn't help if someone tells you the col names beforehand. I'm more wondering about non-SQL-injection vulns.

0 pointshot_gril1y ago0 comments

SQL injection will give you the entire schema anyway. It doesn't help if someone tells you the col names beforehand. I'm more wondering about non-SQL-injection vulns.

0 comments

6 comments · 1 top-level

HDThoreaun1y ago· 5 in thread

SQL injection isnt just an ssh tunnel to the database. If the line you've injected isnt a select and the backend never fetches it how does the injection give you the column names?

hot_grilOP1y ago

Wait, this is known as a blind SQLi, and it's not so blind. You can still use timing to get the info you need one bit at a time. This may be slow, but it's doable without triggering any DB errors, so you have time.

HDThoreaun1y ago

people come up with the darndest things.

1 more reply

wglb1y ago

I've seen this done by enumerating possible table names.

hot_grilOP1y ago

That's a typical way, but the errors might alert them, and of course maybe the names aren't so easily guessed.

hot_grilOP1y ago

Oops you're right, it's possible that you have no way to read things back.

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

HDThoreaun1y ago· 5 in thread

SQL injection isnt just an ssh tunnel to the database. If the line you've injected isnt a select and the backend never fetches it how does the injection give you the column names?

hot_grilOP1y ago

HDThoreaun1y ago

people come up with the darndest things.

1 more reply

wglb1y ago

I've seen this done by enumerating possible table names.

hot_grilOP1y ago

That's a typical way, but the errors might alert them, and of course maybe the names aren't so easily guessed.

hot_grilOP1y ago

Oops you're right, it's possible that you have no way to read things back.

j / k navigate · click thread line to collapse