← Back to context

Comment by tptacek

2 months ago

Which is why in the ordinary course of a pentest you'd use the SQL injection vulnerability to recover the information in the schema.

6 comments

tptacek

Reply
LegionMammal978  2 months ago

Is there not any SQLi vulnerability in practice that doesn't allow such an information recovery? That is, is the schema-recovery step so foolproof that it can always be performed on any target form? GP is suggesting that this may be difficult, depending on the kind of signal that gets returned from the form.

  • tptacek  2 months ago

    In my entire experience as a software security practitioner, which at the time of my testimony encompassed some hundreds of assessments of SQL-backed websites, the availability of a schema has never impacted my ability to exploit a SQL injection. It's not my job as an expert witness, nor Matt's job as a plaintiff, to invent improbable scenarios where security could hinge on schema availability. The court (all of them, in fact) found that testimony dispositive, so I'm happy to leave the issue there.

default-kramer  2 months ago

Maybe I'm ignorant, but if the account the app is using doesn't have access to the information_schema how do you do this?

  • lcnPylGDnU4H9OF  2 months ago

    I don’t think that’s a very common setup but perhaps I’m just exposing my own ignorance. Just consider the popularity of ORMs. They explicitly load the schema into the application in many cases.

  • kmoser  2 months ago

    Not just that, but perhaps the app is smart enough to lock you out the second it detects an attempt to gather the schema, e.g. by logging and automatically responding to a query that displays the schema. Then you have to look for other ways in (another IP, etc.). But if you know the schema in advance, you have a better chance of a one-shot injection that accomplishes your malicious goal.

    In other words, advance knowledge of the schema may make it easier to act maliciously.