Comment by hot_gril
10 months ago
SQL injection will give you the entire schema anyway. It doesn't help if someone tells you the col names beforehand. I'm more wondering about non-SQL-injection vulns.
10 months ago
SQL injection will give you the entire schema anyway. It doesn't help if someone tells you the col names beforehand. I'm more wondering about non-SQL-injection vulns.
SQL injection isnt just an ssh tunnel to the database. If the line you've injected isnt a select and the backend never fetches it how does the injection give you the column names?
Wait, this is known as a blind SQLi, and it's not so blind. You can still use timing to get the info you need one bit at a time. This may be slow, but it's doable without triggering any DB errors, so you have time.
people come up with the darndest things.
1 reply →
I've seen this done by enumerating possible table names.
That's a typical way, but the errors might alert them, and of course maybe the names aren't so easily guessed.
Oops you're right, it's possible that you have no way to read things back.