Comment by HDThoreaun
2 months ago
SQL injection isn't just an ssh tunnel to the database. If the line you've injected isn't a select and the backend never fetches it, how does the injection give you the column names?
Wait, this is known as a blind SQLi, and it's not so blind. You can still use timing to get the info you need one bit at a time. This may be slow, but it's doable without triggering any DB errors, so you have time.
People come up with the darndest things.
Yeah, it's a cool trick and not obvious. I think when I said SQL injection gets you the schema, I was recalling some faint old memory from a security course without remembering why this is doable.
I've seen this done by enumerating possible table names.
That's a typical way, but the errors might alert them, and of course maybe the names aren't so easily guessed.
Oops, you're right, it's possible that you have no way to read things back.