Comment by tptacek

2 months ago

I don't understand your argument. If I have a SQLI, I can, as you acknowledge, fetch the schema. So what does it matter if the schema is published a priori? All that matters is whether I have SQLI.

No, as other comments in the thread have pointed out, you can easily have an SQLI that doesn't send information back to you. You may find value in changing what's in the database even if you can't read from it.

If you do have the ability to retrieve information, then one of the first things you'll do is retrieve the schema.

And the reason you'll retrieve the schema, if you can, is that it facilitates the attacks you actually want to make. It has no value to you other than enabling your attacks. This observation seems sufficient to answer the question "does knowing the schema enable attacks?".

  • There is a whole sub-field of software security dedicated to retrieving information from SQL injections that don't directly return results. This is not a plausible objection.
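The thread's two points (an injection can change data without ever returning a row, and schema knowledge matters only in that it shapes what such an injection can do) can be made concrete with a small runnable illustration. The following is an added example written for this page, not code posted by anyone in the thread: it uses Python's standard `sqlite3` module, a constructed `users` table, and a hypothetical `update_email` handler in a string-concatenated form and a parameterized form. The point it shows is the defensive one: the parameterized handler stores the same input as an inert literal, so the fix is how the query is built, not whether the table and column names are secret.

```python
import sqlite3

# Constructed sample schema and rows for this example (not from the thread).
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    email    TEXT NOT NULL,
    is_admin INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test');
INSERT INTO users (name, email) VALUES ('bob',   'bob@example.test');
"""

# Constructed input that, in the concatenated handler, ends the string
# literal and appends a second statement.  Note that writing it requires
# knowing the table name and the column name, which is the thread's
# "schema facilitates the attack" point; nothing about it needs to read
# any row back, which is the "write-only injection" point.
CRAFTED_INPUT = "x'; UPDATE users SET is_admin = 1 WHERE name = 'bob'; --"


def fresh_db() -> sqlite3.Connection:
    """Return an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_email_concatenated(conn: sqlite3.Connection, name: str, new_email: str) -> None:
    """Hypothetical vulnerable handler: input is spliced into the SQL text.

    executescript() is used so that stacked statements run, mirroring a
    backend that accepts multiple statements per request.  The handler
    returns nothing, so the caller never sees any query result.
    """
    sql = f"UPDATE users SET email = '{new_email}' WHERE name = '{name}';"
    conn.executescript(sql)


def update_email_parameterized(conn: sqlite3.Connection, name: str, new_email: str) -> None:
    """Hardened handler: the driver binds values; input is never parsed as SQL."""
    conn.execute("UPDATE users SET email = ? WHERE name = ?", (new_email, name))
    conn.commit()


def snapshot(conn: sqlite3.Connection) -> dict:
    """Map user name -> (email, is_admin) so the two outcomes can be compared."""
    rows = conn.execute("SELECT name, email, is_admin FROM users ORDER BY name")
    return {name: (email, is_admin) for name, email, is_admin in rows}


def run_both() -> tuple[dict, dict]:
    """Apply the same crafted input through both handlers on fresh databases."""
    vuln = fresh_db()
    update_email_concatenated(vuln, "alice", CRAFTED_INPUT)

    safe = fresh_db()
    update_email_parameterized(safe, "alice", CRAFTED_INPUT)

    return snapshot(vuln), snapshot(safe)


if __name__ == "__main__":
    after_vuln, after_safe = run_both()
    print("concatenated :", after_vuln)    # bob's is_admin flipped, emails clobbered
    print("parameterized:", after_safe)    # alice's email is the literal string, bob untouched
```

In the concatenated case the first `UPDATE` loses its `WHERE` clause and the appended statement promotes `bob`, all without a single row being returned to the caller. In the parameterized case the identical input lands verbatim in `alice`'s `email` column and `bob` is unchanged, whether or not the schema was ever public.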