← Back to context

Comment by thaumasiotes

2 months ago

No, as other comments in the thread have pointed out, you can easily have an SQLI that doesn't send information back to you. You may find value in changing what's in the database even if you can't read from it.

If you do have the ability to retrieve information, then one of the first things you'll do is retrieve the schema.

And the reason you'll retrieve the schema, if you can, is that it facilitates the attacks you actually want to make. It has no value to you other than enabling your attacks. This observation seems sufficient to answer the question "does knowing the schema enable attacks?".

3 comments

thaumasiotes

Reply
tptacek  2 months ago

There is a whole sub-field of software security dedicated to retrieving information from SQL injections that don't directly return results. This is not a plausible objection.

  • thaumasiotes  2 months ago

    Well, again, you make your attack and you retrieve the schema. Why did you do that?

    • hunter2_  2 months ago

      To become informed, which is also the stated purpose of FOIA?

      Some may use their newfound education for good while others use it for evil, as with any education.