Posted by shimmyshack on 05/15/07 16:46
On May 15, 4:24 pm, Ivan Marsh <anno...@you.now> wrote:
> On Fri, 11 May 2007 23:02:45 +0000, Gordon Burditt wrote:
> >>I set the default user for my connection to the read-only account and
> >>have to purposefully change the account being used if I want to do
> >>anything other than just read.
>
> >>You can't inject SQL if the account you're using doesn't have rights to
> >>write to the database.
>
> > There are plenty of people who would love to inject
> > select * from credit_card_account_list;
> > even if the account you're using has no rights to write to the database.
>
> Obviously I was speaking of injections to cause data corruption.
>
> Anyone stupid enough to use credit_card_account_list as a table name
> deserves to go out of business.

One may gather all the data in a database by blind injecting a query
which asks "true or false" questions. Subtle behavioural changes in
the app (timings of response, etc.) can lead to knowledge of the
result, without the need to receive error messages back through HTTP.
This prevents WAFs, logs and so on from discovering the existence of
the attack until it has successfully obtained all the info from the
database: "is the first letter of the first table in the database
greater than m?" etc.
This thwarts security by obscurity, such as calling the credit_card
table something like image_data_for_banner_adverts.
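The post above argues that blind, true-or-false probing leaves no error messages for WAFs or logs to catch. What the logs do still contain is the shape of the probing: a burst of near-identical requests from one client that differ only in a comparison value, and, for the timing variant, requests whose response time jumps. The script below is an added example written for this thread (it is not code from the post or from any product); it parses a few constructed Apache-style log lines with the response time in microseconds appended, counts per-client requests whose decoded query string carries blind-injection indicators, and flags a client once the count passes a threshold or once an indicator coincides with a slow response. The log lines, the indicator list, the 3-second cut-off and the threshold of three hits are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (not from the original thread). Apache-style
# combined format, with the response time in microseconds (%D) appended.
# 203.0.113.7 walks a value character by character; the shorter 118-byte
# reply on the third line is the "false" branch the post describes.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2007:16:40:01 +0000] "GET /item.php?id=5 HTTP/1.1" 200 2101 1830
203.0.113.7 - - [15/May/2007:16:40:02 +0000] "GET /item.php?id=5+AND+SUBSTRING(@@version,1,1)>'m' HTTP/1.1" 200 2101 1902
203.0.113.7 - - [15/May/2007:16:40:02 +0000] "GET /item.php?id=5+AND+SUBSTRING(@@version,1,1)>'t' HTTP/1.1" 200 118 1756
203.0.113.7 - - [15/May/2007:16:40:03 +0000] "GET /item.php?id=5+AND+ASCII(SUBSTRING(@@version,2,1))>110 HTTP/1.1" 200 2101 1911
203.0.113.7 - - [15/May/2007:16:40:05 +0000] "GET /item.php?id=5+AND+IF(ASCII(SUBSTRING(@@version,3,1))>100,SLEEP(5),0) HTTP/1.1" 200 2101 5004122
198.51.100.2 - - [15/May/2007:16:40:06 +0000] "GET /item.php?id=7 HTTP/1.1" 200 2098 1650
198.51.100.2 - - [15/May/2007:16:40:09 +0000] "GET /search.php?q=banner+adverts HTTP/1.1" 200 5120 3402
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<us>\d+)$'
)

# Indicators of boolean/time-based probing in a decoded query string:
# string-slicing or delay functions, or a boolean clause comparing something.
# Assumed list for the example; a real ruleset would be broader.
INDICATOR_RE = re.compile(
    r"\b(?:substring|substr|ascii|sleep|benchmark|pg_sleep)\s*\("
    r"|\bwaitfor\s+delay\b"
    r"|\b(?:and|or)\s+\S+\s*[<>=]",
    re.IGNORECASE,
)

SLOW_RESPONSE_US = 3_000_000   # assumption: over 3 s is suspicious for this app


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode the query string so encoded payloads (+, %27, ...) are inspected as text.
    rec["query"] = unquote_plus(urlsplit(rec["url"]).query)
    rec["us"] = int(rec["us"])
    return rec


def analyze(log_text, suspect_threshold=3):
    """Group requests per client and count blind-injection indicators.

    Returns {ip: {"requests", "suspect", "time_based", "flagged"}}.
    A client is flagged after `suspect_threshold` indicator hits (guessing a
    value one character at a time needs many near-identical requests) or
    after a single slow response that also carries an indicator.
    """
    stats = defaultdict(lambda: {"requests": 0, "suspect": 0, "time_based": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if INDICATOR_RE.search(rec["query"]):
            s["suspect"] += 1
            if rec["us"] >= SLOW_RESPONSE_US:
                s["time_based"] += 1
    for s in stats.values():
        s["flagged"] = s["suspect"] >= suspect_threshold or s["time_based"] > 0
    return dict(stats)


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s)
```

Run as-is and it reports 203.0.113.7 with four indicator hits, one of them time-based, and flags it; 198.51.100.2 stays clean. The point for the thread is that the table name and the database account never enter into it: the detection rests on the request pattern and the timing, which is exactly the channel the post says the attacker relies on, so logging response times and aggregating per client recovers a signal that error-message filtering alone would miss.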