Re: Create Mysql database?

Posted by shimmyshack on 05/15/07 20:02

On May 15, 6:51 pm, Ivan Marsh <anno...@you.now> wrote:
> On Tue, 15 May 2007 09:46:52 -0700, shimmyshack wrote:
> > On May 15, 4:24 pm, Ivan Marsh <anno...@you.now> wrote:
> >> On Fri, 11 May 2007 23:02:45 +0000, Gordon Burditt wrote:
> >> >>I set the default user for my connection to the read-only account and
> >> >>have to purposefully change the account being used if I want to do
> >> >>anything other than just read.
>
> >> >>You can't inject SQL if the account you're using doesn't have rights
> >> >>to write to the database.
>
> >> > There are plenty of people who would love to inject
> >> > select * from credit_card_account_list;
> >> > even if the account you're using has no rights to write to the
> >> > database.
>
> >> Obviously I was speaking of injections to cause data corruption.
>
> >> Anyone stupid enough to use credit_card_account_list as a table name
> >> deserves to go out of business.
>
> > one may gather all the data in a database by blind injecting a query
> > which asks "true or false" questions. Subtle behavioural changes in the
> > app (timings of response, etc...) can lead to knowledge of the result,
> > without the need to receive error messages back through http, this
> > prevents WAFs, logs and so on from discovering the existence of the
> > attack until it has successfully obtained all the info from the
> > database, "is the first letter of the first table in the database
> > greater than m?" etc.. etc...
> > this thwarts security by obscurity, such as calling the credit_card
> > table something like image_data_for_banner_adverts....
>
> That being true is it not still more difficult to guess something that's
> randomly generated or something that has meaning?

Blind injection is mostly a sledgehammer (but I guess could be coded
to be "cleverer"), so it just asks many questions.
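The thread's point is that neither a read-only account nor an obscure table name stops an attacker who can ask the database yes/no questions through an injectable query; the fix is to make the query structure independent of the input. The example below is added here and is not code from the thread or from any poster; it assumes a MySQL table named `images` with `name` and `data` columns, a mysqli connection, and a placeholder password, all of which are invented for illustration.

```php
<?php
// Added example (not from the thread): the same lookup written two ways.
// Assumes a MySQL table `images` (name, data) and a mysqli connection $db.

// UNSAFE: the query text is assembled from user input, so the input can change
// the query's structure. A read-only account does not help here: the SELECT
// itself is what leaks data, one true/false answer at a time.
function find_image_unsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT name, data FROM images WHERE name = '" . $name . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// SAFE: a prepared statement sends the query structure and the value
// separately; whatever $name contains is compared as a literal string and
// can never become part of the SQL, so there is nothing to probe.
function find_image_safe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT name, data FROM images WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Defence in depth: the safe version still runs as a least-privilege account
// (a layer, not a substitute), and the response carries no database error
// text, since blind injection only needs a yes/no signal to work with.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli("localhost", "readonly_user", "PLACEHOLDER_PASSWORD", "shop");

try {
    $row = find_image_safe($db, $_GET['name'] ?? '');
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());   // detail goes to the server log, not the client
    $row = null;
}

header('Content-Type: application/json');
echo json_encode($row === null ? ['error' => 'not found'] : ['name' => $row['name']]);
```

`find_image_unsafe` is kept only to show the contrast; in a real code base every query should go through `find_image_safe`'s pattern (or PDO with bound parameters), with the account privileges and uniform error handling treated as extra layers rather than the primary control.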
