Posted by Ivan Marsh on 05/15/07 17:51
On Tue, 15 May 2007 09:46:52 -0700, shimmyshack wrote:
> On May 15, 4:24 pm, Ivan Marsh <anno...@you.now> wrote:
>> On Fri, 11 May 2007 23:02:45 +0000, Gordon Burditt wrote:
>> >>I set the default user for my connection to the read-only account and
>> >>have to purposefully change the account being used if I want to do
>> >>anything other than just read.
>>
>> >>You can't inject SQL if the account you're using doesn't have rights
>> >>to write to the database.
>>
>> > There are plenty of people who would love to inject
>> > select * from credit_card_account_list;
>> > even if the account you're using has no rights to write to the
>> > database.
>>
>> Obviously I was speaking of injections to cause data corruption.
>>
>> Anyone stupid enough to use credit_card_account_list as a table name
>> deserves to go out of business.
>
> one may gather all the data in a database by blind injecting a query
> which asks "true or false" questions. Subtle behavioural changes in the
> app (timings of response, etc...) can lead to knowledge of the result,
> without the need to receive error messages back through http, this
> prevents WAFs, logs and so on from discovering the existence of the
> attack until it has successfully obtained all the info from the
> database, "is the first letter of the first table in the database
> greater than m?" etc.. etc...
> this thwarts security by obscurity, such as calling the credit_card
> table something like image_data_for_banner_adverts....
That being true, is it not still more difficult to guess something that's
randomly generated than something that has meaning?
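The point shimmyshack makes above (a read-only account and an obscure table name do not stop a blind, true/false injection from reading data) is easy to show in code. The following is an added example, not code from anyone in this thread: a constructed SQLite database with an obscurely named card table, a lookup written by string concatenation beside the same lookup with a bound parameter, and the kind of "is the first letter of a table name in this range?" question the quoted text describes. The table and column names, the sample rows and the `make_probe` helper are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample schema. The card table carries the "obscure" name from the
# thread; the products table is what the application is actually meant to query.
SCHEMA = """
CREATE TABLE image_data_for_banner_adverts (id INTEGER PRIMARY KEY, holder TEXT, number TEXT);
INSERT INTO image_data_for_banner_adverts VALUES (1, 'alice', '4111-1111-1111-1111');
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
INSERT INTO products VALUES (1, 'widget', 1);
INSERT INTO products VALUES (2, 'gadget', 1);
"""


def open_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_exists_vulnerable(conn, name):
    """Lookup built by string concatenation: the caller's text becomes SQL.

    Only a SELECT ever runs here, so a read-only account would not block it.
    """
    sql = "SELECT COUNT(*) FROM products WHERE public = 1 AND name = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0


def product_exists_safe(conn, name):
    """Same lookup with a bound parameter: the text is a value, never SQL."""
    sql = "SELECT COUNT(*) FROM products WHERE public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0


def make_probe(first_letter):
    """Hypothetical helper building the yes/no question from the quoted post:
    'does some table name start with this letter?'  The application answers it
    only through the one bit it already exposes (found / not found)."""
    question = ("(SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' "
                "AND name LIKE '" + first_letter + "%') > 0")
    return "widget' AND " + question + " --"


def compare(name):
    """Return (vulnerable_answer, safe_answer) for one input on a fresh database."""
    conn = open_db()
    try:
        return product_exists_vulnerable(conn, name), product_exists_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    print("plain lookup      :", compare("widget"))
    # The concatenated version answers the question about the schema (a table
    # starting with 'i' exists, none starts with 'z'); the bound version treats
    # the whole string as a product name and answers 'not found' both times.
    print("probe, letter 'i' :", compare(make_probe("i")))
    print("probe, letter 'z' :", compare(make_probe("z")))
```

Renaming the table buys nothing here: the vulnerable lookup answers a different yes/no for `make_probe("i")` and `make_probe("z")`, which is exactly the differential that lets the name (and then the rows) be recovered one question at a time. The bound-parameter lookup answers the same thing for both, so the only reliable fix is to stop building SQL from input, with account privileges as a second layer rather than the first.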