Re: Permission to Select - Mailing list pgsql-sql

From PFC
Subject Re: Permission to Select
Date
Msg-id op.s6ddkgyncigqcu@apollo13
Whole thread Raw
In response to Re: Permission to Select  (Rod Taylor <pg@rbt.ca>)
Responses Re: Permission to Select
List pgsql-sql

> What information can be retrieved from a structure by being able to
> update all rows?
Write a plpgsql function snoop(x) which inserts x into a table 'log'  
created by you, and also returns x.UPDATE users SET password=snoop(password).Read log table.Done.
If you have WHERE rights on a table, you can guess any column content  
pretty quick. Just do a binary search. Some time ago I had a friend whose  
website had some SQL injection holes, and he said "so what ? who cares ? I  
have magicquotes" (lol), so I coded a python script which injected a  
"password BETWEEN x AND y" (using CHR() to avoid quotes) and narrowed the  
search. It took about 1 minute to get the password (which turned out to be  
md5 that resisted a few seconds to dictionary attack using whatever evil  
hax0rz tool).


pgsql-sql by date:

Previous
From: Richard Huxton
Date:
Subject: Re: Constraint Error effect on PostgreSQL
Next
From: "Daniel Caune"
Date:
Subject: Re: connectby documentation