[LegionMammal978]

Is there not any SQLi vulnerability in practice that doesn't allow such an information recovery? That is, is the schema-recovery step so foolproof that it can always be performed on any target form? GP is suggesting that this may be difficult, depending on the kind of signal that gets returned from the form.

[tptacek]

In my entire experience as a software security practitioner, which at the time of my testimony encompassed some hundreds of assessments of SQL-backed websites, the availability of a schema has never impacted my ability to exploit a SQL injection. It's not my job as an expert witness, nor Matt's job as a plaintiff, to invent improbable scenarios where security could hinge on schema availability. The court (all of them, in fact) found that testimony dispositive, so I'm happy to leave the issue there.

[hot_gril]

"Blind" SQLi is a thing, but even in the real-life example I could find, it wasn't exactly blind. They could still use the timing to get one bit of info at a time and discern the email addresses. https://www.invokesec.com/2025/01/13/a-real-world-example-of...

It's hard to imagine a case where you can't even get info based on timing. But it requires more effort and knowledge to exploit this.