by kmoser 484 days ago
Knowledge of the column names doesn't give you insight into whether a vulnerability exists. It gives you insight into what you can do with a vulnerability, should it exist. For example, if you want to set your account balance to $1 million, you'd need to know the column name in order to generate a valid query. Without advance knowledge of the column name, your job becomes harder.
SQL injection will give you the entire schema anyway. It doesn't help if someone tells you the col names beforehand. I'm more wondering about non-SQL-injection vulns.
SQL injection isn't just an SSH tunnel to the database. If the line you've injected isn't a SELECT and the backend never fetches it, how does the injection give you the column names?
Wait, this is known as a blind SQLi, and it's not so blind. You can still use timing to get the info you need one bit at a time. This may be slow, but it's doable without triggering any DB errors, so you have time.
People come up with the darndest things.
Yeah, it's a cool trick and not obvious. I think when I said SQL injection gets you the schema, I was recalling some faint old memory from a security course without remembering why this is doable.
I've seen this done by enumerating possible table names.
That's a typical way, but the errors might alert them, and of course maybe the names aren't so easily guessed.
Oops you're right, it's possible that you have no way to read things back.
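Added example (mine, not from any commenter in this thread) of how a defender could spot the timing-based blind injection the thread describes by reading it back out of web access logs. The log format, field order, sample lines and the `bit_N` placeholder conditions are constructed assumptions; the point is that latency alone is not evidence, a delay primitive in the decoded query string is.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the thread): client, method, path+query, status, latency in ms.
# 10.0.0.7 is a legitimately slow report endpoint; 10.0.0.9 shows the fast/slow split of a bit-by-bit timing probe.
SAMPLE_LOG = """\
10.0.0.5 GET /account?id=42 200 18
10.0.0.5 GET /account?id=42 200 21
10.0.0.9 GET /account?id=42%27%20AND%20SLEEP(5)-- 200 5012
10.0.0.9 GET /account?id=42%27%20AND%20IF(bit_1,SLEEP(5),0)-- 200 5008
10.0.0.9 GET /account?id=42%27%20AND%20IF(bit_2,SLEEP(5),0)-- 200 15
10.0.0.9 GET /account?id=42%27%20AND%20IF(bit_3,SLEEP(5),0)-- 200 5011
10.0.0.7 GET /report?range=month 200 4900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# Time-delay primitives of common engines; one of these in a decoded query string is suspicious by itself.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_lock\.sleep)\b", re.IGNORECASE)
SLOW_MS = 2000  # latency above which a request counts as "slow" for the timing heuristic


def parse(log_text):
    """Yield (client, path, decoded_query, status, ms) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status, ms = m.groups()
        path, _, query = target.partition("?")
        yield client, path, unquote_plus(query), int(status), int(ms)


def analyze(log_text, slow_ms=SLOW_MS, min_hits=2):
    """Return {client: {"delay_payloads": n, "slow_requests": n, "paths": [...]}} for clients that
    sent delay primitives, optionally corroborated by slow responses. Slow responses alone never flag."""
    stats = defaultdict(lambda: {"delay_payloads": 0, "slow_requests": 0, "paths": set()})
    for client, path, query, _status, ms in parse(log_text):
        if DELAY_RE.search(query):
            stats[client]["delay_payloads"] += 1
            stats[client]["paths"].add(path)
        if ms >= slow_ms:
            stats[client]["slow_requests"] += 1
    flagged = {}
    for client, s in stats.items():
        # A slow report endpoint is not an attack; require at least one delay payload before flagging.
        if s["delay_payloads"] >= min_hits or (s["delay_payloads"] and s["slow_requests"]):
            flagged[client] = {**s, "paths": sorted(s["paths"])}
    return flagged
```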