
Never underestimate the SQL injection! There is likely some function being called somewhere that has higher permissions than your initial query.

The Schemaverse has a SQL Injection trophy with no actual code path to win it. After 2 1/2 years, there are two people who have it.



I find it confusing to call this kind of attack "SQL injection", as it is much better described by "privilege escalation", isn't it?


I wouldn't say that. Elevation could be done in a myriad of ways, and injection is one of them. The question is whether you are causing a query to go wrong by feeding it specially crafted text. The only scenario without useful injection is one where you have complete and convenient root access from all input methods.
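Added example, not part of the thread and not code from any commenter or from the Schemaverse: a sketch of the "function with higher permissions" case, assuming PostgreSQL, where a `SECURITY DEFINER` function runs with its owner's rights. The table, role and function names are hypothetical; the first function is the flawed pattern, the second the corrected form.

```sql
-- Assumptions: PostgreSQL; every name below is hypothetical.
CREATE ROLE game_players NOLOGIN;

CREATE TABLE public.player_notes (
    owner name NOT NULL,   -- login role that owns the row
    note  text NOT NULL
);
-- Callers get no direct access; they must go through a function.
REVOKE ALL ON public.player_notes FROM PUBLIC;

-- BEFORE: executes with the function owner's privileges and splices the
-- caller's text into the statement, so that text is parsed as SQL at the
-- owner's privilege level rather than the caller's.
CREATE FUNCTION public.find_notes_unsafe(pattern text)
RETURNS SETOF text
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT note FROM player_notes WHERE owner = session_user'
        || ' AND note LIKE ''' || pattern || '''';
END;
$$;

-- AFTER: the caller's text is bound as a value ($1 ... USING), never parsed.
-- search_path is pinned and the table is schema-qualified so the caller
-- cannot substitute their own objects, and EXECUTE is granted explicitly.
CREATE FUNCTION public.find_notes(pattern text)
RETURNS SETOF text
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT note FROM public.player_notes'
        || ' WHERE owner = session_user AND note LIKE $1'
        USING pattern;
END;
$$;

REVOKE EXECUTE ON FUNCTION public.find_notes(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION public.find_notes(text) TO game_players;

-- The flawed version should not remain callable once the fix is in place.
DROP FUNCTION public.find_notes_unsafe(text);
```

Inside a `SECURITY DEFINER` function `current_user` is the function owner, which is why the row filter uses `session_user` to identify the caller.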



