A lot of other commands require parameters that the attacker may not know the values for. Those require more knowledge about the system that first needs to be exfiltrated. Not every (hacked) query has its output directly plastered back in the UI, webpage or API response. So that would need more hacking, even if the "sleep" tells the hacker they're on to something. Disabling "sleep" would take away the canary, would it not? Maybe the hacker isn't even interested in dropping tables.
Disabling sleep would not take away the canary; it would make it more inconvenient - every instance of sleep can be replaced with some convoluted query that does a very slow calculation.