Sep 5, 2018 · 1 min read
The trick is how “read-only” user defined — if a user cannot modified tables, can he/she modify file system itself?
- Statements that can dump output to file system like “SELECT INTO OUTFILE”
- User can still have permissions to system commands like xp_cmdshell
Another problem with read-only db is enumeration. Tables may not store anything sensitive, but an attacker can request a database version and applied patches through Select statement. DB version can be not vulnerable or not really exploitable from outside but still…