Jaromir emailed me a link to a paper he has written on SQL injection where he manipulates the where clause of an existing statement that can be exploited via SQl injection. Normal wisdom says that if you can only manipulate the where clause you cannot access the data in tables not included in the existing FROM clause. He is using the technique of inference
the result. This is similar to the newton-raphson technique used in interest calculations for loans and lease agreements. His first example says is the number of credit cards in the table less than 6 if it is, test if its less than three and home in on the result. This is same technique as Newton-Raphson.
Jaromir then extends the technique to guess the length of a column of a table that he is interested in (Say the credit card number column) and then he extends further to guess the character at each position in each field (column) for each row (the count above).
Jaromir includes examples for reading numbers and strings written in the groovy language and includes a source code download as well as fully worked examples as an appendix.
The paper is titled "Reading Data with the Where Clause
", very nice piece of work.