I have a question regarding exercise 7, for the following two questions:
1. The attacker is able to see the number of returned rows. Which queries can they use to exfiltrate some information about the password for admin?
2. The attacker is able to see whether any row was returned at all. Which queries can they use to exfiltrate some information about the password for admin?
The answer SELECT * FROM users WHERE password='123' has been marked as wrong, even though it does leak information about the password for 'admin'. Here's the scenario where this would leak the information:
assume the attacker executes the SQL injection, and the web app returns 0 rows (or nothing at all, for the 2nd question), then we can infer from this that the password for 'admin' is NOT '123', since it doesn't exist in the database AND we know that 'admin' is in the database. So while we don't know what is admin's password, we do know that is it not '123'.
Please let me know if my thought process missed any part of the question, because the way I think about such questions is we should always consider all possible scenarios and whether they would leak any information.
If the question would be marked as 'correct' then I'd really appreciate it if you could re-grade my marks for these two questions.