Difference between revisions of "Boolean enumeration"

From NetSec
(6 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Boolean enumeration is used to discover data when you can only ask the an information system yes or no questions about the value of one byte.
+
'''Boolean enumeration''' is used to discover data when you can only ask the an information system yes or no questions about a value.
  
 
This is especially useful in [[SQL injection]].   
 
This is especially useful in [[SQL injection]].   
  
As we know because of [http://wiki.dotslashproductions.net/Assembly_Basics#Counting hexadecimal], the largest value any byte can hold is 255.  So, we can ask the question:
+
As we know because of [[Assembly_Basics#Counting|hexadecimal]], the largest value any byte can hold is 255.  So, we can ask the question:
  
 
Is the value of our one [[byte]] at this position greater than 128?
 
Is the value of our one [[byte]] at this position greater than 128?
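
Review bot: the rewritten opening line still carries the typo "ask the an information system"; drop the stray "the" while this line is being touched. The same line now generalises from "the value of one byte" to "a value", but the unchanged text below it still reasons about a single byte (maximum 255, "greater than 128"), so a short sentence tying the general case to the per-byte case would keep the introduction consistent.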
Line 11: Line 11:
 
Eventually you will have to use less than and equal to as questions.  Once you get the value, you can move onto the next [[byte]].
 
Eventually you will have to use less than and equal to as questions.  Once you get the value, you can move onto the next [[byte]].
  
[[Category:Information]]
+
= Guess a number algorithm =
 +
 
 +
Let there be a number N we know to be between bounds A and B
 +
Our guess is G
 +
{{code|text=
 +
* IS G == N?
 +
** if yes finish
 +
** if no
 +
*** IF (B-A)==1 # special case, parity issues sometimes
 +
**** G=A
 +
**** IF G==N FINISH
 +
**** ELSE G=B
 +
**** IF G==N FINISH
 +
*** is G > N ?
 +
**** IF YES THEN B = G
 +
**** IF NO THEN A = G
 +
**** G = (A + B) / 2
 +
*** START AGAIN}}
 +
 
 +
[[Category:Programming]]
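
Review bot: the added pseudocode never says what G starts as; state the initial guess (for example the midpoint of A and B) before the first "IS G == N?" step. In the "is G > N ?" branch, "B = G" and "A = G" keep a guess that has already been rejected inside the bounds, which is what forces the "(B-A)==1" special case; moving the bound past G would let that case go. "G = (A + B) / 2" should also say that the division rounds down.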

Latest revision as of 20:06, 7 August 2012

Boolean enumeration is used to discover data when you can only ask an information system yes or no questions about a value.

This is especially useful in SQL injection.

As we know because of hexadecimal, the largest value any byte can hold is 255. So, we can ask the question:

Is the value of our one byte at this position greater than 128?

If so, we can add 64 to 128 and ask if it's greater than that. Otherwise, we can ask if it's greater than 64.

Eventually you will have to use less than and equal to as questions. Once you get the value, you can move on to the next byte.

Guess a number algorithm

Let there be a number N we know to be between bounds A and B.

Our guess is G.

  • IS G == N?
    • if yes finish
    • if no
      • IF (B-A)==1 # special case, parity issues sometimes
        • G=A
        • IF G==N FINISH
        • ELSE G=B
        • IF G==N FINISH
      • is G > N ?
        • IF YES THEN B = G
        • IF NO THEN A = G
        • G = (A + B) / 2
      • START AGAIN
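
An added example (not part of the original wiki page) of the guess-a-number search, run against a constructed local oracle that only answers yes or no. It is a variant of the steps above: it asks only "greater than" questions and moves each bound past the rejected guess, so the (B-A)==1 special case is not needed. The names `make_oracle`, `find_number` and `enumerate_bytes` are hypothetical.

```python
from typing import Callable


def make_oracle(secret: bytes):
    """Constructed local stand-in for the information system (hypothetical).

    It never returns a byte; it only answers "is byte[pos] > guess?".
    """
    stats = {"questions": 0}

    def is_greater(pos: int, guess: int) -> bool:
        stats["questions"] += 1
        return secret[pos] > guess

    return is_greater, stats


def find_number(is_greater: Callable[[int], bool], a: int, b: int) -> int:
    """Find N with a <= N <= b using only yes/no answers to "N > G?"."""
    while a < b:
        g = (a + b) // 2      # G = (A + B) / 2, rounded down
        if is_greater(g):     # yes: N lies in G+1 .. B
            a = g + 1
        else:                 # no: N lies in A .. G
            b = g
    return a                  # bounds have met, so A == B == N


def enumerate_bytes(is_greater, length: int) -> bytes:
    """Recover `length` bytes one position at a time, with bounds 0..255."""
    out = bytearray()
    for pos in range(length):
        out.append(find_number(lambda g, p=pos: is_greater(p, g), 0, 255))
    return bytes(out)


def demo():
    secret = b"s3cr3t\x00\xff"   # constructed sample, includes both extremes
    is_greater, stats = make_oracle(secret)
    recovered = enumerate_bytes(is_greater, len(secret))
    return recovered, stats["questions"]


if __name__ == "__main__":
    recovered, questions = demo()
    print(recovered, questions)
```

With bounds 0..255 the range halves exactly on every question, so each byte costs 8 questions regardless of its value.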