Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Boolean enumeration"

From NetSec
Jump to: navigation, search
Line 29: Line 29:
 
**** G = (A + B) / 2
 
**** G = (A + B) / 2
 
*** START AGAIN
 
*** START AGAIN
 +
 +
[[Category:Exploitation]]

Revision as of 07:41, 19 May 2012

Boolean enumeration is used to discover data when you can only ask the an information system yes or no questions about the value of one byte.

This is especially useful in SQL injection.

As we know because of hexadecimal, the largest value any byte can hold is 255. So, we can ask the question:

Is the value of our one byte at this position greater than 128?

If so, we can add 64 to 128 and ask if its greater than that. Otherwise, we can ask if its greater than 64.

Eventually you will have to use less than and equal to as questions. Once you get the value, you can move onto the next byte.

Guess a number algorithm

Let there be a number N we know to be between bounds A and B Our guess is G

  • IS G == N?
    • if yes finish
    • if no
      • IF (B-A)==1 # special case, parity issues sometimes
        • G=A
        • IF G==N FINISH
        • ELSE G=B
        • IF G==N FINISH
      • is G > N ?
        • IF YES THEN B = G
        • IF NO THEN A = G
        • G = (A + B) / 2
      • START AGAIN