google #1

Fine, make me laugh, what is the proper name for the attack.

Hint, it is not "boolean blind sql injection".

You have no idea what you are talking about nor how it works. The whole reason I stated it is because it is not well known and there is only one public article on the attack with the math required to execute it. Thus why I was challenging the OP to solve it with their advanced math and logic skills.

Tell me how to calculate the number of bits able to be retrieved with a single request based on the number of columns in a table. I wont make you figure out the harder math (which isn't actually hard) for retrieving said data.

Hint it is not 1 bit per request.

This post was edited by AbDuCt on May 17 2017 06:53pm

There is not just one public article about this topic and the math you're talking about has too many unknown variables to be solved. Stupid or trolling I'm not sure.

You have no idea either.

Whats the name of the attack. Let's start going through this systematically since you guys can't. Also there is only 1 variable. The number of columns in a database. Can't you read?

Hint, you must use the log function to calculate a partial bits per request.

This post was edited by AbDuCt on May 17 2017 07:51pm

Blind or time-based sql injection... this is just a type of sql injection and it will vary greatly in every scenario in which you execute it.

Boolean blind and time based SQL injection gathers one bit per request. Thanks for proving you have no idea.

Hell heres even simpler math, How many requests does it take to retrieve one byte with the previously named attacks.

This post was edited by AbDuCt on May 17 2017 08:41pm

You're spouting bullshit and talking like you're above everyone else. Please explain the exploit you're talking about and why we're all so wrong.

Fine.

Boolean SQLi is able to retrieve 1 bit per request via a floor and ceiling halfed algorithm where true false questions are asked seeing if the current byte being requested is between a floor and ceiling value which halfs each iteration of the algorithm.

Example: The initial starting point could be byte > 128 && byte < 256, if its true then we half the range and ask again, 8 times until we find our byte we are requesting.

This retrieves one bit per request, 8 requests are needed to fetch an entire byte.

Now the next method is called precomputation. This allows for greater than one bit to be extracted per request based on the number of columns in the table you are attacking. You likely will not find this anywhere on the internet. Because, uh, only 2 people wrote this and without the sql queries you will likely never figure out how to use it.

To calculate the number of bits lets make x (the number of columns) equal 32. This is not an infeasible number of records on a table that is web facing.

We can calculate the number of bits we can extract per request via using the log and modulo function to find the number of bits and trim the excess. The number of bits that can be extracted is not a linear function and has to be placed on a logarithmic scale. As the number of pages increases we increase at a decreasing rate how many bits we can extract in a single request.
Our bits we can extra per request would be calculated as



The number of bits we can extract is 5 per request. Next we find our factor and number of bytes we need to read at once in order to optimize the algorithm.



Due note that lcm stands for lowest common multiple. The factor and bytes we use later to extract data from the table.

Next we find the iterations we need to completely pull the full bytes of data from the table. Say our query return is "yall cant math", length 14. We find our total number of iterations to extract a full query by checking to see if our bytes we can extract evenly divide into our query length, if not increment by one. in our case we need 4 iterations



Next we figure out how many times we have to shift per iteration to retrieve our block of 4 bytes. This is done by simply dividing the lowest common multiple of total bits by how many bits we have total subtract one. If our lcm bits are not evenly divided by total bits we have to use modulo to clean the number up.



That's it for the prep math, time for the actual algorithm! I will leave the SQL queries out since this is apparently so widely documented and easy to understand for all of you.

We start at 1 and step through our result query `bytes` at a time (4) to find our position inside our query result. The first iteration would be a substring(1, 4) of "yall cant math" aka "yall", 4 bytes.

Now we iterate shift times (in our case 7) down to 0 to extract the number of `bytes` (4) from our query requesting 5 bits at a time per request.

We find our divisor for the query via



In case this is to hard for you the divisor is 34359738368 for the first iteration.

Next we construct our query in which the page rendered (between 0 and 32) reveals the first portion of our message via dividing the base 10 converted hex converted result of our substring.

The first page loaded between 0 and 32 would be 0. We add this to a accumulator where we multiply the value retrieved by our divisor.

accumulator += 0 * 34359738368

Now we shift once and readjust our variables!

Now the divisor is equal to 1073741824. We divide and modulo again by our divisor and the modulo and we get page number 1 loaded!

accumulator += 1 * 1073741824

Next iteration: Divisor is 33554432, page loaded is 28:
Next iteration: 1048576, 22
Next iteration: 32768, 2
Next Iteration: 1024, 27
Next iteration: 32, 3
Last iteration: 1, 12

Now our accumulator equals 2036427884. Want to know something funny? Let's convert 2036427884 into hex: 79616c6c Now lets convert it to ascii: "yall"

HOLY SHIT GUYS WE EXTRACTED 4 BYTES IN 7 REQUESTS AT 5 BITS PER REQUEST USING MATH.

Don't worry, I don't blame you guys. After all you can't google how to be knowledgeable in a field.

This post was edited by AbDuCt on May 17 2017 09:57pm

Nice, so you just copy pasted from the first result in google. Still no idea why are you so impressed with mid-school level of math. But please, keep thinking you're better than anyone else



This post was edited by nuvo on May 18 2017 03:18am

Abduct you are being silly. Knowing some obscure sql attacks isn't what makes a good software engineer lol.