[sqlmap-users] Markov chain
From: Carlos G. V. <car...@gm...> - 2010-11-17 14:57:37
Hi to all. Before all, I want to mention that I've been working with the repository version of sqlmap (0.9) and it's awesome.

I want to propose something crazy: Markov chains (http://en.wikipedia.org/wiki/Markov_chain). Keeping it simple: a Markov chain is a tool that works on predictive events. It works with events, generating a "chain" (a list) of which event is going to happen if certain events have already happened.

When using sqlmap, let's say, when enumerating users, if in the middle of the process we see that the user is "roo", it's obvious that the last char will be a "t". If a table name is "aucti", the rest will be "on". If we see the "events" of the Markov chain as the probability of finding one char knowing the predecessor chars, it could be used in sqlmap, at least to "try" the most frequent char for the previous combination, based on a dictionary of words (common users, tables, structures, values, etc.). Another capability of a Markov chain is that it has "memory"; in the case of char prediction, the memory specifies how many chars it will be "looking back" when predicting the next one.

I have coded a sample in Python that shows the process in a very foolish example. It's a tool that takes a dictionary as input and a "memory size" (default 2 chars back), and generates a random text based on this chain. The result will be random text similar to the language used in the dictionary. In sqlmap, the chain could be used to test the next "most probable" character for the partially guessed string, based on a dictionary of common words.
For example, the script was used on a dict file generated using "sqlmap --help > testdict.txt", with this output:

$ ./markov_chain.py -d testdict.txt -m 4
sqlmap/0.8 - authe cookie header --ver takeover own SQL injection INI file click processions can behaviour or stack-end DBMS database gentry key value=RFILE -c CONFIGFILE Write DBMS current Last from retrinter(s) ratingerpreteration cert=ACERT First or structure affection (defaults (default 1)

Look how the "randomly" generated text using the chain is very, very similar to English. I'm attaching the source to the mail. Hope it can help!

Best regards,
--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar
PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
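The mechanism the mail describes, as an added example that is not the attached markov_chain.py and not sqlmap code: a character-level Markov chain trained on a word list with a configurable memory (context length), a candidates() method that ranks the next character for a partially recovered string (the "roo" -> "t" and "aucti" -> "on" cases above), a greedy complete() that extends a prefix with the most likely characters, and a generate() that draws random text from the learned transitions the way the posted script does. The word list SAMPLE_WORDS, the START/END sentinels and all method names are this example's own assumptions.

```python
"""Character-level Markov chain over a word list.

Learns which character usually follows a given k-character context and uses
that to rank next-character guesses for a partially recovered string, or to
generate random text from the same transition table.
"""
import random
from collections import Counter, defaultdict

START = "\x02"  # pads the front of every word so short prefixes still have a context
END = "\x03"    # end-of-word marker; a high END probability means "the string is probably complete"

# Constructed sample dictionary: a stand-in for a list of common user/table names
# (assumption for this example, not data from the mail).
SAMPLE_WORDS = ["root", "roles", "rooms", "admin", "auction", "auth", "users", "user", "accounts"]


class CharMarkovChain:
    def __init__(self, memory=2):
        if memory < 1:
            raise ValueError("memory must be >= 1")
        self.memory = memory
        # context (last `memory` chars) -> Counter of the character that followed it
        self.counts = defaultdict(Counter)

    def train(self, words):
        for word in words:
            padded = START * self.memory + word + END
            for i in range(self.memory, len(padded)):
                context = padded[i - self.memory:i]
                self.counts[context][padded[i]] += 1
        return self

    def _context(self, partial):
        # Left-pad with START so even an empty prefix maps to a known context.
        return (START * self.memory + partial)[-self.memory:]

    def candidates(self, partial):
        """Next-character candidates for `partial`, most likely first, as
        (char, probability) pairs.  END among them means the word may be done.
        Ties keep the order in which the characters were first seen in training."""
        counter = self.counts.get(self._context(partial))
        if not counter:
            return []
        total = sum(counter.values())
        return [(ch, n / total) for ch, n in counter.most_common()]

    def complete(self, partial, max_len=64):
        """Greedily extend `partial` with the most likely character until END
        (or until the context was never seen in training)."""
        out = partial
        while len(out) < max_len:
            cands = self.candidates(out)
            if not cands or cands[0][0] == END:
                break
            out += cands[0][0]
        return out

    def generate(self, max_len=40, seed=0):
        """Random text sampled from the learned transitions, one word at a
        time, separated by spaces; the text is at most `max_len` characters."""
        rng = random.Random(seed)
        out, current = "", ""
        while len(out) + len(current) < max_len:
            cands = self.candidates(current)
            if not cands:
                break
            chars, weights = zip(*cands)
            ch = rng.choices(chars, weights=weights)[0]
            if ch == END:
                out += current + " "
                current = ""
            else:
                current += ch
        return (out + current).strip()


if __name__ == "__main__":
    chain = CharMarkovChain(memory=2).train(SAMPLE_WORDS)
    print("after 'roo':", chain.candidates("roo"))
    print("after 'aucti':", chain.candidates("aucti"))
    print("complete('aucti'):", chain.complete("aucti"))
    print("random text:", chain.generate(max_len=40, seed=1))
```

In a guessing loop the ranked list from candidates() is the order in which the next character would be tried, and END near the top of that list is the signal that the partial string is likely already the whole value; memory trades specificity (a longer context predicts better) against coverage (a longer context is more often unseen and returns nothing).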