Home

elsware

This project represents some ideas I've had regarding how to improve blind sql injection exploitation.

Raw data, extracted using a full 8 bit character set (could be 7 I guess):

"This is some text! 123! @"
This took 208 queries, or 8 queries per character.

But, there's a lot of "data" there that's not information. I got this:

"THIS IS SOME TEXT. ###. ."
With 130 queries, or 5 queries per character. This is 5/8th's of the time, bandwidth, and footprint, or almost 40% faster!

You can use this to look for information that seems interesting. The special characters tell me about the data. I see the alphas, and the numbers are indicated by #. The '.' tell me that there is punctuation there.

The next step is to write a "refine" functionality that will take this data and refine it to it's original form. I can leverage what I already know, so that getting precise data takes:

  • 1 query for alpha's (to determine case)
  • 4 queries for numbers (4 bits)
  • 5 or 7 queries for everything else, depending on which meta character is in the "scrunched" data.


Auth0 Logo