-
Notifications
You must be signed in to change notification settings - Fork 412
Strategies
πjSQL
is checking from slowest to fastest strategies in order to identify the best strategies and to get rows efficiently.
The slowest strategy gets a single character bit-by-bit with 7 requests, the fastest strategy gets large chunks of text with a single query.
The simplest strategy shows the rows directly in the source page, the worst strategy does not even display anything.
Note
Open a discussion to share about additional strategies you know.
The following pseudo-code describe the extraction methods from the simplest to the most convoluted.
Union-based is the standard strategy that extracts the most chars with the least amount of queries.
Response from the target contains directly the SQL result so the process is really fast.
select row then show row
βοΈ ~100k chars in 1 request
Strategy is basically identical and as efficient as Normal
, though Stacked
feature is not proposed by all engines thus less frequently encountered.
select row then show row
βοΈ ~100k chars in 1 request
Database engines may contain buggy syntax processor which can be triggered by a specific forged SQL query. The result appears directly in a error message returned by the database however with a size reduced significantly.
Error strategy gets the SQL results directly in the response so it's still really efficient, particularly useful when Normal strategy is not working.
select row then show row in internal error message
βοΈ ~100 chars in 1 request
For various reasons you may not get the result directly in the response, nevertheless target can show a specific given text for a specific query.
It means you can query the database to get an exact response like Yes
or No
depending on the text in the response.
Additionally each letter can be translated into its ASCII integer code, which in turn can be split into its binary components:
char:'a' β‘οΈ ascii:97 β‘οΈ bin:1100001
You can thus query the entire result bit-by-bit and char-by-char, even when the target does not return anything directly. However it's significantly slower than Normal
or Error
.
if Nth bit of char X in the row is 1
then π’ show page A
else π΄ show page B
βοΈ Nth bit of ascii(X in the row) from 1 to 7 is π’ or π΄ ?
β‘οΈ pages:π’;π’;π΄;π΄;π΄;π΄;π’ β‘οΈ bin:1100001 β‘οΈ ascii:97 β‘οΈ char:'a' in 7 requests
Here is when the target does not even return anything in the page, no SQL result, no specific text related to the query.
With Time the criteria allowing to query the database for Yes
and No
is the delay required by the target to load.
Like Blind the entire result is built bit-by-bit. It's also even slower than Blind
and depends strongly on the network quality and on target reliability, consequently you may get corrupted chars as the loading time is not strictly reliable.
if Nth bit of char X in the row is 1
then π’ sleep 5s
else π΄ do-nothing
βοΈ Nth bit of ascii(X in the row) from 1 to 7 is π’ or π΄ ?
β‘οΈ pages:π’;π’;π΄;π΄;π΄;π΄;π’ β‘οΈ bin:1100001 β‘οΈ ascii:97 β‘οΈ char:'a' in 7 requests
Binary representation of chars can be processed more efficiently than Blind if you can get groups of bits, yet the target requires a set of 7 distinct responses to match any of the possible groups of Yes
and No
combination.
Applicable use case is when you can query by id and you get distinct content for every id (eg. ?id=1
, ?id=2
, etc).
if Nth bit-group of char X in row is 000 then π΄π΄π΄ show page A
else if Nth bit-group of char X in row is 001 then π΄π΄π’ show page B
...
else if Nth bit-group of char X in row is 110 then π’π’π΄ show page F
else if Nth bit-group of char X in row is 111 then π’π’π’ show page G
βοΈ Nth bits-group of ascii(X in row) from 1 to 3 ?
β‘οΈ pages:π΄π΄π’;π’π΄π΄;π΄π΄π’ β‘οΈ bin:1100001 β‘οΈ ascii:97 β‘οΈ char:'a' in 3 requests
- DNS: mount a DNS server, inject target with calls to the DNS server subdomain then get result from DNS logs
- Position: get
Boolean
result from a limited chars map, reducing from 7 to 3 queries - Duality: combine
Time
withBlind
to extract 2 bits directly - Ascii: convert each char to ASCII code and open matching page id similarly to
Multibit
Speed | Read bit(s) |
Page Diff |
Show rows |
Show onINSERT
|
Show onUPDATE
|
Show onDELETE
|
|
---|---|---|---|---|---|---|---|
Time |
πππ | βοΈ | β¬ | β | β | β | β |
Blind |
ππ | βοΈ | βοΈ | β | β | β | β |
Multibit |
π | βοΈ | βοΈ | β | β | β | β |
Error |
β‘ | β¬ | β¬ | βοΈ | βοΈ | βοΈ | βοΈ |
Stacked |
β‘β‘β‘ | β¬ | β¬ | βοΈ | β | β | β |
Normal |
β‘β‘β‘ | β¬ | β¬ | βοΈ | β | β | β |