Potential patch for #1636

2024-11-25 11:03:47 +03:00 · 2016-01-09 00:55:01 +01:00 · 2016-01-09 00:55:01 +01:00 · 0f8a551227
commit 0f8a551227
parent 3c9be947c5
2 changed files with 20 additions and 2 deletions
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -5,6 +5,7 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """

+import re
 import threading
 import time

@ -25,6 +26,7 @@ from lib.core.common import getPartRun
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
 from lib.core.common import incrementCounter
+from lib.core.common import randomInt
 from lib.core.common import safeStringFormat
 from lib.core.common import singleTimeWarnMessage
 from lib.core.data import conf
@ -42,6 +44,7 @@ from lib.core.settings import INFERENCE_UNKNOWN_CHAR
 from lib.core.settings import INFERENCE_GREATER_CHAR
 from lib.core.settings import INFERENCE_EQUALS_CHAR
 from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
+from lib.core.settings import MIN_TIME_RESPONSES
 from lib.core.settings import MAX_BISECTION_LENGTH
 from lib.core.settings import MAX_TIME_REVALIDATION_STEPS
 from lib.core.settings import PARTIAL_HEX_VALUE_MARKER
@ -267,6 +270,21 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(posValue))
                    forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)

+                if timeBasedCompare and kb.whereCollectTimes:
+                    kb.responseTimes = []
+
+                    warnMsg = "\n[%s] [WARNING] time-based comparison requires " % time.strftime("%X")
+                    warnMsg += "larger statistical model, please wait"
+                    dataToStdout(warnMsg)
+
+                    while len(kb.responseTimes) < MIN_TIME_RESPONSES:
+                        falseWherePayload = re.sub(r"\b%s\b" % posValue, str(randomInt(6)), forgedPayload)
+                        Request.queryPage(falseWherePayload, content=True, raise404=False)
+                        dataToStdout('.')
+
+                    dataToStdout("\n")
+                    kb.whereCollectTimes = False
+
                result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
                incrementCounter(kb.technique)

--- a/plugins/generic/entries.py
+++ b/plugins/generic/entries.py
@ -237,7 +237,7 @@ class Entries:
                    query = whereQuery(query)

                    if conf.dumpWhere:
-                        kb.whereResponseTimes = True
+                        kb.whereCollectTimes = True
                        pushValue(kb.responseTimes)

                    count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
@ -330,7 +330,7 @@ class Entries:

                    if conf.dumpWhere:
                        kb.responseTimes = popValue()
-                        kb.whereResponseTimes = False
+                        kb.whereCollectTimes = False

                    for column, columnEntries in entries.items():
                        length = max(lengths[column], len(column))