From 0f8a551227b764cd80ead916fbea5ef4299c1985 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sat, 9 Jan 2016 00:55:01 +0100
Subject: [PATCH] Potential patch for #1636

---
 lib/techniques/blind/inference.py | 18 ++++++++++++++++++
 plugins/generic/entries.py | 4 ++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index cf8e2dad5..aa04ceb9c 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -5,6 +5,7 @@ Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import re
 import threading
 import time
 
@@ -25,6 +26,7 @@ from lib.core.common import getPartRun
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
 from lib.core.common import incrementCounter
+from lib.core.common import randomInt
 from lib.core.common import safeStringFormat
 from lib.core.common import singleTimeWarnMessage
 from lib.core.data import conf
@@ -42,6 +44,7 @@ from lib.core.settings import INFERENCE_UNKNOWN_CHAR
 from lib.core.settings import INFERENCE_GREATER_CHAR
 from lib.core.settings import INFERENCE_EQUALS_CHAR
 from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
+from lib.core.settings import MIN_TIME_RESPONSES
 from lib.core.settings import MAX_BISECTION_LENGTH
 from lib.core.settings import MAX_TIME_REVALIDATION_STEPS
 from lib.core.settings import PARTIAL_HEX_VALUE_MARKER
@@ -267,6 +270,21 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                 unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(posValue))
                 forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
 
+            if timeBasedCompare and kb.whereCollectTimes:
+                kb.responseTimes = []
+
+                warnMsg = "\n[%s] [WARNING] time-based comparison requires " % time.strftime("%X")
+                warnMsg += "larger statistical model, please wait"
+                dataToStdout(warnMsg)
+
+                while len(kb.responseTimes) < MIN_TIME_RESPONSES:
+                    falseWherePayload = re.sub(r"\b%s\b" % posValue, str(randomInt(6)), forgedPayload)
+                    Request.queryPage(falseWherePayload, content=True, raise404=False)
+                    dataToStdout('.')
+
+                dataToStdout("\n")
+                kb.whereCollectTimes = False
+
             result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
             incrementCounter(kb.technique)
 
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
index 5c83de4a4..ceabe2eb8 100644
--- a/plugins/generic/entries.py
+++ b/plugins/generic/entries.py
@@ -237,7 +237,7 @@ class Entries:
                 query = whereQuery(query)
 
                 if conf.dumpWhere:
-                    kb.whereResponseTimes = True
+                    kb.whereCollectTimes = True
                     pushValue(kb.responseTimes)
 
                 count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
@@ -330,7 +330,7 @@ class Entries:
 
                 if conf.dumpWhere:
                     kb.responseTimes = popValue()
-                    kb.whereResponseTimes = False
+                    kb.whereCollectTimes = False
 
                 for column, columnEntries in entries.items():
                     length = max(lengths[column], len(column))
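Review bot: The `falseWherePayload` built inside the `while` loop rewrites the finished `forgedPayload` with `re.sub(r"\b%s\b" % posValue, str(randomInt(6)), forgedPayload)`, which matches the decimal character code as free text rather than the comparison operand: in this branch the operand is `unescapedCharValue` (a quoted, escaped character), so the decimal `posValue` may not occur at all — then `falseWherePayload == forgedPayload` and every sample added to `kb.responseTimes` comes from the real query, which is exactly what the model is meant to exclude — or it may occur elsewhere in the payload (`idx`, constants in the expression) and be replaced there too, changing the query shape. Building the false payload from the template at the point `forgedPayload` is formed (substituting a random operand before escaping) would make the substitution structural; as a minimal guard in the meantime, `if falseWherePayload == forgedPayload: break` keeps a missed substitution from polluting the collected timings. The loop's only exit is `len(kb.responseTimes)` reaching `MIN_TIME_RESPONSES`; whether `Request.queryPage(falseWherePayload, content=True, raise404=False)` appends to `kb.responseTimes` on this call path is not visible here, and if it does not the loop never terminates, so an explicit attempt counter with an upper bound would be safer. The enclosing `bisection` function starts and ends outside the hunk.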