implemented feature request from Ole Rasmussen regarding table name retrieval speedup

lib/core/option.py

@@ -920,6 +920,7 @@ def __setKnowledgeBaseAttributes():
     kb.injParameter   = None
     kb.injPlace       = None
     kb.injType        = None
+    kb.hintValue      = None
 
     # Back-end DBMS underlying operating system fingerprint via banner (-b)
     # parsing

lib/techniques/blind/inference.py

@@ -114,7 +114,31 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 
     queriesCount = [0]    # As list to deal with nested scoping rules
 
+    hintlock  = threading.Lock()
+    def tryHint(idx):
+        hintlock.acquire()
+        hintValue = kb.hintValue
+        hintlock.release()
+        if hintValue and len(hintValue) >= idx:
+            if kb.dbms == "SQLite":
+                posValue = hintValue[idx-1]
+            else:
+                posValue = ord(hintValue[idx-1])
+
+            forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
+            result        = Request.queryPage(urlencode(forgedPayload))
+            if result:
+                return hintValue[idx-1]
+        hintlock.acquire()
+        kb.hintValue = None
+        hintlock.release()
+        return None
+
     def getChar(idx, asciiTbl=asciiTbl):
+        result = tryHint(idx)
+        if result:
+            return result
+
         maxValue = asciiTbl[len(asciiTbl)-1]
         minValue = 0
 

plugins/generic/enumeration.py

@@ -783,6 +783,7 @@ class Enumeration:
                         query = rootQuery["blind"]["query"] % (db, index)
                     table = inject.getValue(query, inband=False)
                     tables.append(table)
+                    kb.hintValue = table
 
                 if tables:
                     kb.data.cachedTables[db] = tables