update regarding time based payloads

lib/controller/checks.py

@@ -14,7 +14,6 @@ import time
 from difflib import SequenceMatcher
 
 from lib.core.agent import agent
-from lib.core.common import average
 from lib.core.common import beep
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import extractRegexResult
@@ -26,7 +25,6 @@ from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.common import removeDynamicContent
 from lib.core.common import showStaticWords
-from lib.core.common import stdev
 from lib.core.common import trimAlphaNum
 from lib.core.common import wasLastRequestDBMSError
 from lib.core.common import DynamicContentItem
@@ -351,12 +349,7 @@ def checkSqlInjection(place, parameter, value):
                         socket.setdefaulttimeout(120)
 
                         # Perform the test's request
-                        _ = Request.queryPage(reqPayload, place, content=True, noteResponseTime=False)
+                        trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True)
-
-                        # 99.9999999997440% of all non time-based sql injection 
-                        # affected durations should be inside +-7*stdev(durations)
-                        # (Reference: http://www.answers.com/topic/standard-deviation)
-                        trueResult = (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))
 
                         if trueResult:
                             infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)

lib/request/connect.py

@@ -17,12 +17,14 @@ import traceback
 
 from lib.contrib import multipartpost
 from lib.core.agent import agent
+from lib.core.common import average
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import extractErrorMessage
 from lib.core.common import getFilteredPageContent
 from lib.core.common import getUnicode
 from lib.core.common import logHTTPTraffic
 from lib.core.common import readInput
+from lib.core.common import stdev
 from lib.core.convert import urlencode
 from lib.core.common import urlEncodeCookieValues
 from lib.core.data import conf
@@ -321,7 +323,7 @@ class Connect:
         return page, responseHeaders
 
     @staticmethod
-    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False, method=None, auxHeaders=None, response=False, raise404 = None, noteResponseTime = True):
+    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False, method=None, auxHeaders=None, response=False, raise404 = None, noteResponseTime = True, timeBasedCompare = False):
         """
         This method calls a function to get the target url page content
         and returns its page MD5 hash or a boolean value in case of
@@ -417,7 +419,12 @@ class Connect:
             if conf.cj:
                 conf.cj.clear()
 
-        if noteResponseTime:
+        if timeBasedCompare:
+            # 99.9999999997440% of all non time-based sql injection
+            # affected durations should be inside +-7*stdev(durations)
+            # (Reference: http://www.answers.com/topic/standard-deviation)
+            return (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))
+        elif noteResponseTime:
             kb.responseTimes.append(kb.lastQueryDuration)
 
         if content or response: