From 293ce18fed15f4d542fa3aa932cb20b8adbb93af Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Tue, 7 Dec 2010 23:32:33 +0000
Subject: [PATCH] two major bug fixes regarding time calculation (previously comparison was also a part of "delta", which screwed results in cases with large pages; other was a standard distribution based one)

---
 lib/controller/checks.py | 9 +++------
 lib/core/option.py | 1 +
 lib/request/connect.py | 5 +++--
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index e630cb924..5a38ecdac 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -350,16 +350,13 @@ def checkSqlInjection(place, parameter, value):
 # time based checks can take awhile
 socket.setdefaulttimeout(120)
- # Perform the test's request and check how long
- # it takes to get the response back
- start = time.time()
+ # Perform the test's request
 _ = Request.queryPage(reqPayload, place, noteResponseTime = False)
- duration = calculateDeltaSeconds(start)
 # 99.9999999997440% of all non time-based sql injection
- # affected durations should be inside 7*stdev(durations)
+ # affected durations should be inside +-7*stdev(durations)
 # (Reference: http://www.answers.com/topic/standard-deviation)
- trueResult = (duration >= 7 * stdev(kb.responseTimes))
+ trueResult = (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))
 if trueResult:
 infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
diff --git a/lib/core/option.py b/lib/core/option.py
index 69d888f65..a865ee11c 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1149,6 +1149,7 @@ def __setKnowledgeBaseAttributes():
 kb.injections = []
 kb.keywords = set(getFileItems(paths.SQL_KEYWORDS))
 kb.lastErrorPage = None
+ kb.lastQueryDuration = 0
 kb.lastRequestUID = 0
 kb.locks = advancedDict()
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 2cc175dd3..1b7402a9d 100644
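Review bot: The new verdict `trueResult = (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))` has no guard on the size or spread of the baseline: with a single recorded response time, or a run of identical ones, `stdev` is 0 (or undefined, depending on the helper, which is not visible here) and any request even marginally slower than the mean is reported as time-based injectable, so ordinary network jitter can produce the positive. I would require a minimum baseline before comparing, `if len(kb.responseTimes) < 2:` keep collecting samples, and floor the band, `threshold = average(kb.responseTimes) + max(7 * stdev(kb.responseTimes), MIN_DELTA)` with a small constant such as half a second, so the decision never rests on a zero-width interval. The 99.9999999997440% figure in the comment holds only for a normal distribution, while response times are typically heavy-tailed; I would soften the comment to `# ... assuming roughly normal baseline jitter; heavy tails make this a lower bound on false positives`. checkSqlInjection begins before this hunk and continues after it.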
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -340,7 +340,6 @@ class Connect:
 uri = None
 raise404 = place != PLACE.URI if raise404 is None else raise404
 toUrlencode = { PLACE.GET: True, PLACE.POST: True, PLACE.COOKIE: conf.cookieUrlencode, PLACE.UA: True, PLACE.URI: False }
- start = time.time()
 if not place:
 place = kb.injection.place
@@ -387,6 +386,7 @@ class Connect:
 if kb.queryCounter % conf.saFreq == 0:
 Connect.getPage(url=conf.safUrl, cookie=cookie, direct=True, silent=True, ua=ua)
+ start = time.time()
 if not content and not response and kb.nullConnection:
 if kb.nullConnection == NULLCONNECTION.HEAD:
 method = HTTPMETHOD.HEAD
@@ -405,6 +405,7 @@ class Connect:
 if not pageLength:
 page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
+ kb.lastQueryDuration = calculateDeltaSeconds(start)
 if conf.textOnly:
 page = getFilteredPageContent(page)
@@ -415,7 +416,7 @@ class Connect:
 conf.cj.clear()
 if noteResponseTime:
- kb.responseTimes.append(calculateDeltaSeconds(start))
+ kb.responseTimes.append(kb.lastQueryDuration)
 if content or response:
 return page, headers
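Review bot: `kb.lastQueryDuration = calculateDeltaSeconds(start)` in the third hunk only executes when `Connect.getPage` returns normally, so a request that raises (a timeout is the expected failure mode for a time-based payload, given the 120 s socket timeout set in checks.py) leaves the attribute holding the previous request's duration, and any caller that catches the exception and then reads `kb.lastQueryDuration` consumes a stale timing; whether such a caller exists is not visible here. Clearing the slot where timing begins, `start = time.time()` followed by `kb.lastQueryDuration = None`, or assigning the duration in a `finally:` around the `getPage` call, would make a missing measurement distinguishable from a real one. The attribute is also a single process-wide slot: if this method can run on several threads at once (the `kb.locks` entry in option.py hints at that), concurrent requests overwrite each other's duration and the comparison in checks.py may read a neighbouring request's time; returning the duration to the caller or keeping it per-thread avoids that. The enclosing method (queryPage, judging by `noteResponseTime` and the call site in checks.py) starts and ends outside these hunks.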