two major bug fixes regarding time calculation (previously comparison was also a part of "delta", which screwed results in cases with large pages; other was a standard distribution based one)

2025-10-31 16:07:55 +03:00 · 2010-12-07 23:32:33 +00:00 · 2010-12-07 23:32:33 +00:00 · 293ce18fed
commit 293ce18fed
parent b21eb88905
3 changed files with 7 additions and 8 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -350,16 +350,13 @@ def checkSqlInjection(place, parameter, value):
                        # time based checks can take awhile
                        socket.setdefaulttimeout(120)

-                        # Perform the test's request and check how long
-                        # it takes to get the response back
-                        start = time.time()
+                        # Perform the test's request
                        _ = Request.queryPage(reqPayload, place, noteResponseTime = False)
-                        duration = calculateDeltaSeconds(start)

                        # 99.9999999997440% of all non time-based sql injection 
-                        # affected durations should be inside 7*stdev(durations)
+                        # affected durations should be inside +-7*stdev(durations)
                        # (Reference: http://www.answers.com/topic/standard-deviation)
-                        trueResult = (duration >= 7 * stdev(kb.responseTimes))
+                        trueResult = (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))

                        if trueResult:
                            infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1149,6 +1149,7 @@ def __setKnowledgeBaseAttributes():
    kb.injections      = []
    kb.keywords        = set(getFileItems(paths.SQL_KEYWORDS))
    kb.lastErrorPage   = None
+    kb.lastQueryDuration = 0
    kb.lastRequestUID  = 0

    kb.locks           = advancedDict()
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -340,7 +340,6 @@ class Connect:
        uri         = None
        raise404    = place != PLACE.URI if raise404 is None else raise404
        toUrlencode = { PLACE.GET: True, PLACE.POST: True, PLACE.COOKIE: conf.cookieUrlencode, PLACE.UA: True, PLACE.URI: False }
-        start       = time.time()

        if not place:
            place = kb.injection.place
@ -387,6 +386,7 @@ class Connect:
            if kb.queryCounter % conf.saFreq == 0:
                Connect.getPage(url=conf.safUrl, cookie=cookie, direct=True, silent=True, ua=ua)

+        start = time.time()
        if not content and not response and kb.nullConnection:
            if kb.nullConnection == NULLCONNECTION.HEAD:
                method = HTTPMETHOD.HEAD
@ -405,6 +405,7 @@ class Connect:

        if not pageLength:
            page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
+        kb.lastQueryDuration = calculateDeltaSeconds(start)

        if conf.textOnly:
            page = getFilteredPageContent(page)
@ -415,7 +416,7 @@ class Connect:
                conf.cj.clear()

        if noteResponseTime:
-            kb.responseTimes.append(calculateDeltaSeconds(start))
+            kb.responseTimes.append(kb.lastQueryDuration)

        if content or response:
            return page, headers