From 35aa785870d3d90c18bcab9626ac3e9b496a569b Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Fri, 15 Feb 2013 16:25:33 +0000
Subject: [PATCH] bug fix to make --predict-output work also with time-based
 technique

---
 lib/techniques/blind/inference.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 705fef6bf..c1207e33a 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -483,7 +483,13 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                     if commonValue is not None:
                         # One-shot query containing equals commonValue
                         testValue = unescaper.escape("'%s'" % commonValue) if "'" not in commonValue else unescaper.escape("%s" % commonValue, quote=False)
-                        query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
+
+                        if timeBasedCompare:
+                            query = kb.injection.data[kb.technique].vector.replace("[RANDNUM]", testValue)
+                            query = agent.prefixQuery(query.replace("[INFERENCE]", "(%s)=%s" % (expressionUnescaped, testValue)))
+                        else:
+                            query = agent.prefixQuery(safeStringFormat("AND (%s)=%s", (expressionUnescaped, testValue)))
+
                         query = agent.suffixQuery(query)
                         result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
                         incrementCounter(kb.technique)
@@ -504,7 +510,13 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                         # Substring-query containing equals commonPattern
                         subquery = queries[Backend.getIdentifiedDbms()].substring.query % (expressionUnescaped, 1, len(commonPattern))
                         testValue = unescaper.escape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.escape("%s" % commonPattern, quote=False)
-                        query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
+
+                        if timeBasedCompare:
+                            query = kb.injection.data[kb.technique].vector.replace("[RANDNUM]", testValue)
+                            query = agent.prefixQuery(query.replace("[INFERENCE]", "(%s)=%s" % (subquery, testValue)))
+                        else:
+                            query = agent.prefixQuery(safeStringFormat("AND (%s)=%s", (subquery, testValue)))
+
                         query = agent.suffixQuery(query)
                         result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
                         incrementCounter(kb.technique)