minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)

2024-11-22 01:26:42 +03:00 · 2011-08-16 06:50:20 +00:00 · 2011-08-16 06:50:20 +00:00 · 7cc5743c5d
commit 7cc5743c5d
parent 600ef3eace
4 changed files with 35 additions and 20 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -586,6 +586,13 @@ fufuh <fufuh@users.sourceforge.net>
 james <james@ev6.net>
    for reporting a bug

+Joe "Pragmatk" <pragmatk@gmail.com>
+    for reporting a few bugs
+
+John Smith <tixos@live.com>
+    for reporting several bugs
+    for suggesting some features
+
 m4l1c3 <malice.anon@gmail.com>
    for reporting considerable amount of bugs

@ -598,26 +605,22 @@ mitchell <mitchell@tufala.net>
 nightman <nightman@email.de>
    for reporting considerable amount of bugs

+Oso Dog osodog123@yahoo.com
+    for reporting a minor bug
+
 pacman730 <pacman730@users.sourceforge.net>
    for reporting a bug

+pentestmonkey <pentestmonkey@pentestmonkey.net>
+    for reporting several bugs
+    for suggesting a few minor enhancements
+
 Phat R. <phatthanaphol@gmail.com>
    for reporting a few bugs

 Phil P <@superevr>
    for suggesting a minor enhancement

-Joe "Pragmatk" <pragmatk@gmail.com>
-    for reporting a few bugs
-
-John Smith <tixos@live.com>
-    for reporting several bugs
-    for suggesting some features
-
-pentestmonkey <pentestmonkey@pentestmonkey.net>
-    for reporting several bugs
-    for suggesting a few minor enhancements
-
 ragos <ragos@joker.ms>
    for reporting a minor bug

--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1432,6 +1432,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.pageTemplates = dict()
    kb.orderByColumns = None
    kb.originalPage = None
+    kb.originalTimeDelay = None

    # Back-end DBMS underlying operating system fingerprint via banner (-b)
    # parsing
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -391,3 +391,6 @@ TRIM_STDOUT_DUMP_SIZE = 1024

 # Step used in ORDER BY technique used for finding the right number of columns in UNION query injections
 ORDER_BY_STEP = 10
+
+# Maximum number of times for revalidation of a character in time-based injections
+MAX_TIME_REVALIDATION_STEPS = 5
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -44,6 +44,7 @@ from lib.core.settings import INFERENCE_UNKNOWN_CHAR
 from lib.core.settings import INFERENCE_GREATER_CHAR
 from lib.core.settings import INFERENCE_EQUALS_CHAR
 from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
+from lib.core.settings import MAX_TIME_REVALIDATION_STEPS
 from lib.core.settings import PYVERSION
 from lib.core.threads import getCurrentThreadData
 from lib.core.threads import runThreads
@ -259,16 +260,23 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                                errMsg = "invalid character detected. retrying.."
                                logger.error(errMsg)

-                                conf.timeSec += 1
-                                warnMsg = "increasing time delay to %d second%s " % (conf.timeSec, 's' if conf.timeSec > 1 else '')
-                                warnMsg += "(due to invalid char)"
-                                logger.warn(warnMsg)
+                                if not kb.originalTimeDelay:
+                                    kb.originalTimeDelay = conf.timeSec

-                                if kb.adjustTimeDelay:
-                                    dbgMsg = "turning off auto-adjustment mechanism"
-                                    logger.debug(dbgMsg)
-                                    kb.adjustTimeDelay = False
-                                return getChar(idx, originalTbl, continuousOrder, expand)
+                                conf.timeSec += 1
+                                if (conf.timeSec - kb.originalTimeDelay) <= MAX_TIME_REVALIDATION_STEPS:
+                                    warnMsg = "increasing time delay to %d second%s " % (conf.timeSec, 's' if conf.timeSec > 1 else '')
+                                    warnMsg += "(due to invalid char)"
+                                    logger.warn(warnMsg)
+
+                                    if kb.adjustTimeDelay:
+                                        dbgMsg = "turning off auto-adjustment mechanism"
+                                        logger.debug(dbgMsg)
+                                        kb.adjustTimeDelay = False
+                                    return getChar(idx, originalTbl, continuousOrder, expand)
+                                else:
+                                    conf.timeSec = kb.originalTimeDelay
+                                    return None
                            else:
                                return decodeIntToUnicode(retVal)
                        else: