sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 05:04:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

Minor bug fix to properly execute --time-test also on MySQL >= 5.0.12

Browse Source
This commit is contained in:
Bernardo Damele 2010-01-05 11:43:16 +00:00
parent 71547a3496
commit 954a927cee
2 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/core/common.py
View File

@ -692,8 +692,8 @@ def parseUnionPage(output, expression, partial=False, condition=None, sort=True)
data = data[0] data = data[0]
return data return data
def getDelayQuery(): def getDelayQuery(andCond=False):
query = None query = None
if kb.dbms in ("MySQL", "PostgreSQL"): if kb.dbms in ("MySQL", "PostgreSQL"):
@ -704,6 +704,10 @@ def getDelayQuery():
if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"): if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"):
query = queries[kb.dbms].timedelay % conf.timeSec query = queries[kb.dbms].timedelay % conf.timeSec
if kb.dbms == "MySQL" and andCond:
query = query.replace("SELECT ", "")
else: else:
query = queries[kb.dbms].timedelay2 % conf.timeSec query = queries[kb.dbms].timedelay2 % conf.timeSec
else: else:

11
lib/techniques/blind/timebased.py
View File

@ -31,12 +31,13 @@ from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
from lib.request import inject from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
def timeTest(): def timeTest():
infoMsg = "testing time based blind sql injection on parameter " infoMsg = "testing time based blind sql injection on parameter "
infoMsg += "'%s' with AND condition syntax" % kb.injParameter infoMsg += "'%s' with AND condition syntax" % kb.injParameter
logger.info(infoMsg) logger.info(infoMsg)
timeQuery = getDelayQuery() timeQuery = getDelayQuery(andCond=True)
query = agent.prefixQuery(" AND %s" % timeQuery) query = agent.prefixQuery(" AND %s" % timeQuery)
query = agent.postfixQuery(query) query = agent.postfixQuery(query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
@ -60,9 +61,10 @@ def timeTest():
infoMsg += "'%s' with stacked query syntax" % kb.injParameter infoMsg += "'%s' with stacked query syntax" % kb.injParameter
logger.info(infoMsg) logger.info(infoMsg)
start = time.time() timeQuery = getDelayQuery(andCond=True)
payload, _ = inject.goStacked(timeQuery) start = time.time()
duration = int(time.time() - start) payload, _ = inject.goStacked(timeQuery)
duration = int(time.time() - start)
if duration >= conf.timeSec: if duration >= conf.timeSec:
infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
@ -78,6 +80,7 @@ def timeTest():
kb.timeTest = False kb.timeTest = False
return kb.timeTest return kb.timeTest
def timeUse(query): def timeUse(query):
start = time.time() start = time.time()
_, _ = inject.goStacked(query) _, _ = inject.goStacked(query)