From a70a647aeb1666e4f742a24f66357d5789979bc3 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 28 May 2012 14:51:23 +0000
Subject: [PATCH] few fixes regarding --dns-domain usage (time-based technique should not be used as a failback because of few things, --time-sec should be put to 0 just in case,...)

---
 lib/request/inject.py | 25 +++++++++++++------------
 lib/techniques/dns/use.py | 8 +++++++-
 2 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/lib/request/inject.py b/lib/request/inject.py
index e5765a102..057f9e61b 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -21,6 +21,7 @@ from lib.core.common import getPublicTypeMembers
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
 from lib.core.common import initTechnique
+from lib.core.common import isNoneValue
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import parseUnionPage
@@ -66,18 +67,19 @@ def __goInference(payload, expression, charsetType=None, firstChar=None, lastCha
 if value is None:
 timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
 
- if (conf.eta or conf.threads > 1) and Backend.getIdentifiedDbms() and not timeBasedCompare:
- _, length, _ = queryOutputLength(expression, payload)
- else:
- length = None
+ if not (timeBasedCompare and kb.dnsTest):
+ if (conf.eta or conf.threads > 1) and Backend.getIdentifiedDbms() and not timeBasedCompare:
+ _, length, _ = queryOutputLength(expression, payload)
+ else:
+ length = None
 
- kb.inferenceMode = True
- count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
- kb.inferenceMode = False
+ kb.inferenceMode = True
+ count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
+ kb.inferenceMode = False
 
- if not kb.bruteMode:
- debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
- logger.debug(debugMsg)
+ if not kb.bruteMode:
+ debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
+ logger.debug(debugMsg)
 
 return value
 
@@ -317,9 +319,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, u
 expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
 
 outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
- returnValue = ", ".join(output for output in outputs)
 
- return returnValue
+ return ", ".join(output for output in outputs) if not isNoneValue(outputs) else None
 
 def __goBooleanProxy(expression):
 """
diff --git a/lib/techniques/dns/use.py b/lib/techniques/dns/use.py
index b8f7c52c4..c95a4a5e6 100644
--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
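Review bot: In __goInferenceProxy the new `return ", ".join(output for output in outputs) if not isNoneValue(outputs) else None` still feeds raw elements to join, so a list that mixes None with strings raises TypeError inside the join instead of returning anything. That mix looks reachable now: __goInference (the hunk above; its def and the rest of its body lie outside the hunk) returns whatever `value` already held — presumably a hashDB cache hit — without running bisection when `timeBasedCompare and kb.dnsTest` holds, so cached fields come back as strings while uncached ones come back as None, and if isNoneValue only reports an all-None list, as its name suggests, the guard does not cover that case. Consider `", ".join(str(output) for output in outputs) if not isNoneValue(outputs) else None` (or dropping the None entries explicitly), and a `logger.debug("skipping time-based inference because DNS exfiltration is available")` on the skipped path in __goInference so the silent None is visible in verbose output.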
@@ -20,6 +20,8 @@ from lib.core.common import extractRegexResult
 from lib.core.common import getSPQLSnippet
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
+from lib.core.common import popValue
+from lib.core.common import pushValue
 from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.common import safecharencode
@@ -70,6 +72,9 @@ def dnsUse(payload, expression):
 expressionRequest = getSPQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dName)
 expressionUnescaped = unescaper.unescape(expressionRequest)
 
+ pushValue(conf.timeSec)
+ conf.timeSec = 0
+
 if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
 comment = queries[Backend.getIdentifiedDbms()].comment.query
 query = agent.prefixQuery("; %s" % expressionUnescaped)
@@ -77,8 +82,9 @@ def dnsUse(payload, expression):
 forgedPayload = agent.payload(newValue=query)
 else:
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
-
+
 Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)
+ conf.timeSec = popValue()
 
 _ = conf.dnsServer.pop(prefix, suffix)
 
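Review bot: `conf.timeSec = popValue()` only runs if `Request.queryPage(...)` returns normally; if the request raises (a connection error, for instance), conf.timeSec stays at 0 for the rest of the session and the value pushed in the previous hunk is never popped, leaving the shared push/pop stack unbalanced for every later caller. Every subsequent time-based payload would then be built with a zero delay, which silently breaks time-based detection after a single failed DNS request. The request should be issued under try/finally so the restore runs on every exit path; dnsUse begins before the first hunk and continues past the last one, so the try must enclose the whole payload-construction block shown here.
```python
    pushValue(conf.timeSec)
    conf.timeSec = 0

    try:
        # … unchanged: forgedPayload construction for MSSQL/PGSQL and the generic branch …
        Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)
    finally:
        # restore even when the request raises, so --time-sec and the push/pop stack stay consistent
        conf.timeSec = popValue()
```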