From ecd4a5a5325cc5758711aa4fb46f6bdcd769d0e9 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Tue, 7 Dec 2010 16:39:31 +0000 Subject: [PATCH] added standard deviation check in time based tests --- lib/controller/checks.py | 53 +++++++++++++++++++++++++--------------- lib/core/common.py | 13 ++++++++++ lib/core/option.py | 1 + lib/core/settings.py | 1 + 4 files changed, 48 insertions(+), 20 deletions(-) diff --git a/lib/controller/checks.py b/lib/controller/checks.py index e5babab32..4d84ff719 100644 --- a/lib/controller/checks.py +++ b/lib/controller/checks.py @@ -26,6 +26,7 @@ from lib.core.common import randomStr from lib.core.common import readInput from lib.core.common import removeDynamicContent from lib.core.common import showStaticWords +from lib.core.common import stdev from lib.core.common import trimAlphaNum from lib.core.common import wasLastRequestDBMSError from lib.core.common import DynamicContentItem @@ -47,6 +48,7 @@ from lib.core.exception import sqlmapUserQuitException from lib.core.session import setString from lib.core.session import setRegexp from lib.core.settings import MIN_DURATION_RATIO +from lib.core.settings import MAX_TIME_STDEV from lib.core.settings import TIME_TOLERANCE from lib.request.connect import Connect as Request from lib.request.templates import getPageTemplate @@ -343,31 +345,42 @@ def checkSqlInjection(place, parameter, value): # In case of time-based blind or stacked queries # SQL injections - elif method == PAYLOAD.METHOD.TIME: - # Store old value of socket timeout - pushValue(socket.getdefaulttimeout()) + elif method == PAYLOAD.METHOD.TIME and kb.timeTests: + if stdev(kb.responseTimes) > MAX_TIME_STDEV: + # the standard deviation tells us how far from the mean + # the data points tend to be. It will have the same units + # as the data points themselves + warnMsg = "loading time(s) of the target url is too " + warnMsg += "chaotic. skipping further time-based tests." + logger.critical(warnMsg) - # Set socket timeout to 2 minutes as some - # time based checks can take awhile - socket.setdefaulttimeout(120) + kb.timeTests = False + else: + # Store old value of socket timeout + pushValue(socket.getdefaulttimeout()) - # Perform the test's request and check how long - # it takes to get the response back - start = time.time() - _ = Request.queryPage(reqPayload, place, noteResponseTime = False) - duration = calculateDeltaSeconds(start) - - trueResult = (check.isdigit() and abs(duration - int(check) - average(kb.responseTimes)) < TIME_TOLERANCE)\ - or (check == "[DELAYED]" and duration >= MIN_DURATION_RATIO * max(kb.responseTimes)) + # Set socket timeout to 2 minutes as some + # time based checks can take awhile + socket.setdefaulttimeout(120) - if trueResult: - infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) - logger.info(infoMsg) + # Perform the test's request and check how long + # it takes to get the response back + start = time.time() + _ = Request.queryPage(reqPayload, place, noteResponseTime = False) + duration = calculateDeltaSeconds(start) + + trueResult = duration > max(kb.responseTimes) and ((check.isdigit()\ + and abs(duration - int(check) - average(kb.responseTimes)) < TIME_TOLERANCE)\ + or (check == "[DELAYED]" and duration >= MIN_DURATION_RATIO * max(kb.responseTimes))) - injectable = True + if trueResult: + infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) + logger.info(infoMsg) - # Restore value of socket timeout - socket.setdefaulttimeout(popValue()) + injectable = True + + # Restore value of socket timeout + socket.setdefaulttimeout(popValue()) # If the injection test was successful feed the injection # object with the test's details diff --git a/lib/core/common.py b/lib/core/common.py index f78030b75..35d97016a 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -27,6 +27,7 @@ from ConfigParser import RawConfigParser from StringIO import StringIO from difflib import SequenceMatcher from inspect import getmembers +from math import sqrt from subprocess import PIPE from subprocess import Popen as execute from tempfile import NamedTemporaryFile @@ -1276,6 +1277,18 @@ def readXmlFile(xmlFile): xfile.close() return retVal +def stdev(values): + """ + Computes standard deviation of a list of numbers. + """ + sum = 0.0 + avg = average(values) + + for value in values: + sum += pow(value - avg, 2) + + return sqrt(sum/len(values)) + def average(values): """ Computes the arithmetic mean of a list of numbers. diff --git a/lib/core/option.py b/lib/core/option.py index 69d888f65..92eed55e3 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -1182,6 +1182,7 @@ def __setKnowledgeBaseAttributes(): kb.technique = None kb.testMode = False kb.testQueryCount = 0 + kb.timeTests = True kb.unionComment = "" kb.unionCount = None kb.unionPosition = None diff --git a/lib/core/settings.py b/lib/core/settings.py index b4dedbfdb..3510b211b 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -51,6 +51,7 @@ PAYLOAD_DELIMITER = "\x00" # time testing settings TIME_TOLERANCE = 0.5 MIN_DURATION_RATIO = 1.5 +MAX_TIME_STDEV = 1 # System variables IS_WIN = subprocess.mswindows