PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-06 20:51:31 +00:00
Code Issues Projects Releases Wiki Activity

it's a must to double check time based payloads

Browse Source
This commit is contained in:
Miroslav Stampar
2010-12-07 14:59:11 +00:00
parent e53fef546e
commit 4959da3ce6
1 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
lib/controller/checks.py
View File

@@ -355,17 +355,20 @@ def checkSqlInjection(place, parameter, value):
_ = Request.queryPage(reqPayload, place) _ = Request.queryPage(reqPayload, place)
duration = calculateDeltaSeconds(start) duration = calculateDeltaSeconds(start)
# Threat sleep and delayed (heavy query) differently trueResult = (check.isdigit() and duration >= int(check)) or (check == "[DELAYED]" and duration >= max(TIME_MIN_DELTA, kb.responseTime))
if check.isdigit() and duration >= int(check):
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True if trueResult:
elif check == "[DELAYED]" and duration >= max(TIME_MIN_DELTA, kb.responseTime): start = time.time()
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) _ = Request.queryPage(reqPayload, place)
logger.info(infoMsg) duration = calculateDeltaSeconds(start)
injectable = True trueResult = (check.isdigit() and duration >= int(check)) or (check == "[DELAYED]" and duration >= max(TIME_MIN_DELTA, kb.responseTime))
if trueResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# Restore value of socket timeout # Restore value of socket timeout
socket.setdefaulttimeout(popValue()) socket.setdefaulttimeout(popValue())