Removed --error-test, --stacked-test and --time-test switches and adapted the code accordingly. This is due to the fact that the new XML based detection engine already supports all of those tests (and more).

2025-12-10 07:31:36 +00:00 · 2010-11-29 11:47:58 +00:00
parent e8c6c01e27
commit c22338ce90
12 changed files with 1 additions and 234 deletions
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -18,61 +18,6 @@ from lib.core.data import logger
 from lib.request import inject
 from lib.request.connect import Connect as Request

-def timeTest():
-    if kb.timeTest is not None:
-        return kb.timeTest
-
-    infoMsg  = "testing time-based blind sql injection on parameter "
-    infoMsg += "'%s' with %s condition syntax" % (kb.injection.parameter, conf.logic)
-    logger.info(infoMsg)
-
-    timeQuery = getDelayQuery(andCond=True)
-    query     = agent.prefixQuery("AND %s" % timeQuery)
-    query     = agent.suffixQuery(query)
-    payload   = agent.payload(newValue=query)
-    start     = time.time()
-    _         = Request.queryPage(payload)
-    duration  = calculateDeltaSeconds(start)
-
-    if duration >= conf.timeSec:
-        infoMsg  = "the target url is affected by a time-based blind "
-        infoMsg += "sql injection with AND condition syntax on parameter "
-        infoMsg += "'%s'" % kb.injection.parameter
-        logger.info(infoMsg)
-
-        kb.timeTest = agent.removePayloadDelimiters(payload, False)
-    else:
-        warnMsg  = "the target url is not affected by a time-based blind "
-        warnMsg += "sql injection with AND condition syntax on parameter "
-        warnMsg += "'%s'" % kb.injection.parameter
-        logger.warn(warnMsg)
-
-        infoMsg  = "testing time-based blind sql injection on parameter "
-        infoMsg += "'%s' with stacked queries syntax" % kb.injection.parameter
-        logger.info(infoMsg)
-
-        timeQuery  = getDelayQuery(andCond=True)
-        start      = time.time()
-        payload, _ = inject.goStacked(timeQuery)
-        duration   = calculateDeltaSeconds(start)
-
-        if duration >= conf.timeSec:
-            infoMsg  = "the target url is affected by a time-based blind sql "
-            infoMsg += "injection with stacked queries syntax on parameter "
-            infoMsg += "'%s'" % kb.injection.parameter
-            logger.info(infoMsg)
-
-            kb.timeTest = agent.removePayloadDelimiters(payload, False)
-        else:
-            warnMsg  = "the target url is not affected by a time-based blind "
-            warnMsg += "sql injection with stacked queries syntax on parameter "
-            warnMsg += "'%s'" % kb.injection.parameter
-            logger.warn(warnMsg)
-
-            kb.timeTest = False
-
-    return kb.timeTest
-
 def timeUse(query):
    start      = time.time()
    _, _       = inject.goStacked(query)