added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)

2025-12-10 09:49:06 +00:00 · 2010-05-13 11:05:35 +00:00
parent 762781e94d
commit ca3e12ae73
6 changed files with 16 additions and 8 deletions
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -25,6 +25,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 import time

 from lib.core.agent import agent
+from lib.core.common import calculateDeltaSeconds
 from lib.core.common import getDelayQuery
 from lib.core.data import conf
 from lib.core.data import kb
@@ -43,7 +44,7 @@ def timeTest():
    payload   = agent.payload(newValue=query)
    start     = time.time()
    _         = Request.queryPage(payload)
-    duration  = int(time.time() - start)
+    duration  = calculateDeltaSeconds(start)

    if duration >= conf.timeSec:
        infoMsg  = "the parameter '%s' is affected by a time " % kb.injParameter
@@ -64,7 +65,7 @@ def timeTest():
        timeQuery  = getDelayQuery(andCond=True)
        start      = time.time()
        payload, _ = inject.goStacked(timeQuery)
-        duration   = int(time.time() - start)
+        duration   = calculateDeltaSeconds(start)

        if duration >= conf.timeSec:
            infoMsg  = "the parameter '%s' is affected by a time " % kb.injParameter
@@ -84,6 +85,6 @@ def timeTest():
 def timeUse(query):
    start      = time.time()
    _, _       = inject.goStacked(query)
-    duration   = int(time.time() - start)
+    duration   = calculateDeltaSeconds(start)

    return duration
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -26,6 +26,7 @@ import re
 import time

 from lib.core.agent import agent
+from lib.core.common import calculateDeltaSeconds
 from lib.core.common import parseUnionPage
 from lib.core.data import conf
 from lib.core.data import kb
@@ -228,7 +229,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
        endPosition = resultPage.rindex(temp.stop) + len(temp.stop)
        value = str(resultPage[startPosition:endPosition])

-        duration = int(time.time() - start)
+        duration = calculateDeltaSeconds(start)

        debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
        logger.debug(debugMsg)
--- a/lib/techniques/outband/stacked.py
+++ b/lib/techniques/outband/stacked.py
@@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

 import time

+from lib.core.common import calculateDeltaSeconds
 from lib.core.common import getDelayQuery
 from lib.core.data import conf
 from lib.core.data import kb
@@ -45,7 +46,7 @@ def stackedTest():
    query      = getDelayQuery()
    start      = time.time()
    payload, _ = inject.goStacked(query)
-    duration   = int(time.time() - start)
+    duration   = calculateDeltaSeconds(start)

    if duration >= conf.timeSec:
        infoMsg  = "the web application supports stacked queries "