Introducing extra validation property in case of time-based SQLi (HTTP code) - Issue #1973

stamparm · stamparm · commit 09617c824348 · 2016-09-27T10:20:36.000+02:00
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
@@ -156,6 +156,7 @@ def checkSqlInjection(place, parameter, value):
             kb.testType = stype = test.stype
             clause = test.clause
             unionExtended = False
+            trueCode = None
 
             if stype == PAYLOAD.TECHNIQUE.UNION:
                 configUnion(test.request.char)
@@ -556,6 +557,7 @@ def genCmpPayload():
                         elif method == PAYLOAD.METHOD.TIME:
                             # Perform the test's request
                             trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
+                            trueCode = threadData.lastCode
 
                             if trueResult:
                                 # Confirm test's results
@@ -668,6 +670,7 @@ def genCmpPayload():
                         injection.data[stype].comment = comment
                         injection.data[stype].templatePayload = templatePayload
                         injection.data[stype].matchRatio = kb.matchRatio
+                        injection.data[stype].trueCode = trueCode
 
                         injection.conf.textOnly = conf.textOnly
                         injection.conf.titles = conf.titles
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from lib.core.revision import getRevisionNumber
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.9.35"
+VERSION = "1.0.9.36"
 REVISION = getRevisionNumber()
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
@@ -546,7 +546,7 @@
 HASHDB_END_TRANSACTION_RETRIES = 3
 
 # Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
-HASHDB_MILESTONE_VALUE = "baFJusZrel"  # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'
+HASHDB_MILESTONE_VALUE = "QWdDkLzhxH"  # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'
 
 # Warn user of possible delay due to large page dump in full UNION query injections
 LARGE_OUTPUT_THRESHOLD = 1024 ** 2
diff --git a/lib/core/threads.py b/lib/core/threads.py
@@ -42,6 +42,7 @@ def reset(self):
         self.disableStdOut = False
         self.hashDBCursor = None
         self.inTransaction = False
+        self.lastCode = None
         self.lastComparisonPage = None
         self.lastComparisonHeaders = None
         self.lastComparisonCode = None
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -1140,6 +1140,7 @@ def _randomizeParameter(paramString, randomParameter):
 
         threadData.lastQueryDuration = calculateDeltaSeconds(start)
         threadData.lastPage = page
+        threadData.lastCode = code
 
         kb.originalCode = kb.originalCode or code
 
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
@@ -210,10 +210,17 @@ def validateChar(idx, value):
                 unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))
                 forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
 
-            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
+            result = not Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
+
+            if result and timeBasedCompare:
+                result = threadData.lastCode == kb.injection.data[kb.technique].trueCode
+                if not result:
+                    warnMsg = "detected HTTP code '%d' in validation phase is differing from expected '%d'" % (threadData.lastCode, kb.injection.data[kb.technique].trueCode)
+                    singleTimeWarnMessage(warnMsg)
+
             incrementCounter(kb.technique)
 
-            return not result
+            return result
 
         def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None, shiftTable=None, retried=None):
             """
diff --git a/txt/checksum.md5 b/txt/checksum.md5
@@ -20,7 +20,7 @@ b46521e29ea3d813bab5aeb16cac6498  extra/shutils/duplicates.py
 cc9c82cfffd8ee9b25ba3af6284f057e  extra/sqlharvest/__init__.py
 4f2f817596540d82f9fcc0c5b2228beb  extra/sqlharvest/sqlharvest.py
 2daa39e4d59526acb4772b6c47eb315f  lib/controller/action.py
-0b7074043c7ea07002e0ab4803811c9f  lib/controller/checks.py
+af33b6f729a33235d0230e7b9af6b9cb  lib/controller/checks.py
 7c5ba631796f12d6de9b667e4cc7812b  lib/controller/controller.py
 0a64305c3b3a01a2fc3a5e6204f442f1  lib/controller/handler.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/controller/__init__.py
@@ -45,12 +45,12 @@ e60456db5380840a586654344003d4e6  lib/core/readlineng.py
 5ef56abb8671c2ca6ceecb208258e360  lib/core/replication.py
 99a2b496b9d5b546b335653ca801153f  lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e  lib/core/session.py
-434f63a6f4943d675125459d54616653  lib/core/settings.py
+c007f8f0c5f3d8f7b801f33d0ec58448  lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80  lib/core/shell.py
 23657cd7d924e3c6d225719865855827  lib/core/subprocessng.py
 0bc2fae1dec18cdd11954b22358293f2  lib/core/target.py
 d43f059747ffd48952922c94152e2a07  lib/core/testing.py
-424a6cf9bdfaf7182657ed7929d7df5a  lib/core/threads.py
+7ec80da7d7fa8ceaf2ff606cfa578c15  lib/core/threads.py
 53c15b78e0288274f52410db25406432  lib/core/unescaper.py
 6bdc53e2ca152ff8cd35ad671e48a96b  lib/core/update.py
 8485a3cd94c0a5af2718bad60c5f1ae5  lib/core/wordlist.py
@@ -68,7 +68,7 @@ b40a4c5d91770d347df36d3065b63798  lib/parse/sitemap.py
 9299f21804033f099681525bb9bf51c0  lib/request/basicauthhandler.py
 ca9879ea9277810c5fce0f0d8d2f8e03  lib/request/basic.py
 c48285682a61d49982cb508351013cb4  lib/request/comparison.py
-20fe3d96ae45cf46d19504415cebd819  lib/request/connect.py
+29148e4412209526b18acbd8a942fe03  lib/request/connect.py
 49b4c583af68689de5f9acb162de2939  lib/request/direct.py
 1a46f7bb26b23ec0c0d9d9c95828241b  lib/request/dns.py
 70ceefe39980611494d4f99afb96f652  lib/request/httpshandler.py
@@ -87,7 +87,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e  lib/takeover/__init__.py
 7d6cd7bdfc8f4bc4e8aed60c84cdf87f  lib/takeover/udf.py
 f6e3084abd506925a8be3d1c0a6d058c  lib/takeover/web.py
 9af83a62de360184f1c14e69b8a95cfe  lib/takeover/xp_cmdshell.py
-03b8c2028e996c471e45308fa518d79a  lib/techniques/blind/inference.py
+004c45c172d549e098a5fd5285a54cb3  lib/techniques/blind/inference.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/techniques/blind/__init__.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/techniques/brute/__init__.py
 d36effffe64e63ef9b3be490f850e2cc  lib/techniques/brute/use.py
