Potential patch for #1636

stamparm · stamparm · commit 0f8a551227b7 · 2016-01-09T00:55:01.000+01:00
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
@@ -5,6 +5,7 @@
 See the file 'doc/COPYING' for copying permission
 """
 
+import re
 import threading
 import time
 
@@ -25,6 +26,7 @@
 from lib.core.common import hashDBRetrieve
 from lib.core.common import hashDBWrite
 from lib.core.common import incrementCounter
+from lib.core.common import randomInt
 from lib.core.common import safeStringFormat
 from lib.core.common import singleTimeWarnMessage
 from lib.core.data import conf
@@ -42,6 +44,7 @@
 from lib.core.settings import INFERENCE_GREATER_CHAR
 from lib.core.settings import INFERENCE_EQUALS_CHAR
 from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
+from lib.core.settings import MIN_TIME_RESPONSES
 from lib.core.settings import MAX_BISECTION_LENGTH
 from lib.core.settings import MAX_TIME_REVALIDATION_STEPS
 from lib.core.settings import PARTIAL_HEX_VALUE_MARKER
@@ -267,6 +270,21 @@ def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None,
                     unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(posValue))
                     forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
 
+                if timeBasedCompare and kb.whereCollectTimes:
+                    kb.responseTimes = []
+
+                    warnMsg = "\n[%s] [WARNING] time-based comparison requires " % time.strftime("%X")
+                    warnMsg += "larger statistical model, please wait"
+                    dataToStdout(warnMsg)
+
+                    while len(kb.responseTimes) < MIN_TIME_RESPONSES:
+                        falseWherePayload = re.sub(r"\b%s\b" % posValue, str(randomInt(6)), forgedPayload)
+                        Request.queryPage(falseWherePayload, content=True, raise404=False)
+                        dataToStdout('.')
+
+                    dataToStdout("\n")
+                    kb.whereCollectTimes = False
+
                 result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
                 incrementCounter(kb.technique)
 
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
@@ -237,7 +237,7 @@ def dumpTable(self, foundData=None):
                     query = whereQuery(query)
 
                     if conf.dumpWhere:
-                        kb.whereResponseTimes = True
+                        kb.whereCollectTimes = True
                         pushValue(kb.responseTimes)
 
                     count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
@@ -330,7 +330,7 @@ def dumpTable(self, foundData=None):
 
                     if conf.dumpWhere:
                         kb.responseTimes = popValue()
-                        kb.whereResponseTimes = False
+                        kb.whereCollectTimes = False
 
                     for column, columnEntries in entries.items():
                         length = max(lengths[column], len(column))
