update regarding time based payloads

stamparm · stamparm · commit 1ae2fa7f1a65 · 2010-12-08T11:26:54.000Z
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
@@ -14,7 +14,6 @@
 from difflib import SequenceMatcher
 
 from lib.core.agent import agent
-from lib.core.common import average
 from lib.core.common import beep
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import extractRegexResult
@@ -26,7 +25,6 @@
 from lib.core.common import readInput
 from lib.core.common import removeDynamicContent
 from lib.core.common import showStaticWords
-from lib.core.common import stdev
 from lib.core.common import trimAlphaNum
 from lib.core.common import wasLastRequestDBMSError
 from lib.core.common import DynamicContentItem
@@ -351,12 +349,7 @@ def checkSqlInjection(place, parameter, value):
                         socket.setdefaulttimeout(120)
 
                         # Perform the test's request
-                        _ = Request.queryPage(reqPayload, place, content=True, noteResponseTime=False)
-
-                        # 99.9999999997440% of all non time-based sql injection 
-                        # affected durations should be inside +-7*stdev(durations)
-                        # (Reference: http://www.answers.com/topic/standard-deviation)
-                        trueResult = (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))
+                        trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True)
 
                         if trueResult:
                             infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -17,12 +17,14 @@
 
 from lib.contrib import multipartpost
 from lib.core.agent import agent
+from lib.core.common import average
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import extractErrorMessage
 from lib.core.common import getFilteredPageContent
 from lib.core.common import getUnicode
 from lib.core.common import logHTTPTraffic
 from lib.core.common import readInput
+from lib.core.common import stdev
 from lib.core.convert import urlencode
 from lib.core.common import urlEncodeCookieValues
 from lib.core.data import conf
@@ -321,7 +323,7 @@ def getPage(**kwargs):
         return page, responseHeaders
 
     @staticmethod
-    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False, method=None, auxHeaders=None, response=False, raise404 = None, noteResponseTime = True):
+    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False, method=None, auxHeaders=None, response=False, raise404 = None, noteResponseTime = True, timeBasedCompare = False):
         """
         This method calls a function to get the target url page content
         and returns its page MD5 hash or a boolean value in case of
@@ -417,7 +419,12 @@ def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent
             if conf.cj:
                 conf.cj.clear()
 
-        if noteResponseTime:
+        if timeBasedCompare:
+            # 99.9999999997440% of all non time-based sql injection
+            # affected durations should be inside +-7*stdev(durations)
+            # (Reference: http://www.answers.com/topic/standard-deviation)
+            return (kb.lastQueryDuration >= average(kb.responseTimes) + 7 * stdev(kb.responseTimes))
+        elif noteResponseTime:
             kb.responseTimes.append(kb.lastQueryDuration)
 
         if content or response:
