@@ -483,7 +483,13 @@ def blindThread():
483483 if commonValue is not None :
484484 # One-shot query containing equals commonValue
485485 testValue = unescaper .escape ("'%s'" % commonValue ) if "'" not in commonValue else unescaper .escape ("%s" % commonValue , quote = False )
486- query = agent .prefixQuery (safeStringFormat ("AND (%s) = %s" , (expressionUnescaped , testValue )))
486+
487+ if timeBasedCompare :
488+ query = kb .injection .data [kb .technique ].vector .replace ("[RANDNUM]" , testValue )
489+ query = agent .prefixQuery (query .replace ("[INFERENCE]" , "(%s)=%s" % (expressionUnescaped , testValue )))
490+ else :
491+ query = agent .prefixQuery (safeStringFormat ("AND (%s)=%s" , (expressionUnescaped , testValue )))
492+
487493 query = agent .suffixQuery (query )
488494 result = Request .queryPage (agent .payload (newValue = query ), timeBasedCompare = timeBasedCompare , raise404 = False )
489495 incrementCounter (kb .technique )
@@ -504,7 +510,13 @@ def blindThread():
504510 # Substring-query containing equals commonPattern
505511 subquery = queries [Backend .getIdentifiedDbms ()].substring .query % (expressionUnescaped , 1 , len (commonPattern ))
506512 testValue = unescaper .escape ("'%s'" % commonPattern ) if "'" not in commonPattern else unescaper .escape ("%s" % commonPattern , quote = False )
507- query = agent .prefixQuery (safeStringFormat ("AND (%s) = %s" , (subquery , testValue )))
513+
514+ if timeBasedCompare :
515+ query = kb .injection .data [kb .technique ].vector .replace ("[RANDNUM]" , testValue )
516+ query = agent .prefixQuery (query .replace ("[INFERENCE]" , "(%s)=%s" % (subquery , testValue )))
517+ else :
518+ query = agent .prefixQuery (safeStringFormat ("AND (%s)=%s" , (subquery , testValue )))
519+
508520 query = agent .suffixQuery (query )
509521 result = Request .queryPage (agent .payload (newValue = query ), timeBasedCompare = timeBasedCompare , raise404 = False )
510522 incrementCounter (kb .technique )
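Review bot: The time-based branch added at new lines 487-489 is repeated verbatim at 514-516 with only the left operand changed (`expressionUnescaped` vs `subquery`), so a small local helper taking the operand and `testValue` would keep the two paths from drifting apart. In both places `.replace("[RANDNUM]", testValue)` puts an escaped string value into a placeholder whose name suggests a number, and nothing in the hunk says why; a comment such as `# time-based vector: [RANDNUM] carries the compared value, [INFERENCE] the equality test` (wording to be confirmed by the author) would make the intent checkable. Because the two `.replace()` calls are chained, marker text that happens to appear inside `testValue` would be rewritten by the second call, so it is worth stating whether common values can contain `[INFERENCE]`. The body of `blindThread` starts and ends outside both hunks, so how `timeBasedCompare` and `kb.technique` are set is not visible here.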