sqlmap source code analysis: time-based blind SQL injection (Python)
Time-based blind
When testing whether an application is vulnerable to SQL injection, it is often difficult to confirm a suspected injection point. There can be several reasons for this, but the most common one is that the web application displays no database errors and returns no data from the injected query, so there is nothing in the response content to compare.
In that situation it helps to inject a time delay into the database query and check whether the server's response is delayed accordingly. Time delays are a powerful technique: a web server can hide errors and data, but it still has to wait for the database to return a result before it can respond, so the delay leaks through and can be used to confirm that SQL injection exists. This makes the technique especially suitable for blind injection.
Source code explanation
Code location: the checkSqlInjection function (around line 444 of lib/controller/checks.py).
This is where the time-based blind test is run against the target URL. The code is as follows:
    # In case of time-based blind or stacked queries
    # SQL injection
    elif method == PAYLOAD.METHOD.TIME:
        # Perform the test's request
        trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

        if trueResult:
            # Confirm test's results
            trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

            if trueResult:
                infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
                logger.info(infoMsg)
                injectable = True
Note the Request.queryPage call, which passes timeBasedCompare=True. Inside Request.queryPage that parameter selects the following branch:
    if timeBasedCompare:
        return wasLastRequestDelayed()
The wasLastRequestDelayed() function decides whether the last request showed a significant delay. It does not simply compare against the average: it builds a statistical model from the response times of all previous (non-time-based) requests and treats the last request as delayed only if its duration is at least the mean plus TIME_STDEV_COEFF (7) standard deviations of that model. When no usable standard deviation is available (for example, too few samples or all identical timings), it falls back to checking whether the last request took at least conf.timeSec seconds (the --time-sec value).
The code of the wasLastRequestDelayed function is as follows:
    def wasLastRequestDelayed():
        """
        Returns True if the last web request resulted in a time-delay
        """

        # 99.9999999997440% of all non time-based sql injection affected
        # response times should be inside +-7*stdev([normal response times])
        # Math reference: http://www.answers.com/topic/standard-deviation

        deviation = stdev(kb.responseTimes)
        threadData = getCurrentThreadData()

        if deviation:
            if len(kb.responseTimes) < MIN_TIME_RESPONSES:
                warnMsg = "time-based standard deviation method used on a model "
                warnMsg += "with less than %d response times" % MIN_TIME_RESPONSES
                logger.warn(warnMsg)

            lowerStdLimit = average(kb.responseTimes) + TIME_STDEV_COEFF * deviation
            retVal = (threadData.lastQueryDuration >= lowerStdLimit)

            if not kb.testMode and retVal and conf.timeSec == TIME_DEFAULT_DELAY:
                adjustTimeDelay(threadData.lastQueryDuration, lowerStdLimit)

            return retVal
        else:
            return (threadData.lastQueryDuration - conf.timeSec) >= 0
Each time an HTTP request completes, its response time is appended to the kb.responseTimes list, except for requests made by the time-based blind test itself, which are excluded.
Why?
The following code shows why: when timeBasedCompare is True (that is, during time-based blind detection), queryPage returns the result of wasLastRequestDelayed() immediately and never reaches the branch that records the duration. Only other requests add their response time to the model. This keeps deliberately delayed responses out of the baseline; otherwise each successful delay would raise the mean and standard deviation and make later delays harder to detect.
    if timeBasedCompare:
        return wasLastRequestDelayed()
    elif noteResponseTime:
        kb.responseTimes.append(threadData.lastQueryDuration)
In addition, to reduce false positives caused by random latency spikes, sqlmap sends the time-based payload twice (the two queryPage calls in checkSqlInjection).
Only if both requests are judged delayed is the parameter reported as injectable, and injectable is set to True.
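The decision logic described above, re-implemented as an added example so the threshold can be tried on constructed timings. This is not sqlmap's own code: the class and function names (TimingModel, time_based_test) are mine, the baseline timings are constructed, and the values of MIN_TIME_RESPONSES and TIME_DEFAULT_DELAY are assumptions about sqlmap's defaults (only the 7*stdev coefficient is shown on this page). The sample standard deviation is used, which is what sqlmap's own stdev() helper computes; adjustTimeDelay is left out.

```python
import statistics

# 7 matches the "+-7*stdev" comment in the sqlmap excerpt above. The other two
# are assumed defaults from sqlmap's settings.py, not values shown on this page.
TIME_STDEV_COEFF = 7
MIN_TIME_RESPONSES = 30
TIME_DEFAULT_DELAY = 5  # seconds; the default of --time-sec


class TimingModel:
    """Baseline of 'normal' response times (the role of kb.responseTimes)."""

    def __init__(self, time_sec=TIME_DEFAULT_DELAY):
        self.response_times = []   # only non-time-based requests are recorded here
        self.time_sec = time_sec
        self.warnings = []

    def note(self, duration):
        """Equivalent of the noteResponseTime branch: add one baseline sample."""
        self.response_times.append(duration)

    def threshold(self):
        """mean + TIME_STDEV_COEFF * sample stdev, or None if there is no usable spread."""
        if len(self.response_times) < 2:
            return None
        deviation = statistics.stdev(self.response_times)
        if not deviation:
            return None
        return statistics.fmean(self.response_times) + TIME_STDEV_COEFF * deviation

    def was_delayed(self, last_duration):
        """Mirror of wasLastRequestDelayed() for a request that took last_duration seconds."""
        limit = self.threshold()
        if limit is None:
            # No standard deviation to work with: fall back to the raw --time-sec check.
            return last_duration - self.time_sec >= 0
        if len(self.response_times) < MIN_TIME_RESPONSES:
            self.warnings.append("model built from fewer than %d response times" % MIN_TIME_RESPONSES)
        return last_duration >= limit


def build_model(samples, time_sec=TIME_DEFAULT_DELAY):
    """Build a TimingModel from a list of baseline durations (seconds)."""
    model = TimingModel(time_sec)
    for duration in samples:
        model.note(duration)
    return model


def time_based_test(model, send):
    """The double check from checkSqlInjection: `send` performs one request with the
    delay payload and returns its duration. Both requests must look delayed."""
    if not model.was_delayed(send()):
        return False
    return model.was_delayed(send())


# Constructed baseline: 30 ordinary responses of 0.20 .. 0.24 s (six of each value),
# so the mean is 0.22 s and the sample stdev is about 0.0144 s.
BASELINE = [0.20 + 0.01 * ((i * 7) % 5) for i in range(30)]


def demo():
    """Run the rule on constructed data; returns the decisions for inspection."""
    model = build_model(BASELINE)
    flaky = iter([5.3, 0.21]).__next__   # first request slow by chance, second not
    real = iter([5.3, 5.4]).__next__     # genuine SLEEP(5)-style delay both times
    return {
        "threshold": model.threshold(),
        "ordinary_0.25s": model.was_delayed(0.25),
        "delayed_5.2s": model.was_delayed(5.2),
        "flaky_confirmed": time_based_test(model, flaky),
        "real_confirmed": time_based_test(model, real),
        "empty_model_5.0s": TimingModel().was_delayed(5.0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the constructed baseline the threshold is roughly 0.32 s, so a 5 s delay is unmistakable, while an uninjected 0.25 s response stays well below it. The two-request confirmation is what saves the flaky case: one random slow response is rejected because the second request is not delayed. On a noisy target with a large standard deviation the threshold rises accordingly, which is why sqlmap's real code calls adjustTimeDelay to lengthen the injected delay when the default --time-sec turns out to be too close to the baseline.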
Author: Former Civil Engineer
Please credit the source when reprinting: http://www.cnblogs.com/hongfei/p/sqlmap-time-based-blind.html