sqlmap source notes: time-based blind injection

Time-based blind injection

When testing an application for SQL injection, a potential vulnerability is often hard to confirm. There can be many reasons for this, but the main one is that the web application displays no errors and returns no data, so nothing can be retrieved through the injection point.

In this case it helps to confirm the vulnerability by injecting a time delay into the database query and checking whether the server's response is delayed. The time delay is a powerful technique: the web server can hide errors and data, but it still has to wait for the database to return its result, so a measurable delay confirms that SQL injection is taking place. The technique is particularly suited to blind injection.

Source interpretation

Code location: the checkSqlInjection function in lib/controller/checks.py, around line 444.

The time-based blind test of the target URL is performed by the following code:

```python
# In case of time-based blind or stacked queries
# SQL injections
elif method == PAYLOAD.METHOD.TIME:
    # Perform the test's request
    trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

    if trueResult:
        # Confirm test's results
        trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

        if trueResult:
            infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
            logger.info(infoMsg)

            injectable = True
```

Of interest here is the Request.queryPage call, which sets the parameter timeBasedCompare to True. Inside Request.queryPage there is this piece of code:

```python
if timeBasedCompare:
    return wasLastRequestDelayed()
```

The wasLastRequestDelayed() function determines whether the last request showed a significant delay. It compares the response time of the last request with the response times of all previous (non time-based) requests; if the last request took significantly longer than their average (in the code below, more than TIME_STDEV_COEFF standard deviations above it), a delay is indicated.

The code of wasLastRequestDelayed is as follows (stdev, average, adjustTimeDelay, kb, conf, logger and the constants are sqlmap's own helpers from lib/core):

```python
def wasLastRequestDelayed():
    """
    Returns True if the last web request resulted in a time-delay
    """

    # 99.9999999997440% of all non time-based SQL injection affected
    # response times should be inside +-7*stdev([normal response times])
    # Math reference: http://www.answers.com/topic/standard-deviation

    deviation = stdev(kb.responseTimes)
    threadData = getCurrentThreadData()

    if deviation:
        if len(kb.responseTimes) < MIN_TIME_RESPONSES:
            warnMsg = "time-based standard deviation method used on a model "
            warnMsg += "with less than %d response times" % MIN_TIME_RESPONSES
            logger.warn(warnMsg)

        # threshold: average of the normal response times plus 7 standard deviations
        lowerStdLimit = average(kb.responseTimes) + TIME_STDEV_COEFF * deviation
        retVal = (threadData.lastQueryDuration >= lowerStdLimit)

        if not kb.testMode and retVal and conf.timeSec == TIME_DEFAULT_DELAY:
            adjustTimeDelay(threadData.lastQueryDuration, lowerStdLimit)

        return retVal
    else:
        # no usable deviation: fall back to a plain comparison against --time-sec
        return (threadData.lastQueryDuration - conf.timeSec) >= 0
```

Every time an HTTP request is executed, its response time is appended to the kb.responseTimes list, except for the requests issued by the time-based blind test itself.

Why?

The following code shows that when timeBasedCompare is True (that is, during time-based blind detection) the result is returned directly, whereas for other kinds of request the response time is saved:

```python
if timeBasedCompare:
    return wasLastRequestDelayed()
elif noteResponseTime:
    kb.responseTimes.append(threadData.lastQueryDuration)
```

In addition, to ensure the accuracy of the time-based blind test, sqlmap calls queryPage twice.

Only if both results are True is the target URL considered injectable, and injectable is set to True.
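The decision rule walked through above, reduced to a stand-alone model (an added example, not sqlmap's own code): the constants are assumed to mirror sqlmap's settings, the response times are constructed, and the class stands in for kb.responseTimes, wasLastRequestDelayed() and the two-probe check in checkSqlInjection().

```python
import statistics

# Constants assumed to mirror sqlmap's lib/core/settings values
MIN_TIME_RESPONSES = 10   # model size below which sqlmap warns
TIME_STDEV_COEFF = 7      # the "+-7*stdev" bound quoted in sqlmap's comment
TIME_DEFAULT_DELAY = 5    # default --time-sec, used by the fallback rule


class DelayDetector:
    """Plays the role of kb.responseTimes plus wasLastRequestDelayed()."""

    def __init__(self, time_sec=TIME_DEFAULT_DELAY):
        self.response_times = []   # kb.responseTimes: non time-based requests only
        self.time_sec = time_sec   # conf.timeSec

    def note_response(self, duration):
        """queryPage() with noteResponseTime set: extend the 'normal' model."""
        self.response_times.append(duration)

    def model_is_small(self):
        """True when sqlmap would emit its 'less than %d response times' warning."""
        return len(self.response_times) < MIN_TIME_RESPONSES

    def threshold(self):
        """mean + TIME_STDEV_COEFF * sample stdev, or None when there is no spread
        (sqlmap's stdev() yields None below two samples and 0 for identical ones)."""
        if len(self.response_times) < 2:
            return None
        deviation = statistics.stdev(self.response_times)
        if not deviation:
            return None
        return statistics.mean(self.response_times) + TIME_STDEV_COEFF * deviation

    def was_delayed(self, duration):
        """The wasLastRequestDelayed() rule applied to one time-based probe."""
        limit = self.threshold()
        if limit is None:
            # no usable deviation: fall back to the plain --time-sec comparison
            return duration - self.time_sec >= 0
        return duration >= limit

    def is_injectable(self, probe_durations):
        """checkSqlInjection() sends the payload once and, only if that probe was
        delayed, once more; the parameter is injectable when both were delayed.
        all() short-circuits exactly like the nested ifs in checks.py."""
        probes = list(probe_durations)[:2]
        return len(probes) == 2 and all(self.was_delayed(d) for d in probes)
```

Note that with a tight baseline a response only a few hundred milliseconds slower than usual already crosses the 7-stdev threshold, which is why the second confirming probe matters.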

Author: Once a civil man

Reprint Please specify source: http://www.cnblogs.com/hongfei/p/sqlmap-time-based-blind.html
