def timeTest():
    """
    Check whether kb.injParameter shows a time-based blind SQL injection
    and cache the verdict in kb.timeTest.

    Two probes are tried in order: a delay expression appended as an AND
    condition, then the same delay expression sent through
    inject.goStacked(). A probe counts as positive when the measured
    round trip is at least conf.timeSec seconds.

    Returns the value of kb.timeTest: the result of
    agent.removePayloadDelimiters(payload, False) for the probe that
    triggered the delay, or False when neither did.
    """
    # A verdict from an earlier call (payload or False) is reused as-is,
    # so no further request is sent.
    if kb.timeTest is not None:
        return kb.timeTest

    # NOTE(review): this line reports conf.logic, while the query below and
    # the outcome messages are fixed to AND -- the log may not match what is
    # actually sent if conf.logic holds anything else; confirm.
    logger.info(
        "testing time-based blind sql injection on parameter "
        "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
    )

    delayExpr = getDelayQuery(andCond=True)
    wrapped = agent.suffixQuery(agent.prefixQuery("AND %s" % delayExpr))
    payload = agent.payload(newValue=wrapped)

    # The timer is started immediately before the request so that only the
    # round trip itself is measured.
    began = time.time()
    Request.queryPage(payload)
    elapsed = calculateDeltaSeconds(began)

    # Caveat: this is a single timing sample. A response that is slow for
    # unrelated reasons (network latency, server load) also satisfies the
    # comparison, so a positive here is an indication, not proof.
    if elapsed >= conf.timeSec:
        logger.info(
            "the target url is affected by a time-based blind "
            "sql injection with AND condition syntax on parameter "
            "'%s'" % kb.injParameter
        )
        kb.timeTest = agent.removePayloadDelimiters(payload, False)
        return kb.timeTest

    # NOTE(review): the listing was flattened onto one line; the
    # stacked-queries probe is assumed to be the fallback branch of the AND
    # probe (it runs only after a negative AND result) -- confirm against
    # the original file.
    logger.warn(
        "the target url is not affected by a time-based blind "
        "sql injection with AND condition syntax on parameter "
        "'%s'" % kb.injParameter
    )

    logger.info(
        "testing time-based blind sql injection on parameter "
        "'%s' with stacked queries syntax" % kb.injParameter
    )

    delayExpr = getDelayQuery(andCond=True)
    began = time.time()
    payload, _ignored = inject.goStacked(delayExpr)
    elapsed = calculateDeltaSeconds(began)

    if elapsed >= conf.timeSec:
        logger.info(
            "the target url is affected by a time-based blind sql "
            "injection with stacked queries syntax on parameter "
            "'%s'" % kb.injParameter
        )
        kb.timeTest = agent.removePayloadDelimiters(payload, False)
    else:
        logger.warn(
            "the target url is not affected by a time-based blind "
            "sql injection with stacked queries syntax on parameter "
            "'%s'" % kb.injParameter
        )
        # False (not None) records "tested, negative" for later calls.
        kb.timeTest = False

    return kb.timeTest
def timeTest():
    """
    Check whether kb.injParameter shows a time-based blind SQL injection
    and store the verdict in kb.timeTest.

    A delay expression is first appended as an AND condition; if that does
    not slow the response, the same expression is sent through
    inject.goStacked(). A probe counts as positive when the elapsed time,
    truncated to whole seconds, is at least conf.timeSec.

    Returns the value of kb.timeTest: the payload that triggered the delay,
    or False when neither probe did.

    Note: there is no early return on an existing kb.timeTest, so every
    call sends the probes again.
    """
    logger.info(
        "testing time based blind sql injection on parameter "
        "'%s' with AND condition syntax" % kb.injParameter
    )

    delayExpr = getDelayQuery(andCond=True)
    wrapped = agent.postfixQuery(agent.prefixQuery(" AND %s" % delayExpr))
    payload = agent.payload(newValue=wrapped)

    # The timer is started immediately before the request so that only the
    # round trip itself is measured.
    began = time.time()
    Request.queryPage(payload)
    # int() drops the fractional part, so the comparison below works on
    # whole seconds.
    elapsed = int(time.time() - began)

    # Caveat: this is a single timing sample. A response that is slow for
    # unrelated reasons (network latency, server load) also satisfies the
    # comparison, so a positive here is an indication, not proof.
    if elapsed >= conf.timeSec:
        logger.info(
            "the parameter '%s' is affected by a time "
            "based blind sql injection with AND condition syntax" % kb.injParameter
        )
        kb.timeTest = payload
        return kb.timeTest

    # NOTE(review): the listing was flattened onto one line; the stacked
    # query probe is assumed to be the fallback branch of the AND probe (it
    # runs only after a negative AND result) -- confirm against the
    # original file.
    logger.warn(
        "the parameter '%s' is not affected by a time "
        "based blind sql injection with AND condition syntax" % kb.injParameter
    )

    logger.info(
        "testing time based blind sql injection on parameter "
        "'%s' with stacked query syntax" % kb.injParameter
    )

    delayExpr = getDelayQuery(andCond=True)
    began = time.time()
    payload, _ignored = inject.goStacked(delayExpr)
    elapsed = int(time.time() - began)

    if elapsed >= conf.timeSec:
        logger.info(
            "the parameter '%s' is affected by a time "
            "based blind sql injection with stacked query syntax" % kb.injParameter
        )
        kb.timeTest = payload
    else:
        logger.warn(
            "the parameter '%s' is not affected by a time "
            "based blind sql injection with stacked query syntax" % kb.injParameter
        )
        kb.timeTest = False

    return kb.timeTest
def stackedTest():
    """
    Check whether kb.injParameter accepts stacked queries and cache the
    verdict in kb.stackedTest.

    A delay query from getDelayQuery() is sent through inject.goStacked();
    the probe counts as positive when the measured round trip is at least
    conf.timeSec seconds.

    Returns None when conf.direct is set (nothing is tested). Otherwise
    returns the value of kb.stackedTest: the result of
    agent.removePayloadDelimiters(payload, False) on a positive probe, or
    False on a negative one.
    """
    # With conf.direct set the check is skipped entirely and the caller
    # gets None rather than a verdict.
    if conf.direct:
        return

    # A verdict from an earlier call (payload or False) is reused as-is,
    # so no further request is sent.
    if kb.stackedTest is not None:
        return kb.stackedTest

    logger.info(
        "testing stacked queries sql injection on parameter "
        "'%s'" % kb.injParameter
    )

    delayQuery = getDelayQuery()
    # The timer is started immediately before the request so that only the
    # round trip itself is measured.
    began = time.time()
    payload, _ignored = inject.goStacked(delayQuery)
    elapsed = calculateDeltaSeconds(began)

    # Caveat: this is a single timing sample. A response that is slow for
    # unrelated reasons (network latency, server load) also satisfies the
    # comparison, so a positive here is an indication, not proof.
    delayed = elapsed >= conf.timeSec

    if delayed:
        logger.info(
            "the target url is affected by a stacked queries "
            "sql injection on parameter '%s'" % kb.injParameter
        )
        kb.stackedTest = agent.removePayloadDelimiters(payload, False)
    else:
        logger.warn(
            "the target url is not affected by a stacked queries "
            "sql injection on parameter '%s'" % kb.injParameter
        )
        # False (not None) records "tested, negative" for later calls.
        kb.stackedTest = False

    # NOTE(review): the listing was flattened onto one line; setStacked() is
    # assumed to sit at function level and so to run for both outcomes, not
    # only on the negative branch -- confirm against the original file.
    setStacked()

    return kb.stackedTest
def stackedTest():
    """
    Check whether the application accepts stacked queries on
    kb.injParameter and cache the verdict in kb.stackedTest.

    A delay query from getDelayQuery() is sent through inject.goStacked();
    the probe counts as positive when the elapsed time, truncated to whole
    seconds, is at least conf.timeSec.

    Returns the value of kb.stackedTest: the payload on a positive probe,
    or False on a negative one.
    """
    # A verdict from an earlier call (payload or False) is reused as-is,
    # so no further request is sent.
    if kb.stackedTest is not None:
        return kb.stackedTest

    logger.info(
        "testing stacked queries support on parameter "
        "'%s'" % kb.injParameter
    )

    delayQuery = getDelayQuery()
    # The timer is started immediately before the request so that only the
    # round trip itself is measured.
    began = time.time()
    payload, _ignored = inject.goStacked(delayQuery)
    # int() drops the fractional part, so the comparison below works on
    # whole seconds.
    elapsed = int(time.time() - began)

    # Caveat: this is a single timing sample. A response that is slow for
    # unrelated reasons (network latency, server load) also satisfies the
    # comparison, so a positive here is an indication, not proof.
    delayed = elapsed >= conf.timeSec

    if delayed:
        logger.info(
            "the web application supports stacked queries "
            "on parameter '%s'" % kb.injParameter
        )
        kb.stackedTest = payload
    else:
        logger.warn(
            "the web application does not support stacked queries "
            "on parameter '%s'" % kb.injParameter
        )
        # False (not None) records "tested, negative" for later calls.
        kb.stackedTest = False

    # NOTE(review): the listing was flattened onto one line; setStacked() is
    # assumed to sit at function level and so to run for both outcomes, not
    # only on the negative branch -- confirm against the original file.
    setStacked()

    return kb.stackedTest