Beispiel #1
        //int InjectAndCheckBlindDelay(string payload, int time, int avg_time)
        //{
        //    for (int i = 0; i < 2; i++)
        //    {
        //        this.Scnr.RequestTrace(string.Format("  Injecting {0}", payload));
        //        Response res = this.Scnr.Inject(payload);
        //        string res_trace = string.Format("	==> Code-{0} Length-{1} Time-{2}ms.", res.Code, res.BodyLength, res.RoundTrip);
        //        if (i == 0)
        //        {
        //            if (res.RoundTrip >= (time * 1000))
        //            {
        //                this.Scnr.ResponseTrace(string.Format("{0} <i<b>>Delay Observed! Rechecking the result with the same Injection string<i</b>>", res_trace));
        //            }
        //            else
        //            {
        //                this.Scnr.ResponseTrace(string.Format("{0} No Time Delay.", res_trace));
        //                break;
        //            }
        //        }
        //        else if (i == 1)
        //        {
        //            if (res.RoundTrip >= (time * 1000))
        //            {
        //                this.Scnr.ResponseTrace(string.Format("{0} <i<br>><i<cr>>Delay Observed Again! Indicates Presence of SQL Injection<i</cr>>", res_trace));
        //                this.RequestTriggers.Add(payload);
        //                this.RequestTriggerDescs.Add(string.Format("The payload in this request contains a SQL query snippet which if executed will cause a delay of {0} milliseconds. The payload is {1}", time * 1000, payload));
        //                this.TriggerRequests.Add(this.Scnr.InjectedRequest.GetClone());
        //                this.ResponseTriggers.Add("");
        //                this.ResponseTriggerDescs.Add(string.Format("It took {0} milliseconds to get this response. It took so long because of the {1} milliseconds delay caused by the payload.", res.RoundTrip, time * 1000));
        //                this.TriggerResponses.Add(res);
        //                this.TriggerCount = this.TriggerCount + 1;
        //                FindingReason reason = this.GetBlindTimeReason(payload, time * 1000, res.RoundTrip, avg_time, this.TriggerCount);
        //                this.reasons.Add(reason);
        //                //#this.ReportSQLInjection()
        //                return 1;
        //            }
        //            else
        //            {
        //                this.Scnr.ResponseTrace(string.Format("{0} <i<b>>Time Delay did not occur again!<i</b>>", res_trace));
        //            }
        //        }
        //    }
        //    return 0;
        //}
        /// <summary>
        /// Runs the time-delay based SQL injection check for the given payload parts and,
        /// when the check reports success, stores the request/response evidence for the finding.
        /// </summary>
        /// <param name="PayloadParts">Payload components passed on to <c>DoTimeDelayBasedCheck</c>.</param>
        /// <returns>1 when the check result has <c>Success</c> set and a trigger was recorded; otherwise 0.</returns>
        /// <remarks>
        /// The pass/fail decision is made entirely inside <c>DoTimeDelayBasedCheck</c>; this method only
        /// records what that helper returns.
        /// NOTE(review): the commented-out predecessor of this method re-sent the payload a second time
        /// before reporting. Whether the helper still confirms a delay before setting <c>Success</c> is not
        /// visible here; confirm, because a single slow response is a common source of false positives.
        /// </remarks>
        int InjectAndCheckBlindDelay(SqlInjectionPayloadParts PayloadParts)
        {
            TimeBasedCheckResults outcome = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);

            // Guard clause: without a successful check there is no evidence to store.
            if (!outcome.Success)
            {
                return 0;
            }

            // Request side of the evidence: the payload, a description of it, and the request that carried it.
            this.RequestTriggers.Add(outcome.DelayPayload);
            string requestDescription = string.Format(
                "The payload in this request contains a SQL query snippet which if executed will cause a delay of {0} milliseconds. The payload is {1}",
                outcome.DelayInduced,
                outcome.DelayPayload);
            this.RequestTriggerDescs.Add(requestDescription);
            this.TriggerRequests.Add(outcome.DelayRequest);

            // Response side: the trigger is the elapsed time rather than any text in the body,
            // so the response trigger string is left empty.
            this.ResponseTriggers.Add("");
            string responseDescription = string.Format(
                "It took {0} milliseconds to get this response. It took so long because of the {1} milliseconds delay caused by the payload.",
                outcome.DelayObserved,
                outcome.DelayInduced);
            this.ResponseTriggerDescs.Add(responseDescription);
            this.TriggerResponses.Add(outcome.DelayResponse);

            // The reason is built after the increment, so it receives the updated trigger count.
            this.TriggerCount += 1;
            FindingReason blindTimeReason = this.GetBlindTimeReason(outcome, this.TriggerCount);
            this.reasons.Add(blindTimeReason);
            return 1;
        }
Beispiel #2
        /// <summary>
        /// Runs the time based SQL injection check once for every entry in <c>time_check</c>
        /// and totals the per-entry results.
        /// </summary>
        /// <returns>
        /// The sum of the values returned by <c>InjectAndCheckBlindDelay</c>, which returns 1 for a
        /// recorded delay trigger and 0 otherwise.
        /// </returns>
        int CheckBlindTime()
        {
            this.Scnr.Trace("<i<br>><i<h>>Checking for Time based Injection:<i</h>>");

            // An earlier revision of this method sent three un-injected requests here to measure
            // minimum/maximum/average response time and derived the delay value from them before
            // substituting it into each payload. That logic is no longer part of this method.
            // NOTE(review): baseline measurement presumably now happens inside the delay check
            // helper; confirm, since without a baseline a naturally slow endpoint can look like
            // a successful delay injection.

            // A single payload-parts instance is reused; only SqlCommand changes per iteration.
            SqlInjectionPayloadParts parts = new SqlInjectionPayloadParts();
            int hits = 0;
            foreach (string sqlCommand in time_check)
            {
                parts.SqlCommand = sqlCommand;
                hits += this.InjectAndCheckBlindDelay(parts);
            }
            return hits;
        }