// An earlier version of this method injected the payload twice inline and compared
// Response.RoundTrip against the requested delay itself; that logic has moved into
// DoTimeDelayBasedCheck, which hands back a TimeBasedCheckResults.
//
// Runs the time-delay check for the supplied payload parts and, when a delay is
// confirmed, records the injected request/response pair as a finding trigger.
//   PayloadParts - SQL command plus surrounding parts to inject (SqlCommand is set by the caller)
//   returns      - 1 if a delay was confirmed and a trigger recorded, otherwise 0
// NOTE(review): assumes DoTimeDelayBasedCheck never returns null - confirm.
int InjectAndCheckBlindDelay(SqlInjectionPayloadParts PayloadParts)
{
    var result = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
    if (!result.Success)
    {
        return 0;
    }

    string requestDesc = string.Format("The payload in this request contains a SQL query snippet which if executed will cause a delay of {0} milliseconds. The payload is {1}", result.DelayInduced, result.DelayPayload);
    string responseDesc = string.Format("It took {0} milliseconds to get this response. It took so long because of the {1} milliseconds delay caused by the payload.", result.DelayObserved, result.DelayInduced);

    // Request side of the trigger: the payload that induced the delay, its description,
    // and the request that carried it.
    this.RequestTriggers.Add(result.DelayPayload);
    this.RequestTriggerDescs.Add(requestDesc);
    this.TriggerRequests.Add(result.DelayRequest);

    // Response side: the trigger text is left empty (presumably because the evidence is
    // the timing, not any body content); the description carries the observed/induced delays.
    this.ResponseTriggers.Add("");
    this.ResponseTriggerDescs.Add(responseDesc);
    this.TriggerResponses.Add(result.DelayResponse);

    this.TriggerCount++;
    this.reasons.Add(this.GetBlindTimeReason(result, this.TriggerCount));
    //#this.ReportSQLInjection()
    return 1;
}
// Runs every time-based injection string in time_check against the current injection
// point and returns how many of them produced a confirmed delay.
// The baseline measurement that used to live here (three plain requests to derive a
// delay threshold, then a __TIME__ substitution into each payload) is no longer done
// in this method; presumably TimePayloadGenerator / DoTimeDelayBasedCheck handle it - confirm.
int CheckBlindTime()
{
    this.Scnr.Trace("<i<br>><i<h>>Checking for Time based Injection:<i</h>>");

    // One SqlInjectionPayloadParts instance is reused; only SqlCommand changes per iteration.
    // NOTE(review): if DoTimeDelayBasedCheck keeps a reference to it, later iterations would
    // mutate what earlier results point at - confirm.
    SqlInjectionPayloadParts parts = new SqlInjectionPayloadParts();
    int confirmed = 0;
    foreach (string sqlCommand in time_check)
    {
        parts.SqlCommand = sqlCommand;
        confirmed += this.InjectAndCheckBlindDelay(parts);
    }
    return confirmed;
}