Module: Msf::Exploit::SQLi::TimeBasedBlindMixin

Included in:
Mssqli::TimeBasedBlind, MySQLi::BenchmarkBasedBlind, MySQLi::TimeBasedBlind, PostgreSQLi::TimeBasedBlind, SQLitei::TimeBasedBlind
Defined in:
lib/msf/core/exploit/sqli/time_based_blind_mixin.rb

Overview

This module provides the methods used for time-based blind SQL injection that are common across the DBMS-specific implementations.

Instance Method Summary

Instance Method Details

#blind_request(query) ⇒ Boolean

Performs one request and measures how long it takes; each call should leak one bit of information.

Parameters:

  • query (String)

    The SQL query to run

Returns:

  • (Boolean)

    Whether the target slept when queried with the given payload



# File 'lib/msf/core/exploit/sqli/time_based_blind_mixin.rb', line 48

def blind_request(query)
  time = Time.now
  @query_proc.call(query)
  diff = Time.now - time
  # The payload asks the target to pause for SqliDelay seconds when the injected
  # condition is true, so a response at least that slow is read as "true".
  diff >= datastore['SqliDelay']
end

#run_sql(query, output_charset: nil) ⇒ String

Runs an SQL query, and returns its results (time-based blind technique)

Parameters:

  • query (String)

    The SQL query to execute

  • output_charset (Range) (defaults to: nil)

    The range of characters to expect in the output, optional

Returns:

  • (String)

    The query result



# File 'lib/msf/core/exploit/sqli/time_based_blind_mixin.rb', line 24

def run_sql(query, output_charset: nil)
  if output_charset.is_a?(Range) && output_charset.count > 0
    known_bits, bits_to_guess = Msf::Exploit::SQLi::Utils::Common.get_bitmask(output_charset)
  else
    known_bits = 0
    bits_to_guess = 8
  end
  vprint_status "{SQLi} Executing (#{query})"
  if @hex_encode_strings
    query = hex_encode_strings(query)
    vprint_status "{SQLi} Encoded to (#{query})"
  end
  # first, get the length of the output
  output_length = blind_detect_length(query, true)
  vprint_status "{SQLi} Time-based injection: expecting output of length #{output_length}"
  # now, get the output, of the given length
  blind_dump_data(query, output_length, known_bits, bits_to_guess, true)
end

#test_vulnerable ⇒ Boolean

Checks whether the target is vulnerable to time-based blind injection. Uses time_blind_payload, which subclasses override to build the DBMS-specific payload (SLEEP vs BENCHMARK).

Returns:

  • (Boolean)

    Whether the check confirmed that the time-based SQL injection works



# File 'lib/msf/core/exploit/sqli/time_based_blind_mixin.rb', line 11

def test_vulnerable
  # A true condition must produce the delay and a false one must not; requiring
  # both rules out a target that is simply slow for every request.
  out_true = blind_request(time_blind_payload('1=1'))
  out_false = blind_request(time_blind_payload('1=2'))
  out_true && !out_false
end
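The three methods above form one mechanism: blind_request turns a timing into a bit, test_vulnerable compares a true and a false condition, and run_sql spends one such request per unknown bit. The following is an added example, not code from the Metasploit library: it reproduces that mechanism in-process against a constructed target (the `SLEEP_IF(...)` payload syntax, the `BIT(i,k)=1` condition and the `SECRET` value are all invented for the simulation), so the request count and the false-positive case can be observed without any network or database.

```ruby
# Added example (not Metasploit code): in-process simulation of the timing oracle.
class TimeBasedBlindDemo
  SECRET = 'A'.freeze # constructed value the simulated target "holds"
  attr_reader :requests

  # delay plays the role of datastore['SqliDelay']; latency is a constant
  # per-request cost that models a uniformly slow target.
  def initialize(delay: 0.05, latency: 0.0)
    @delay, @latency, @requests = delay, latency, 0
    @query_proc = ->(q) { simulated_target(q) }
  end

  # Same shape as the mixin's blind_request: one request, one timing, one bit
  # (a monotonic clock replaces Time.now so wall-clock jumps cannot skew it).
  def blind_request(query)
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    @query_proc.call(query)
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0 >= @delay
  end

  # Stand-in for the subclass-specific time_blind_payload (SLEEP vs BENCHMARK).
  def time_blind_payload(condition)
    "SLEEP_IF(#{condition})"
  end

  # Same logic as the mixin's test_vulnerable: the true and the false condition
  # must time differently, so a uniformly slow target is not reported as injectable.
  def test_vulnerable
    blind_request(time_blind_payload('1=1')) && !blind_request(time_blind_payload('1=2'))
  end

  # Recovers one byte of SECRET with eight yes/no requests, one per bit: the
  # cost model behind blind_dump_data when no output_charset narrows the guess.
  def leak_byte
    (0..7).inject(0) do |acc, bit|
      hit = blind_request(time_blind_payload("BIT(0,#{bit})=1"))
      acc | ((hit ? 1 : 0) << bit)
    end
  end

  private

  # Constructed target: understands only '1=1', '1=2' and 'BIT(i,k)=1'.
  def simulated_target(query)
    @requests += 1
    sleep(@latency) if @latency > 0
    cond = query[/SLEEP_IF\((.*)\)/, 1]
    truth = cond == '1=1' ||
            (cond =~ /\ABIT\((\d+),(\d+)\)=1\z/ && SECRET[$1.to_i].ord[$2.to_i] == 1)
    sleep(@delay) if truth
  end
end
```

With `latency` set at or above `delay`, every request crosses the threshold and `test_vulnerable` correctly returns false, which is the case the paired 1=1/1=2 check exists for; on the detection side, the same simulation shows the signature such a probe leaves: a burst of near-identical requests whose response times cluster at exactly the configured delay.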