Add additional SQLi sleep tests

[mohghezal]

add sql time

[postmodern]

Ronin::Vulns::SQLI already does various SQL SLEEP(5) tests. Are you referring to a different technique?

ronin-vulns/lib/ronin/vulns/sqli.rb

Lines 350 to 388 in 45deabd

	# Various SQL sleep functions or statements.
	#
	# @api private
	SLEEP_TESTS = [
	'SLEEP(5)',
	"PG_SLEEP(5)",
	"WAITFOR DELAY '0:0:5'"
	]
	#
	# Tests whether the URL is vulnerable to SQL injection, by calling SQL
	# sleep functions to see if it takes longer for the response to be
	# returned.
	#
	# @return [Boolean]
	#
	# @api private
	#
	def test_sleep
	SLEEP_TESTS.each do |sql|
	[sql, ";SELECT #{sql}"].each do |sqli|
	start_time = Time.now
	response = exploit(sqli)
	stop_time = Time.now
	delta = (stop_time - start_time)
	# check for SQL errors first
	if check_for_sql_errors(response)
	return true
	end
	# if the response took more than 5 seconds, our SQL sleep function
	# probably worked.
	return true if delta > 5.0
	end
	end
	return false
	end

[mohghezal]

add more
SLEEP_TESTS = [
"'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z --",
"'if(now()=sysdate(),sleep(5),0) --",
"'or(now()=sysdate()&&SLEEP(5))or'Z --",
"'|(IF((now())LIKE(sysdate()),SLEEP(5),0))|'Z --",
'SLEEP(5)',
"PG_SLEEP(5)",
"WAITFOR DELAY '0:0:5'"
]

[postmodern]

@mohghezal could you rewrite those without the or'Z -- suffixes, since SQLI#escape(sql) is supposed to add any termination/escaping to the given SQL. I'm not sure if the XOR/or/| at the end is required or part of the escape/termination?

[postmodern]

@mohghezal also how are these tests better than the existing SLEEP(5) test? Are they meant to be injected into certain SQL clauses? Will these bypass WAFs?