Closed
Description
When targeting an unstable Microsoft SQL Server (likely any SQL server), while in the process of extracting data character by character, a problem occurs when the server fails to respond in time, which causes sqlmap to think that it returned true:
From that point in time, sqlmap will loop into the millions, searching for the ASCII/Unicode character.
For example, on a blind injection request which should have gotten a response in time but didn't because of server lag, the following requests get sent out (I've filtered the relevant part out of the query):
```
SELECT DB_NAME()),1,1))>64
SELECT DB_NAME()),1,1))>96
SELECT DB_NAME()),1,1))>112
SELECT DB_NAME()),1,1))>120
SELECT DB_NAME()),1,1))>124
SELECT DB_NAME()),1,1))>126
SELECT DB_NAME()),1,1))>127
SELECT DB_NAME()),1,1))>1088
SELECT DB_NAME()),1,1))>1568
SELECT DB_NAME()),1,1))>1808
SELECT DB_NAME()),1,1))>1928
...
SELECT DB_NAME()),1,1))>16777168
....
SELECT DB_NAME()),1,1))>67108480
```
And so on...
I suspect it could have something to do with the while loop in line 306 (lib/techniques/blind/inference.py).
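The runaway search described above, reproduced as a constructed simulation. This is an added example, not sqlmap's own code: the oracle, the rule for widening the search range (doubling the upper bound once the value is found to be above it), the retry policy and the `make_oracle` / `infer_char_naive` / `infer_char_robust` names are all assumptions made for illustration. The "naive" search treats a timed-out request as a true answer, so a hung server drives the threshold past one million; the "robust" search treats a timeout as unknown, retries, and aborts rather than guess, and also refuses to widen past the last Unicode code point.

```python
"""Simulation of boolean-blind character inference with a flaky server.

Constructed example (not sqlmap code). The oracle answers the question
'UNICODE(SUBSTRING(value, pos, 1)) > threshold'; a timeout is modelled as
an exception instead of an answer.
"""
from typing import Callable, List, Optional, Tuple

class ServerTimeout(Exception):
    """Raised when the simulated server does not answer within the time limit."""

Probe = Tuple[int, Optional[bool]]   # (threshold asked, answer; None = timed out)
Oracle = Callable[[int], bool]

def make_oracle(true_code: int, hangs: Callable[[int], bool]) -> Oracle:
    """Build an oracle for a value whose code point is `true_code`.
    `hangs(k)` decides whether the k-th request (1-based) times out instead of answering."""
    sent = [0]
    def oracle(threshold: int) -> bool:
        sent[0] += 1
        if hangs(sent[0]):
            raise ServerTimeout(f"request {sent[0]} (> {threshold}) timed out")
        return true_code > threshold
    return oracle

def infer_char_naive(oracle: Oracle, high: int = 127,
                     max_probes: int = 200) -> Tuple[Optional[int], List[Probe]]:
    """Bisection that mistakes a timeout for True (the bug described in the report).
    Invariant: value > low; `high` is the current upper bound. Capped at max_probes
    only so the demonstration terminates."""
    low, log = 0, []
    for _ in range(max_probes):
        mid = high if high - low <= 1 else (low + high) // 2
        try:
            answer = oracle(mid)
        except ServerTimeout:
            answer = True                  # BUG: silence read as "yes, greater than"
        log.append((mid, answer))
        if not answer:
            if mid == high:                # value > low and not > high: found it
                return high, log
            high = mid
        elif mid == high:                  # value claims to be > high: widen and continue
            low, high = high, high * 2
        else:
            low = mid
    return None, log

def ask(oracle: Oracle, threshold: int, retries: int) -> Optional[bool]:
    """Re-send a timed-out probe; None means the server never answered."""
    for _ in range(retries + 1):
        try:
            return oracle(threshold)
        except ServerTimeout:
            continue
    return None

def infer_char_robust(oracle: Oracle, high: int = 127, max_high: int = 0x10FFFF,
                      retries: int = 3) -> Tuple[Optional[int], List[Probe]]:
    """Same bisection, but a timeout is 'unknown': retry, then abort instead of guessing.
    The range is never widened beyond `max_high` (assumed: the last Unicode code point)."""
    low, log = 0, []
    while True:
        mid = high if high - low <= 1 else (low + high) // 2
        answer = ask(oracle, mid, retries)
        log.append((mid, answer))
        if answer is None:
            return None, log               # cannot tell true from false: report failure
        if not answer:
            if mid == high:
                return high, log
            high = mid
        elif mid == high:
            if high >= max_high:           # nothing above U+10FFFF: the oracle is unreliable
                return None, log
            low, high = high, min(high * 2, max_high)
        else:
            low = mid

if __name__ == "__main__":
    m = ord("m")                           # constructed target character
    hung = lambda k: k > 5                 # server stops answering after five requests
    code, log = infer_char_naive(make_oracle(m, hung))
    print("naive, hung server:", code, "probes:", len(log), "last threshold:", log[-1][0])
    code, log = infer_char_robust(make_oracle(m, hung))
    print("robust, hung server:", code, "probes:", len(log))
    once = lambda k: k == 6                # a single lagging response
    print("naive, one timeout :", chr(infer_char_naive(make_oracle(m, once))[0]))
    print("robust, one timeout:", chr(infer_char_robust(make_oracle(m, once))[0]))
```

Two things the simulation shows that the request list alone does not: a single lagging response is enough to corrupt the extracted character (the naive search returns `n` for `m`, because the timed-out `> 109` probe is read as true), and once the server stops answering, every subsequent "true" pushes the search into a range that can never be bisected to a false answer, so the threshold keeps doubling.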