SQLi progress feedback #19092
Comments
Why not? 👀 Maybe I don't understand the full context, but we definitely do that here:
As well as for the MSF spinner thread on console boot that spits out the intro message
I also think that displaying data before the end of the attack would have a lot of value. Had - thought about it, @adfoster-r7 the issue was that logging APIs didn't offer a portable way to move the cursor on the screen, or to print without a newline and send backspaces. The console "starting metasploit" message is displayed through $stderr.print (https://github.com/rapid7/metasploit-framework/blob/master/lib%2Fmetasploit%2Fframework%2Fcommand%2Fconsole.rb). My understanding is that it would not be portable, and that the library should only use print_XXX from the Msf::Module::UI::Message mixin, but that would be something to improve on the logging library side if that's the case. For @h00die's suggestion, I agree that it would help, perhaps based on the size of new data that gets retrieved? (Because 10% of the data can be very insignificant, if for example, the whole data is 20 bytes, you wouldn't print 10 progress lines, or, if it's too large, printing 10% can output information that can't be easily viewed on a terminal, and 10% can take a lot of time, printing more progress lines would be better I think for this case).
@h00die which script are you referring to? That is not giving output
It isn't necessarily a script problem, more of a library issue.
The
metasploit-framework/lib/rex/ui/subscriber.rb Lines 71 to 76 in c83a219
I believe in terms of portability, I've confirmed
Dev setup, use 5.0.0
Metasploit setup:
How about we add:
To the Or similar? It will display the slices pulled from the SQLi (not decode them) make it immune to non-printable characters, issues of newline embedded, etc?
Referring to this code:
BTW: there seems to be duplicate code here, not sure why there isn't a base class that has
Example of duplicate code:
Actually... seems like there isn't that much duplicate code
I don't see how
@h00die I looked more into this, there is no way to show progress - as we don't know the My only idea at the moment is to show the slice returned with a
@red0xff and I had previously discussed some way of giving feedback for SQLi where the output isn't near instant. So a blind SQLi for instance. I LOVE how sqlmap will give you `_________` then fill it in like `a_mini___a_or`. It's a neat gui trick. Now obviously we can't do that with MSF, but when you have to dump 400+ characters and it takes 30+ minutes, it's pretty boring just looking at a blank screen w/ no feedback.

I'd like to suggest a new feature of the SQLi libraries where there is a configurable percentage for feedback.
So for instance, it defaults to `10` (aka every 10% completed, give feedback on progress).

Output would look similar to the command stagers:
Thoughts?
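The percentage-based feedback proposed in the post above, combined with the byte-size bounds suggested earlier in the thread, as an added example that is not part of the thread or of Metasploit's code. `ProgressThrottle`, its parameters and `simulate` are hypothetical names, and the printer block stands in for whatever print method the caller uses; when the total is unknown it falls back to byte counts only.

```ruby
# Added example (hypothetical class, not a Metasploit API): decides when a
# slow, chunked retrieval should print a progress line.
class ProgressThrottle
  attr_reader :lines
  # total:     expected size in bytes, or nil when it is not known up front
  # percent:   report every N percent of total (the proposed default is 10)
  # min_bytes: never report more often than this many new bytes
  # max_bytes: always report after this many new bytes, even below N percent
  def initialize(total:, percent: 10, min_bytes: 16, max_bytes: 256, &printer)
    @total, @percent = total, percent
    @min_bytes, @max_bytes = min_bytes, max_bytes
    @printer = printer || ->(msg) { puts msg }
    @last, @lines = 0, []
  end

  # done is the cumulative number of bytes retrieved so far.
  def update(done)
    return unless due?(done)
    @last = done
    msg = if @total
            format('Progress: %d/%d bytes (%.1f%%)', done, @total, 100.0 * done / @total)
          else
            format('Progress: %d bytes retrieved', done)
          end
    @lines << msg
    @printer.call(msg)
  end

  private

  def due?(done)
    delta = done - @last
    return false if delta <= 0
    return true if @total && done >= @total    # always report completion
    return true if delta >= @max_bytes         # long gap: report regardless
    return false if delta < @min_bytes         # tiny gap: stay quiet
    return false unless @total                 # unknown size: byte limits only

    step = @total * @percent / 100.0
    (done / step).floor > (@last / step).floor # crossed a percent boundary
  end
end

# Constructed input: a value of `total` bytes arriving one byte at a time.
def simulate(total, **opts)
  t = ProgressThrottle.new(total: total, **opts) { |_msg| }
  (1..total).each { |n| t.update(n) }
  t.lines
end
```

With the defaults, a 20-byte value yields two lines instead of ten, and a 4000-byte value yields twenty lines instead of ten.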