Generic SQLite Exploitation

From truxwiki.com

You can extend Truxton to exploit SQLite databases that it doesn't currently support.

Generic SQLite Exploitation

SQLite is used everywhere. Many applications use it to store things like program settings, chats, geographic coordinates, etc. Writing a dedicated exploitation routine for every one of these formats is an impossible task. Truxton solves this problem by letting the user add any number of custom queries that are executed while a SQLite file is loaded. The results of each query are written out as a tab-separated values (TSV) child file of the SQLite file.

Concept of Operations

If you find or write a script that can exploit a particular kind of SQLite file, here's how you would integrate it with Truxton's exploitation pipeline.

  1. Put the SQL query and its meta-data into an exploitation script.
  2. Put that script into a folder accessible by the loader.
  3. Add the folder to the TruxtonSettings.xml file.
  4. Restart the Truxton Service.

Exploitation Script Format

The exploitation script is in XML format. This sample is adapted from the aggregate_dictionary_scalars.txt module in Sarah Edwards's open source APOLLO framework.

<sqlite>
  <id>53514C69-7465-287E-AC3B-DE1C115A2B0A</id>
  <scriptversion>1</scriptversion>
  <author>Sarah Edwards/mac4n6.com/@iamevltwin</author>
  <notes>Keeping track of various values on a per-day basis.</notes>
  <source>https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt</source>
  <info></info>
  <title>Aggregate Dictionary - Scalar</title>
  <version>8-14</version>
  <filename>ADDataStore.sqlitedb</filename>
  <sql>SELECT DATE(DAYSSINCE1970*86400, 'unixepoch') AS DAY, KEY AS "KEY", VALUE AS "VALUE" FROM SCALARS</sql>
</sqlite>

Fields

author

This should identify who to thank for writing the SQL query. It is where you give credit where credit is due.

filename

This optional field contains the names of the SQLite files that have been known to contain the data the query extracts. Truxton doesn't currently use this field but may in the future in some form of Triage load.

id

This is a globally unique identifier in a special format which corresponds to the [ID] column of the [Settings] table. It must begin with 53514C69-7465 (the hexadecimal encoding of the ASCII string "SQLite") so that the loader can find the scripts among the other rows of the table. The remainder of the identifier should be unique to your script so that it never collides with another one.

info

This optional field contains free form text describing the data extracted by the query.

notes

This is used as the name of the TSV child file that holds the query results.

scriptversion

This is a counter field used by Truxton to update existing queries in the database. If the version specified here is greater than the version of this script already stored in the database, the stored copy is replaced; if it is equal or lower, the stored copy is left alone. To upgrade an existing script, increment this number and restart the Truxton Service.

source

This is usually a link to the source code or article that contained the SQL query.

sql

The SQL query. Should this query produce a result, a child file will be created containing the results in TSV format.

title

This is text that will be used in the details report.

version

This contains the version of the application or operating system the SQLite database came from (in the sample above, iOS 8 through 14).
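The following is an added example, not Truxton's own loader code. It is a small stand-in for the pipeline described under Concept of Operations and the id, notes, scriptversion and sql fields above: it parses the sample script, rejects an id that does not carry the 53514C69-7465 prefix, applies the scriptversion upgrade rule, runs the query against a SQLite database and renders the result as a TSV child file named from notes. Everything not stated on the page is an assumption: the loader's script store is modelled as a dict keyed by id, the TSV is a header row followed by the query rows, the child file name is the notes text with unsafe characters replaced, and the SCALARS table is constructed here with only the columns the sample query reads.

```python
"""Added example (not Truxton's code): a stand-in for the loader that consumes an
exploitation script in the XML format shown on this page.

Assumptions not stated on the page: the script store is a dict keyed by id, the
TSV child file is one header row plus the query rows, the child file name is the
<notes> text with unsafe characters replaced, and the SCALARS table is constructed
here with only the columns the sample query reads.
"""
import sqlite3
import xml.etree.ElementTree as ET
from typing import Optional

# Every script id must start with this prefix: the hex encoding of the ASCII
# bytes "SQLite" (53 51 4C 69 74 65), which is how the loader tells
# exploitation scripts apart from other rows of the [Settings] table.
ID_PREFIX = "53514C69-7465"

# Fields the loader relies on; the others (filename, info, source, version)
# are informational and may be empty.
REQUIRED_FIELDS = ("id", "scriptversion", "author", "notes", "title", "sql")

# The sample script from the page, embedded so the example runs stand-alone.
SAMPLE_SCRIPT = """<sqlite>
  <id>53514C69-7465-287E-AC3B-DE1C115A2B0A</id>
  <scriptversion>1</scriptversion>
  <author>Sarah Edwards/mac4n6.com/@iamevltwin</author>
  <notes>Keeping track of various values on a per-day basis.</notes>
  <source>https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt</source>
  <info></info>
  <title>Aggregate Dictionary - Scalar</title>
  <version>8-14</version>
  <filename>ADDataStore.sqlitedb</filename>
  <sql>SELECT DATE(DAYSSINCE1970*86400, 'unixepoch') AS DAY, KEY AS "KEY", VALUE AS "VALUE" FROM SCALARS</sql>
</sqlite>"""


def parse_script(xml_text: str) -> dict:
    """Parse an exploitation script and validate the fields the loader depends on."""
    root = ET.fromstring(xml_text)
    if root.tag != "sqlite":
        raise ValueError("root element must be <sqlite>")
    script = {child.tag: (child.text or "").strip() for child in root}
    missing = [f for f in REQUIRED_FIELDS if not script.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if not script["id"].upper().startswith(ID_PREFIX):
        raise ValueError(f"id must begin with {ID_PREFIX}")
    script["scriptversion"] = int(script["scriptversion"])
    return script


def register_script(registry: dict, script: dict) -> bool:
    """Apply the scriptversion rule: replace the stored copy only when the incoming
    version is strictly greater. Returns True when the registry changed."""
    existing = registry.get(script["id"])
    if existing is not None and existing["scriptversion"] >= script["scriptversion"]:
        return False
    registry[script["id"]] = script
    return True


def open_evidence_readonly(path: str) -> sqlite3.Connection:
    """Open an evidence copy read-only so a query can never modify it (assumed practice)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def run_script(db: sqlite3.Connection, script: dict) -> Optional[str]:
    """Run the script's SQL; return TSV text, or None when the query yields no rows
    (in which case the loader creates no child file)."""
    cur = db.execute(script["sql"])
    rows = cur.fetchall()
    if not rows:
        return None
    header = [d[0] for d in cur.description]
    lines = ["\t".join(header)]
    for row in rows:
        lines.append("\t".join("" if v is None else str(v) for v in row))
    return "\n".join(lines) + "\n"


def tsv_child_name(script: dict) -> str:
    """Name the child file from <notes>, replacing characters unsafe in file names."""
    safe = "".join(c if c.isalnum() or c in " -_." else "_" for c in script["notes"])
    return safe.strip(" .") + ".tsv"


def build_sample_db() -> sqlite3.Connection:
    """Constructed SCALARS table with just the columns the sample query reads."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE SCALARS (DAYSSINCE1970 INTEGER, "KEY" TEXT, "VALUE" INTEGER)')
    db.executemany("INSERT INTO SCALARS VALUES (?, ?, ?)", [
        (18262, "com.apple.example.launchCount", 3),   # 18262 days = 2020-01-01
        (18263, "com.apple.example.launchCount", 5),   # 2020-01-02
    ])
    return db


if __name__ == "__main__":
    script = parse_script(SAMPLE_SCRIPT)
    registry = {}
    register_script(registry, script)
    print(tsv_child_name(script))
    print(run_script(build_sample_db(), script), end="")
```

Against a real ADDataStore.sqlitedb you would replace build_sample_db() with open_evidence_readonly(path); the query text, the id check and the TSV rendering stay the same.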