Generic SQLite Exploitation
You can extend Truxton to exploit SQLite databases that it doesn't currently support.
SQLite is used everywhere. Many applications use it to store things like program settings, chats, geographic coordinates, etc. Trying to exploit every one of these formats is an impossible task. Truxton solves this problem by giving the user the ability to add any number of custom queries that are executed during loading. The results of each query are written out as a tab-separated values (TSV) child file of the SQLite file.
Concept of Operations
If you find or write a script that can exploit a particular kind of SQLite file, here's how you would integrate it with Truxton's exploitation pipeline.
- Put the SQL query and meta-data into an exploitation script.
- Put that script into a folder accessible by the loader.
- Add the folder to the TruxtonSettings.xml file.
- Restart the Truxton Service.
Exploitation Script Format
The exploitation script is in XML format. This sample is taken from the aggregate_dictionary_scalars.txt script in Sarah Edwards' open source APOLLO framework.

<sqlite>
  <id>53514C69-7465-287E-AC3B-DE1C115A2B0A</id>
  <scriptversion>1</scriptversion>
  <author>Sarah Edwards/mac4n6.com/@iamevltwin</author>
  <notes>Keeping track of various values on a per-day basis.</notes>
  <source>https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt</source>
  <info></info>
  <title>Aggregate Dictionary - Scalar</title>
  <version>8-14</version>
  <filename>ADDataStore.sqlitedb</filename>
  <sql>SELECT DATE(DAYSSINCE1970*86400, 'unixepoch') AS DAY, KEY AS "KEY", VALUE AS "VALUE" FROM SCALARS</sql>
</sqlite>
Fields
author
This should identify who to thank for writing the SQL query. It is where you give credit where credit is due.
filename
This optional field contains the names of the SQLite files that have been known to contain the data the query extracts. Truxton doesn't currently use this field but may in the future in some form of Triage load.
id
This is a globally unique identifier in a special format which corresponds to the [ID] column of the [Settings] table. It must begin with 53514C69-7465 so that the loader can find the scripts in the database.
info
This optional field contains free form text describing the data extracted by the query.
notes
This is used as the name of the TSV file.
scriptversion
This is a counter field used by Truxton to update existing queries in the database. If the version specified here is greater than the version of this script in the database, the database entry is updated. To upgrade an existing script, increment this number and restart the Truxton Service.
source
This is usually a link to the source code or article that contained the SQL query.
sql
The SQL query to run against the SQLite file. Should this query produce a result, a child file will be created containing the results in TSV format.
title
This is text that will be used in the details report.
version
This contains the version of the database or operating system the SQLite file came from.
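The following is an added example, not Truxton's own loader code: it parses a script in the format described above, checks the id prefix and required fields the page specifies, runs the query against a constructed in-memory stand-in for the SCALARS table, and produces the TSV text a child file would contain. The script values are the page's sample; the table contents and column types are assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Sample script copied from the page's example; the database below is constructed.
SCRIPT_XML = """<sqlite>
  <id>53514C69-7465-287E-AC3B-DE1C115A2B0A</id>
  <scriptversion>1</scriptversion>
  <author>Sarah Edwards/mac4n6.com/@iamevltwin</author>
  <notes>Keeping track of various values on a per-day basis.</notes>
  <source>https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt</source>
  <info></info>
  <title>Aggregate Dictionary - Scalar</title>
  <version>8-14</version>
  <filename>ADDataStore.sqlitedb</filename>
  <sql>SELECT DATE(DAYSSINCE1970*86400, 'unixepoch') AS DAY, KEY AS "KEY", VALUE AS "VALUE" FROM SCALARS</sql>
</sqlite>"""

ID_PREFIX = "53514C69-7465"  # required GUID prefix so the loader can find the script
REQUIRED = ("id", "scriptversion", "author", "notes", "title", "sql")  # info/filename/source/version are optional

def parse_script(xml_text):
    """Parse one exploitation script and enforce the constraints the page states."""
    root = ET.fromstring(xml_text)
    if root.tag != "sqlite":
        raise ValueError("root element must be <sqlite>")
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = [name for name in REQUIRED if not fields.get(name)]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if not fields["id"].upper().startswith(ID_PREFIX):
        raise ValueError("id must begin with " + ID_PREFIX)
    fields["scriptversion"] = int(fields["scriptversion"])  # counter compared on upgrade
    return fields

def run_script(fields, conn):
    """Execute the script's query; return TSV text, or None when it yields no rows."""
    cur = conn.execute(fields["sql"])
    rows = cur.fetchall()
    if not rows:  # no result means no child file is produced
        return None
    header = "\t".join(col[0] for col in cur.description)
    lines = ["\t".join("" if v is None else str(v) for v in row) for row in rows]
    return "\n".join([header] + lines)

def sample_db():
    # Constructed stand-in for the SCALARS table; a real evidence file should be opened read-only (file:...?mode=ro URI)
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE SCALARS (DAYSSINCE1970 INTEGER, "KEY" TEXT, VALUE INTEGER)')
    conn.execute("INSERT INTO SCALARS VALUES (18262, 'com.example.counter', 3)")  # day 18262 = 2020-01-01
    return conn
```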