From SQL Injection in SQLite to shell

Question

I need to obtain a shell from an SQL injection over an application with sqlite database.

Currently my exploit looks like the following:

lucian@0x90:~/$ proxychains nc 10.185.10.55 1101
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9999-<><>-10.185.10.55:1101-<><>-OK
Input please:
1 UNION ALL SELECT 42,'qvzbq'||'LOHpyNMpQSCCIaWebmCZHjvwrZhYczWfJGiXVBzV'||'qzzxq',42;-- sdasdasd
1 UNION ALL SELECT 42,'qvzbq'||'LOHpyNMpQSCCIaWebmCZHjvwrZhYczWfJGiXVBzV'||'qzzxq',42;-- sdasdasd

Parsing results... 
Customer information: Damy Roali qvzbqLOHpyNMpQSCCIaWebmCZHjvwrZhYczWfJGiXVBzVqzzxq 42 


lucian@0x90:~/$

Following this link http://atta.cked.me/home/sqlite3injectioncheatsheet I discovered that I can either ATTACH DATABASE (by creating a .php file in the document root of a web folder) or load_extension (by loading a dll file from an smb path) in order to gain the shell.

Is this by default in SQLite or do I need to enable something or check something?

score 1 · Accepted Answer · answered Jun 08 '19 at 17:50

Is this by default in SQLite or do I need to enable something or check something?

This SQLite cheat sheet

https://github.com/unicornsasfuel/sqlite_sqli_cheat_sheet

says

File writing (php to web folder) "...requires either direct database access or (non-default) stacked query option enabled..."

Arbitrary Code Execution (load dll) "...Requires non-default configuration..." and more specifically the link you provided above says "...Unfortunately, this component of SQLite is disabled in the libraries by default ... "

Here is how you enable extension loading

https://www.sqlite.org/c3ref/enable_load_extension.html

sqlite3_enable_load_extension(dB, 1)

From SQL Injection in SQLite to shell

1 Answers1