Wednesday, 25 April 2012

SQLite Injection

There does seem to be a lack of information regarding SQLite injection. This is probably because SQLite is so limited compared to other SQL databases. However, it does seem that given Android (and iOS?) interest in using them, there is something to be said for writing up some basics and findings that I've had so far.

 I will try to write this from a more general SQLite injection angle rather than OS specific. First enumeration. Getting out the master database is fairly straight forward as long as your injection is early on. If you can get results posted to the screen the enumerating the database structure is easy:


The SQLITE_MASTER database holds descriptions of all the tables so is a quick win for enumeration. From there, more select statements will get you the rest.

If the injection point is not at the WHERE or SELECT clause then things may get a little more difficult. More particularly interesting when the injection is at the ORDER BY clause. This means that not only can you not add in the table to select from, but you also can't use a UNION statement to join it to a fresh select statement. I've yet to find a good way to solve this one so please, answers on a postcard.

This is just an introductory post. I want to cover effective manual blind SQLite injection but this will have to wait until next time.

The other area that I want to look into is the use of the "." commands. SQLite seems to have many extra functions, which I'm guessing can not be used through API calls. Perhaps the PHP exec() function might? It would certainly be good to know where, if anywhere, these values could be used, as it would allow inclusions of other files.

Finally I want to take a look at whether the values can be overwritten with long/specially formatted strings. The .db file could then be manipulated into becoming something else (okay so this one's a long shot, but worth taking a look at).

Stay tuned


trotmaster said...

A fantastic cheatsheet for sqlite:

Sadly you can't stack queries in Android and load_extension isn't supported, so the "tricks to get shell" section isn't applicable for mobile.

trotmaster said...

Part II here: