Re: [sqlite] SQLite as a Shell Script
Ah, I stand corrected. Thanks for pointing that out! Although if you try running a "db" script in an interactive shell: bash 4.1.2 says: bash: /tmp/db: cannot execute binary file zsh 4.3.10 says: zsh: /tmp/db: cannot execute binary file dash 0.5.5.1 says: /tmp/db: /tmp/db: cannot execute binary file tcsh 6.17.00 says: /tmp/db: /tmp/db: cannot execute binary file busybox ash 1.15.1 says: /tmp/db: /tmp/db: cannot execute binary file When explicitly pointed at the db (ie. "zsh /tmp/db"), bash was the only one to complain. So in general it seems there's a difference between the treatment of an executable-file-sans-shebang and script-named-on-command-line. -Rowan On 17 November 2016 at 22:31, Wout Mertens <wout.mert...@gmail.com> wrote: > actually, if a file is executable and missing a proper shebang, it is just > interpreted by the shell. But getting that executable flag is indeed not > trivial. > > On Wed, Nov 16, 2016 at 1:17 PM Rowan Worth <row...@dug.com> wrote: > > > Not true. You can go ahead and create a database called "ls", but: > > > > a) it will not be executable, and > > b) the file will start with "SQLite format 3" rather than the requisite > > "#!/bin/busybox ash" > > > > So the sysadmin would still have to manually execute the "script" with an > > appropriate shell. > > -Rowan > > > > On 16 November 2016 at 18:56, Wout Mertens <wout.mert...@gmail.com> > wrote: > > > > > well, if you have a sysadmin that has "." in their path, you could > write > > a > > > database called "ls" or common misspellings of commands, and that way > > > execute arbitrary code if the sysadmin visits the system. > > > > > > Wout. > > > > > > On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote: > > > > > > > Interesting but doesn't seem overly practical. If you're in a > postiion > > to > > > > run 'busybox ash /foo/bar' then you can easily create a shell script > > > > through simpler means. > > > > > > > > Filesystem access via ATTACH DATABASE is worth bringing attention to > > > > though, as I think a lot of developers wouldn't expect that. It can > be > > > > mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, > > 1) > > > if > > > > you don't need ATTACH functionality (maybe with a limit of zero? > > haven't > > > > tested it). > > > > > > > > Of course if you are paying proper attention to security you should > > > already > > > > be onto the SQL injection vectors that put ATTACH in user's hands > > anyway > > > :) > > > > > > > > -Rowan > > > > > > > > On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com > > > > > > wrote: > > > > > > > > > Hi All, > > > > > > > > > > Pretty interesting article: > > > > > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > > > > > > > > > This post documents how we were able to create a SQLite database > that > > > > > can be executed as an ash shell script purely from SQL queries. > > > > > > > > > > > > > > > Found here: > > > > > > > > > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_ > > > as_a_shell_script/ > > > > > > > > > > > > > > > > > > > > -- > > > > > --- > > > > > inum: 883510009027723 > > > > > sip: jungleboo...@sip2sip.info > > > > > ___ > > > > > sqlite-users mailing list > > > > > sqlite-users@mailinglists.sqlite.org > > > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/ > sqlite-users > > > > > > > > > ___ > > > > sqlite-users mailing list > > > > sqlite-users@mailinglists.sqlite.org > > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > > > ___ > > > sqlite-users mailing list > > > sqlite-users@mailinglists.sqlite.org > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > ___ > > sqlite-users mailing list > > sqlite-users@mailinglists.sqlite.org > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > ___ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite as a Shell Script
actually, if a file is executable and missing a proper shebang, it is just interpreted by the shell. But getting that executable flag is indeed not trivial. On Wed, Nov 16, 2016 at 1:17 PM Rowan Worth <row...@dug.com> wrote: > Not true. You can go ahead and create a database called "ls", but: > > a) it will not be executable, and > b) the file will start with "SQLite format 3" rather than the requisite > "#!/bin/busybox ash" > > So the sysadmin would still have to manually execute the "script" with an > appropriate shell. > -Rowan > > On 16 November 2016 at 18:56, Wout Mertens <wout.mert...@gmail.com> wrote: > > > well, if you have a sysadmin that has "." in their path, you could write > a > > database called "ls" or common misspellings of commands, and that way > > execute arbitrary code if the sysadmin visits the system. > > > > Wout. > > > > On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote: > > > > > Interesting but doesn't seem overly practical. If you're in a postiion > to > > > run 'busybox ash /foo/bar' then you can easily create a shell script > > > through simpler means. > > > > > > Filesystem access via ATTACH DATABASE is worth bringing attention to > > > though, as I think a lot of developers wouldn't expect that. It can be > > > mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, > 1) > > if > > > you don't need ATTACH functionality (maybe with a limit of zero? > haven't > > > tested it). > > > > > > Of course if you are paying proper attention to security you should > > already > > > be onto the SQL injection vectors that put ATTACH in user's hands > anyway > > :) > > > > > > -Rowan > > > > > > On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com> > > > wrote: > > > > > > > Hi All, > > > > > > > > Pretty interesting article: > > > > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > > > > > > > This post documents how we were able to create a SQLite database that > > > > can be executed as an ash shell script purely from SQL queries. > > > > > > > > > > > > Found here: > > > > > > > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_ > > as_a_shell_script/ > > > > > > > > > > > > > > > > -- > > > > --- > > > > inum: 883510009027723 > > > > sip: jungleboo...@sip2sip.info > > > > ___ > > > > sqlite-users mailing list > > > > sqlite-users@mailinglists.sqlite.org > > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > > > ___ > > > sqlite-users mailing list > > > sqlite-users@mailinglists.sqlite.org > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > ___ > > sqlite-users mailing list > > sqlite-users@mailinglists.sqlite.org > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > ___ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite as a Shell Script
Not true. You can go ahead and create a database called "ls", but: a) it will not be executable, and b) the file will start with "SQLite format 3" rather than the requisite "#!/bin/busybox ash" So the sysadmin would still have to manually execute the "script" with an appropriate shell. -Rowan On 16 November 2016 at 18:56, Wout Mertens <wout.mert...@gmail.com> wrote: > well, if you have a sysadmin that has "." in their path, you could write a > database called "ls" or common misspellings of commands, and that way > execute arbitrary code if the sysadmin visits the system. > > Wout. > > On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote: > > > Interesting but doesn't seem overly practical. If you're in a postiion to > > run 'busybox ash /foo/bar' then you can easily create a shell script > > through simpler means. > > > > Filesystem access via ATTACH DATABASE is worth bringing attention to > > though, as I think a lot of developers wouldn't expect that. It can be > > mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, 1) > if > > you don't need ATTACH functionality (maybe with a limit of zero? haven't > > tested it). > > > > Of course if you are paying proper attention to security you should > already > > be onto the SQL injection vectors that put ATTACH in user's hands anyway > :) > > > > -Rowan > > > > On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com> > > wrote: > > > > > Hi All, > > > > > > Pretty interesting article: > > > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > > > > > This post documents how we were able to create a SQLite database that > > > can be executed as an ash shell script purely from SQL queries. > > > > > > > > > Found here: > > > > > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_ > as_a_shell_script/ > > > > > > > > > > > > -- > > > --- > > > inum: 883510009027723 > > > sip: jungleboo...@sip2sip.info > > > ___ > > > sqlite-users mailing list > > > sqlite-users@mailinglists.sqlite.org > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > ___ > > sqlite-users mailing list > > sqlite-users@mailinglists.sqlite.org > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > ___ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite as a Shell Script
well, if you have a sysadmin that has "." in their path, you could write a database called "ls" or common misspellings of commands, and that way execute arbitrary code if the sysadmin visits the system. Wout. On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote: > Interesting but doesn't seem overly practical. If you're in a postiion to > run 'busybox ash /foo/bar' then you can easily create a shell script > through simpler means. > > Filesystem access via ATTACH DATABASE is worth bringing attention to > though, as I think a lot of developers wouldn't expect that. It can be > mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, 1) if > you don't need ATTACH functionality (maybe with a limit of zero? haven't > tested it). > > Of course if you are paying proper attention to security you should already > be onto the SQL injection vectors that put ATTACH in user's hands anyway :) > > -Rowan > > On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com> > wrote: > > > Hi All, > > > > Pretty interesting article: > > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > > > This post documents how we were able to create a SQLite database that > > can be executed as an ash shell script purely from SQL queries. > > > > > > Found here: > > > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_as_a_shell_script/ > > > > > > > > -- > > --- > > inum: 883510009027723 > > sip: jungleboo...@sip2sip.info > > ___ > > sqlite-users mailing list > > sqlite-users@mailinglists.sqlite.org > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > ___ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite as a Shell Script
Interesting but doesn't seem overly practical. If you're in a postiion to run 'busybox ash /foo/bar' then you can easily create a shell script through simpler means. Filesystem access via ATTACH DATABASE is worth bringing attention to though, as I think a lot of developers wouldn't expect that. It can be mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, 1) if you don't need ATTACH functionality (maybe with a limit of zero? haven't tested it). Of course if you are paying proper attention to security you should already be onto the SQL injection vectors that put ATTACH in user's hands anyway :) -Rowan On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com> wrote: > Hi All, > > Pretty interesting article: > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > This post documents how we were able to create a SQLite database that > can be executed as an ash shell script purely from SQL queries. > > > Found here: > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_as_a_shell_script/ > > > > -- > --- > inum: 883510009027723 > sip: jungleboo...@sip2sip.info > ___ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
[sqlite] SQLite as a Shell Script
Hi All, Pretty interesting article: https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ This post documents how we were able to create a SQLite database that can be executed as an ash shell script purely from SQL queries. Found here: https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_as_a_shell_script/ -- --- inum: 883510009027723 sip: jungleboo...@sip2sip.info ___ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
