Interesting but doesn't seem overly practical. If you're in a position to
run 'busybox ash /foo/bar' then you can easily create a shell script
through simpler means.

Filesystem access via ATTACH DATABASE is worth bringing attention to
though, as I think a lot of developers wouldn't expect that. It can be
mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, 1) if
you don't need ATTACH functionality (maybe with a limit of zero? haven't
tested it).

Of course if you are paying proper attention to security you should already
be onto the SQL injection vectors that put ATTACH in user's hands anyway :)

-Rowan

On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com> wrote:

> Hi All,
>
> Pretty interesting article:
> https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/
>
> This post documents how we were able to create a SQLite database that
> can be executed as an ash shell script purely from SQL queries.
>
>
> Found here:
> https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_as_a_shell_script/
>
>
>
> --
> -------
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>