Well, if you have a sysadmin that has "." in their path, you could write a database called "ls" or common misspellings of commands, and that way execute arbitrary code if the sysadmin visits the system.

Wout.

On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote:

> Interesting but doesn't seem overly practical. If you're in a position to
> run 'busybox ash /foo/bar' then you can easily create a shell script
> through simpler means.
>
> Filesystem access via ATTACH DATABASE is worth bringing attention to
> though, as I think a lot of developers wouldn't expect that. It can be
> mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, 1) if
> you don't need ATTACH functionality (maybe with a limit of zero? haven't
> tested it).
>
> Of course if you are paying proper attention to security you should already
> be onto the SQL injection vectors that put ATTACH in user's hands anyway :)
>
> -Rowan
>
> On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com>
> wrote:
>
> > Hi All,
> >
> > Pretty interesting article:
> > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/
> >
> > This post documents how we were able to create a SQLite database that
> > can be executed as an ash shell script purely from SQL queries.
> >
> > Found here:
> > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_as_a_shell_script/
> >
> > --
> > -------
> > inum: 883510009027723
> > sip: jungleboo...@sip2sip.info
> > _______________________________________________
> > sqlite-users mailing list
> > sqlite-users@mailinglists.sqlite.org
> > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
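
The ATTACH mitigation discussed in the thread, as an added example that is not part of any message above: it checks whether a connection can create a file through ATTACH by default, with SQLITE_LIMIT_ATTACHED set to zero, and with an authorizer callback that denies ATTACH. It uses Python's built-in sqlite3 module rather than the C API; the authorizer layer and the names `open_conn`, `attach_writes_file` and `run_demo` are additions of this example, and `setlimit` needs Python 3.11 or later.

```python
import os
import sqlite3
import tempfile


def deny_attach(action, arg1, arg2, db_name, source):
    # Authorizer callback: refuse ATTACH when the statement is compiled.
    if action == sqlite3.SQLITE_ATTACH:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_conn(mode):
    """mode is 'default', 'limit0' (attached-database limit of zero) or 'authorizer'."""
    conn = sqlite3.connect(":memory:")
    if mode == "limit0":
        # Python wrapper for sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, 0).
        conn.setlimit(sqlite3.SQLITE_LIMIT_ATTACHED, 0)
    elif mode == "authorizer":
        conn.set_authorizer(deny_attach)
    return conn


def attach_writes_file(conn, path):
    """Try ATTACH followed by a write; report whether a file appeared at path."""
    try:
        conn.execute("ATTACH DATABASE ? AS side", (path,))
        conn.execute("CREATE TABLE side.t(x)")  # first write creates the file
    except sqlite3.Error as exc:
        print("blocked:", exc)
    return os.path.exists(path)


def run_demo():
    modes = ["default", "authorizer"]
    if hasattr(sqlite3.Connection, "setlimit"):  # only on Python 3.11+
        modes.append("limit0")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # constructed scratch directory
        for mode in modes:
            conn = open_conn(mode)
            results[mode] = attach_writes_file(conn, os.path.join(tmp, mode + ".db"))
            conn.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```
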