actually, if a file is executable and missing a proper shebang, it is just interpreted by the shell. But getting that executable flag is indeed not trivial.
On Wed, Nov 16, 2016 at 1:17 PM Rowan Worth <row...@dug.com> wrote: > Not true. You can go ahead and create a database called "ls", but: > > a) it will not be executable, and > b) the file will start with "SQLite format 3" rather than the requisite > "#!/bin/busybox ash" > > So the sysadmin would still have to manually execute the "script" with an > appropriate shell. > -Rowan > > On 16 November 2016 at 18:56, Wout Mertens <wout.mert...@gmail.com> wrote: > > > well, if you have a sysadmin that has "." in their path, you could write > a > > database called "ls" or common misspellings of commands, and that way > > execute arbitrary code if the sysadmin visits the system. > > > > Wout. > > > > On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote: > > > > > Interesting but doesn't seem overly practical. If you're in a postiion > to > > > run 'busybox ash /foo/bar' then you can easily create a shell script > > > through simpler means. > > > > > > Filesystem access via ATTACH DATABASE is worth bringing attention to > > > though, as I think a lot of developers wouldn't expect that. It can be > > > mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, > 1) > > if > > > you don't need ATTACH functionality (maybe with a limit of zero? > haven't > > > tested it). > > > > > > Of course if you are paying proper attention to security you should > > already > > > be onto the SQL injection vectors that put ATTACH in user's hands > anyway > > :) > > > > > > -Rowan > > > > > > On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com> > > > wrote: > > > > > > > Hi All, > > > > > > > > Pretty interesting article: > > > > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > > > > > > > This post documents how we were able to create a SQLite database that > > > > can be executed as an ash shell script purely from SQL queries. > > > > > > > > > > > > Found here: > > > > > > > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_ > > as_a_shell_script/ > > > > > > > > > > > > > > > > -- > > > > ------- > > > > inum: 883510009027723 > > > > sip: jungleboo...@sip2sip.info > > > > _______________________________________________ > > > > sqlite-users mailing list > > > > sqlite-users@mailinglists.sqlite.org > > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > > > _______________________________________________ > > > sqlite-users mailing list > > > sqlite-users@mailinglists.sqlite.org > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > _______________________________________________ > > sqlite-users mailing list > > sqlite-users@mailinglists.sqlite.org > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > _______________________________________________ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users