Ah, I stand corrected. Thanks for pointing that out! Although if you try running a "db" script in an interactive shell:
bash 4.1.2 says: bash: /tmp/db: cannot execute binary file zsh 4.3.10 says: zsh: /tmp/db: cannot execute binary file dash 0.5.5.1 says: /tmp/db: /tmp/db: cannot execute binary file tcsh 6.17.00 says: /tmp/db: /tmp/db: cannot execute binary file busybox ash 1.15.1 says: /tmp/db: /tmp/db: cannot execute binary file When explicitly pointed at the db (ie. "zsh /tmp/db"), bash was the only one to complain. So in general it seems there's a difference between the treatment of an executable-file-sans-shebang and script-named-on-command-line. -Rowan On 17 November 2016 at 22:31, Wout Mertens <wout.mert...@gmail.com> wrote: > actually, if a file is executable and missing a proper shebang, it is just > interpreted by the shell. But getting that executable flag is indeed not > trivial. > > On Wed, Nov 16, 2016 at 1:17 PM Rowan Worth <row...@dug.com> wrote: > > > Not true. You can go ahead and create a database called "ls", but: > > > > a) it will not be executable, and > > b) the file will start with "SQLite format 3" rather than the requisite > > "#!/bin/busybox ash" > > > > So the sysadmin would still have to manually execute the "script" with an > > appropriate shell. > > -Rowan > > > > On 16 November 2016 at 18:56, Wout Mertens <wout.mert...@gmail.com> > wrote: > > > > > well, if you have a sysadmin that has "." in their path, you could > write > > a > > > database called "ls" or common misspellings of commands, and that way > > > execute arbitrary code if the sysadmin visits the system. > > > > > > Wout. > > > > > > On Wed, Nov 16, 2016 at 11:43 AM Rowan Worth <row...@dug.com> wrote: > > > > > > > Interesting but doesn't seem overly practical. If you're in a > postiion > > to > > > > run 'busybox ash /foo/bar' then you can easily create a shell script > > > > through simpler means. > > > > > > > > Filesystem access via ATTACH DATABASE is worth bringing attention to > > > > though, as I think a lot of developers wouldn't expect that. It can > be > > > > mitigated via something like sqlite3_limit(db, SQLITE_LIMIT_ATTACHED, > > 1) > > > if > > > > you don't need ATTACH functionality (maybe with a limit of zero? > > haven't > > > > tested it). > > > > > > > > Of course if you are paying proper attention to security you should > > > already > > > > be onto the SQL injection vectors that put ATTACH in user's hands > > anyway > > > :) > > > > > > > > -Rowan > > > > > > > > On 16 November 2016 at 07:10, jungle Boogie <jungleboog...@gmail.com > > > > > > wrote: > > > > > > > > > Hi All, > > > > > > > > > > Pretty interesting article: > > > > > https://www.invincealabs.com/blog/2016/11/sqlite-shell-script/ > > > > > > > > > > This post documents how we were able to create a SQLite database > that > > > > > can be executed as an ash shell script purely from SQL queries. > > > > > > > > > > > > > > > Found here: > > > > > > > > > https://www.reddit.com/r/netsec/comments/5cwb07/sqlite_ > > > as_a_shell_script/ > > > > > > > > > > > > > > > > > > > > -- > > > > > ------- > > > > > inum: 883510009027723 > > > > > sip: jungleboo...@sip2sip.info > > > > > _______________________________________________ > > > > > sqlite-users mailing list > > > > > sqlite-users@mailinglists.sqlite.org > > > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/ > sqlite-users > > > > > > > > > _______________________________________________ > > > > sqlite-users mailing list > > > > sqlite-users@mailinglists.sqlite.org > > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > > > _______________________________________________ > > > sqlite-users mailing list > > > sqlite-users@mailinglists.sqlite.org > > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > > > _______________________________________________ > > sqlite-users mailing list > > sqlite-users@mailinglists.sqlite.org > > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > > > _______________________________________________ > sqlite-users mailing list > sqlite-users@mailinglists.sqlite.org > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users > _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
