Tuesday, March 27, 2012

sqlitespy for Sqlite Database Analysis

By Gursev Kalra.

SQLite is the ubiquitous database for iPad, iPhone and Android applications. It is also used by certain internet browsers, web application frameworks, and software products for their local storage needs. During penetration tests, we often see sensitive information such as usernames, passwords, account numbers and SSNs stored insecurely in these databases. Thus, every penetration test requires comprehensive analysis of the local databases being used.

While analyzing databases, a penetration tester repeatedly does the following:

  1. Opens the database in a SQLite reader (sqlite3 or other readers)
  2. Views various tables and columns to understand database layout and schema
  3. Analyzes the storage for sensitive information

As the number and size of databases increase, the analysis time increases exponentially. To escape the recurring pain, I wrote a Ruby script to automate this process. The script achieves the following:

  1. Analyzes multiple databases in a single run
  2. Queries and displays the database schema
  3. Provides an option to search only table and column names for quick analysis
  4. Looks for search strings in the following:
    1. Table names
    2. Column names
    3. Actual data
  5. Performs a case-insensitive regular expression search by default. This can be changed with command line options to suit one's requirements
  6. Displays the database, table and row number reference for every successful match
  7. Dumps database rows on a successful match
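
A reduced sketch of the search pass described in the list above, added here as an illustration. It is not sqlitespy's code, and it uses Python's standard sqlite3 module instead of Ruby and Sequel so that it runs without extra dependencies. The function names, sample tables and search patterns are constructed for the example.

```python
import re
import sqlite3

def quote_ident(name):
    # Table names come from the database under analysis, so quote them.
    return '"' + name.replace('"', '""') + '"'

def scan_db(conn, label, patterns, ignore_case=True):
    """Return (label, table, where, kind, text) for every regex hit."""
    flags = re.IGNORECASE if ignore_case else 0
    regexes = [re.compile(p, flags) for p in patterns]
    hit = lambda text: any(r.search(text) for r in regexes)
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        if hit(table):
            findings.append((label, table, None, "table", table))
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for col in cols:
            if hit(col):
                findings.append((label, table, col, "column", col))
        rows = conn.execute(f"SELECT * FROM {quote_ident(table)}")
        for row_no, row in enumerate(rows, start=1):
            for col, value in zip(cols, row):
                if value is None:
                    continue
                text = value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value)
                if hit(text):
                    findings.append((label, table, f"row {row_no}/{col}", "data", text))
    return findings

def sample_db():
    # Constructed sample data standing in for an application's local store.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER, Password TEXT, note TEXT);
        INSERT INTO accounts VALUES (1, 'hunter2', 'SSN 000-00-0000');
        INSERT INTO accounts VALUES (2, NULL, 'nothing here');
        CREATE TABLE "app settings" (key TEXT, value BLOB);
        INSERT INTO "app settings" VALUES ('theme', x'6461726b');
        INSERT INTO "app settings" VALUES ('api_token', x'736563726574');
    """)
    return conn

if __name__ == "__main__":
    for f in scan_db(sample_db(), "sample.db", [r"passw", r"\d{3}-\d{2}-\d{4}", r"token|secret"]):
        print(f)
```

BLOB values are decoded before matching, so a secret stored as raw bytes is still reported, and NULL cells are skipped.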


Download Link - http://www.opensecurityresearch.com/files/sqlitespy.rb.bz2

sqlitespy dependencies are listed below:
  1. Ruby - http://www.ruby-lang.org/en/
  2. Sequel Gem - http://rubygems.org/gems/sequel
  3. sqlite3 - http://sqlite.org/download.html


sqlitespy help:

sqlite sample run with multiple search strings and row information dump for a successful match:

sqlite sample run with minimal information:

sqlite database schema dump:
