web php sqlite loadextension shared-object rce

Load a previously written .so through SQLite extension loading — a cleaner native code-loading boundary than hijacking sendmail.

SQLite3::loadExtension() as an RCE Pivot

SQLite extension loading is another native code-loading boundary. If enabled, it can be cleaner than hijacking sendmail — you already have a .so on disk and just need deterministic execution.

Why It Works

  • loadExtension() dlopens an attacker-controlled shared object, running its entry point in the PHP process.

Vulnerable Pattern

  • PHP SQLite3 extension enabled, an attacker-reachable code path, and a readable shared object already placed on disk.

Exploit Flow

  1. Confirm whether extension loading is allowed — many environments compile it in but disable runtime loading.
  2. If available, prefer it when you already have a .so path and need deterministic execution without relying on mail infrastructure.

Common Blockers

  • Disabled extension loading, incompatible shared-object exports, or Snuffleupagus restrictions.
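
A defensive check for the "disabled extension loading" condition above, as an added example that is not part of the original page. In PHP, SQLite3::loadExtension() only loads libraries located in the directory named by the sqlite3.extension_dir ini setting and refuses every load when that setting is empty. The function name audit_sqlite3_extension_loading and its result keys are hypothetical.

```php
<?php
// Added example: audit the running PHP configuration for SQLite3 extension loading.
// audit_sqlite3_extension_loading() and its 'enabled'/'findings' keys are hypothetical names.

function audit_sqlite3_extension_loading(?string $extensionDir): array
{
    $findings = [];
    if ($extensionDir === null || $extensionDir === '') {
        // Empty sqlite3.extension_dir: loadExtension() is refused for every library.
        return ['enabled' => false, 'findings' => $findings];
    }
    $real = realpath($extensionDir);
    if ($real === false || !is_dir($real)) {
        $findings[] = "sqlite3.extension_dir is '$extensionDir' but is not an existing directory";
        return ['enabled' => true, 'findings' => $findings];
    }
    // A directory the PHP user can write to lets any file-write bug become native code loading.
    if (is_writable($real)) {
        $findings[] = "$real is writable by the PHP process user";
    }
    foreach (scandir($real) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $real . DIRECTORY_SEPARATOR . $entry;
        // Every file here is loadable by name, so each one should be known and read-only.
        if (is_file($path)) {
            $findings[] = is_writable($path)
                ? "$path is loadable and writable by the PHP process user"
                : "$path is loadable (confirm it is expected)";
        }
    }
    return ['enabled' => true, 'findings' => $findings];
}

// ini_get() returns false when the sqlite3 extension is not loaded at all.
$raw = ini_get('sqlite3.extension_dir');
$result = audit_sqlite3_extension_loading(is_string($raw) ? $raw : null);

echo 'SQLite3 extension loading: ', $result['enabled'] ? 'ENABLED' : 'disabled', PHP_EOL;
foreach ($result['findings'] as $finding) {
    echo '  - ', $finding, PHP_EOL;
}
```

Run it under the same SAPI and pool as the application (through the web server rather than the CLI), since each can load different ini values.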

PoC Sketch

$db = new SQLite3('/tmp/test.db');
$db->loadExtension('/path/to/hook.so');

Good Situations To Use It

  • PHP SQLite3 is available and runtime extension loading isn't disabled.
  • You already have a readable .so on disk.
  • You want execution without depending on mail()/sendmail.

Sources

  • fcsc2026/web/secure_mood_notes_2