Sort out postgresql Injection

Source: Internet
Author: User
Tags psql

From accidentally climbing the blog

PostgreSQL is a powerful open-source relational database system. after more than 15 years of development, it has won an excellent reputation in terms of reliability, data integrity, and correctness. it runs on all major operating systems, including Linux, UNIX (AIX, BSD, HP-UX, sgi irix, Mac OS X, Solaris, Tru64) and Windows. it fully complies with ACID principles and fully supports foreign keys, joins, views, triggers, and stored procedures (in multiple languages ).

It contains most data types of SQL92 and SQL99, including INTEGER, NUMERIC, BOOLEAN, CHAR, VARCHAR, DATE, INTERVAL, and TIMESTAMP. it also supports storing binary giant objects, including images, sounds, and videos. it has local programming interfaces, C/C ++, Java ,. net, Perl, Python, Ruby, Tcl, and ODBC. postgreSQL is proud of its implementation standards.

It implements the ANSI-SQL 92/99 standard. it fully supports subqueries (including sub-selection of FROM clauses), read-committed (read-committed), and serialization transaction isolation level. although PostgreSQL has a fully-relational system catalog (catalog) that supports multiple schemas of each database, its catalog can also be defined by the standard SQL outline Information (Information schema) to access. data Integrity features include (composite) Primary keys, foreign keys for restriction and cascading update/deletion, CHECK constraints, UNIQUE constraints, and non-null constraints. it also has many extensions and advanced features. the column values are automatically added in order, and some result sets can be returned by LIMIT/OFFSET. postgreSQL supports conformity, uniqueness, locality, and function indexes. You can use B-tree, R-tree, hash, or any of the GiST storage methods.


1. windows: Download the windows Installation Package on the official website (, the latest version is 8.3, here you need to pay attention to, when installing PostgreSQL will add a postgres user in the System user, in addition, Postgresql password in windows comes with something similar to a security policy. Setting a password requires a restriction on complexity and length. after the installation, You need to configure the system environment variables .. /PostgreSQL/binning to system environment changes. In this case, you can directly execute psql(mysqlin mysql.exe under windows ).

2. * install on nix: you can download the corresponding installation package or install it online on the official website. The installation process does not show the step of setting the password. The default password is null, when using psql, you need to switch postgres user logon.

Basic syntax

Since the database certainly follows the SQL language, create, insert, update and so on are called PL/PgSQL, but it is not very clear that there are too many syntaxes for a database, let's just talk about the several syntaxes that are useful to Tom.

1. annotation, end mark, Connector

A. Since PostgreSQL follows the SQL language, it certainly supports -- Annotations;

B. PostgreSQL supports/* And/*/annotations, which is similar to Mysql;

C. When using psql for PostgreSQL databases, you need to add the; (semicolon) or g after the command to indicate that the statement has ended to execute the query.

D. PostgreSQL uses the | symbol to connect strings. Be careful when using ^. | escape.

2. Automatic match

PostgreSQL does not automatically match fields like Mysql, which is similar to oracle. Therefore, you must pay attention to the injection and support union queries by default;

3. Connect to PostgreSQL

By default, external connections are not allowed. If you want to remotely manage the PostgreSQL database, you need to modify it .. for the/PostgreSQL/data/pg_bha.conf file, see the PostgreSQL learning manual. postgreSQL uses ipvs by default (similar to mysql root), and the default port is 5432. The default system library is ipvs.

Use psql-h ip-d dataname-p port-U username. Note that the-U parameter is in upper case. If the local machine is installed by default, directly Using psql-U postgres will prompt you to enter the password. After you enter the password correctly, the postgres = # character (similar to mysql> in mysql) will appear, you can use psql normally.

? Instructions on displaying pgsql commands

H. Description of SQL commands displayed

Q: quit.

L all databases in the real system

4. pgAdmin III and phpPgAdmin

A. pgAdmin III is an interface-based database management program provided by PostgreSQL. It can query all fields, functions, sequences, data table structures, related attributes, trigger functions, and views in the PostgreSQL database.

B. phpPgAdmin has the same name as phpMyAdmin of mysql. It is a web-based database management program developed using php. It has powerful functions. Friends who have used phpMyAdmin know that phpMyAdmin is powerful, phpPgAdmin is equally powerful for PostgreSQL databases.

PostgreSQL Injection

Since PostgreSQL is an RDBMS, the structure of all databases in the system will be stored in the system database, so it is relatively convenient to inject. Since the annotation method is the same as that of mysql, how can we determine what database it is? I don't have a standard answer to this. I think I can scan port 5432 (how can the web and database be separated) and use the result returned by the version () function to judge, use the query statement such as select * from pg_class/select * from pg_group to determine the database type. because the directory page of PostgreSQL has information_schema, and I have no injection point for the PostgreSQL database, I do not know if I can use select schema_name from information_schema_schemata to judge it. Sorry, I only thought about using information_schema. If you have any conditions, verify it.

Describes the intrusion applications of PostgreSQL's built-in functions, tables, and views.

Current_database () Current Database Name

Session_user session user |

Current_user: username in the current execution environment | () is not required for calling these three functions ()

User is the same as session_user |

Inet_client_port () remote port

Cast (sourcetype AS targettype) defines type conversion

Current_setting () obtains the current value set by setting_name as a query.

Convert () encoding conversion

Pg_stat_user_tables stores views of all system table names. The keyword field is relname. select relname from pg_stat_user_tables limit offset and 1 is used to read table names one by one.

The pg_stat_all_tables and pg_stat_all_tables views have the same functions.

Pg_shadow: Do you think of/etc/shadow when you see shadow? This table contains information about database users, including the keyword username, passwd, and usesuper ), however, this table is configured with permissions.

The structure of the table pg_user is the same as that of pg_shadow, but the table is globally readable. The passwd field may be cleared or encrypted.

Pg_group defines the group and the information of which users belong to the group, and the key field groname

Information_schema.columns all fields are saved in the directory object. The key field is column_name. Use select column_name from information_columns where table_name = tablename limit offset. 1 to read the fields of each table name.


Traverse all tables in the current PostgreSQL database

SELECT tablename FROM pg_tables
WHERE tablename not like pg %
AND tablename not like SQL _ %
Order by tablename;

Query all tables in the PostgreSQL database, including system tables.

Select relname as table_name from pg_class where relkind = r;

This is similar to the master in mssql.
Then you can use SELECT datname FROM pg_database to view all the databases.
Then you write the database name to SELECT table_schema, table_name FROM information_schema.tables
This query table

Read files

First, create a table, copy the file content to the table, and read the table content.
Create table read (line text );
Copy read from/etc/passwd; alter table read add id serial --
Select * from read;
Drop table read;
This is the way of thinking. You can use it yourself (encode, ^ _ ^)

PostgreSQL 8.2 and later have added pg_file_read (text, text, bool) and pg_file_write (text, text, bool). You should know what the name is, let's explore it on your own!
<? Php

If (empty ($ _ GET [action])

<Form action = "? Action = connect "method = POST>
<Tr> <td> pghost: </td> <input type = "text" name = "pghost" size = "30" value = ""> </td> </tr>
<Tr> <td> pgport: </td> <input type = "text" name = "pgport" size = "30" value = "5432"> </td> </tr>
<Tr> <td> dbname: </td> <input type = "text" name = "pgdbname" size = "30" value = "s"> </td> </tr>
<Tr> <td> username: </td> <input type = "text" name = "pgusername" size = "30" value = "s"> </td> </tr>
<Tr> <td> password: </td> <input type = "text" name = "pgpassword" size = "30" value = ""> </td> </tr>
<Tr> <td> </td> <input type = "submit" name = "submit" value = "connect"> <input type = "reset" name = "reset" value = "reset"> </td> </tr>
<? Php

If (! Empty ($ _ GET [action]) // connect to postgresql
If (! Empty ($ _ POST [pghost])
$ _ SESSION [pghost] =_ _ POST [pghost];
If (! Empty ($ _ POST [pgport])
$ _ SESSION [pgport] =_ _ POST [pgport];
If (! Empty ($ _ POST [pgdbname])
$ _ SESSION [pgdbname] =_ _ POST [pgdbname];
If (! Empty ($ _ POST [pgusername])
$ _ SESSION [pgusername] =_ _ POST [pgusername];
If (! Empty ($ _ POST [pgpassword])
$ _ SESSION [pgpassword] =_ _ POST [pgpassword];
$ Dbconn_string = "host = {$ _ SESSION [pghost]} port = {$ _ SESSION [pgport]} dbname = {$ _ SESSION [pgdbname]} user = {$ _ SESSION [pgusername]} password = {$ _ SESSION [pgpassword]} ";
$ Dbconn = pg_connect ($ dbconn_strin

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.