Pranaam to all 🙏
In the previous blog post we explored a new payload to exploit error-based SQL injection in an Oracle database. Now let's move on to PostgreSQL, which is what I was originally working on.
Before proceeding, just one meme 😅
Lab setup:
👉 PHP
👉 PostgreSQL Database
👉 Apache web server
Sample vulnerable PHP code and a database dump are available on my GitHub account:
https://github.com/incredibleindishell/SQLI_b0x/tree/main/PostgreSQL
In my case, I have a vulnerable API with the following scenarios:
Select statement:
👉 Where clause
👉 Like clause
👉 Order by clause
Functions which are our friends 😍
During the experimentation phase, I found multiple database functions which can be used to exploit error-based SQL injection in a PostgreSQL database.
Here goes the list:
- box
- currval
- setval
- nextval
- polygon
- circle
- path
- point
- lseg
- pg_has_role
- pg_get_viewdef
- has_database_privilege
- has_any_column_privilege
etc.
box()
The box() function is my favorite 😎 so I am going to pick this one.
Select Statement - Where Clause
Let's start with the case of a Where clause, where user-supplied data is passed as a value in the Where clause of a Select statement. For example, below is the vulnerable SQL query:
To exploit this injection point we can use the payload below, which forces the database to reveal the query output in its error message:
👉 Payload to extract the current SQL server username:
👉 Payload to extract the name of current database:
👉 Payload to extract the name of the first table in the current database:
Select Statement - Like Clause:
Let's continue with the case of a Like clause, where user-supplied data is passed to the Like clause of a Select statement. For example, below is the vulnerable SQL query:
How to exploit it? There we go..
👉 Payload to extract the current SQL server username:
Select Statement - Order By Clause:
Let's suppose we have the vulnerable SQL query below:
Other Functions usage
Similarly, we can use the PostgreSQL functions below to exploit error-based SQL injection. All we need to do is replace box() with any of the functions mentioned below and change the SQL query/variable used inside them (current_database()) to the one we want:
Different functions to extract the current database:
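The three injection points above (Where, Like and Order By) share one root cause: user input is spliced into the SQL text, and the database error message is echoed back to the client. The PHP below is an added example written for this post, not code from the original post or from the SQLI_b0x repository, showing that pattern next to a hardened version. The table and column names (products, id, name, price) and the connection string are assumptions.

```php
<?php
// Added example (not from the original post or SQLI_b0x): the three
// injection points from the post, vulnerable and hardened.
// Connection string and table/column names are assumptions.
$conn = pg_connect('host=127.0.0.1 dbname=sqli_lab user=app password=secret')
    or exit('database unavailable');

// --- Vulnerable: input becomes part of the SQL text ---------------------
// Any of the functions listed in the post can be called from inside these
// strings, and pg_last_error() hands the error text (and thus the query
// output) straight to the client. This is the error-based channel.
function vulnerable_lookup($conn, string $id, string $name, string $sort): array
{
    $sql = "SELECT id, name FROM products"
         . " WHERE id = '" . $id . "'"
         . " AND name LIKE '%" . $name . "%'"
         . " ORDER BY " . $sort;
    $res = @pg_query($conn, $sql);
    if ($res === false) {
        exit('Query failed: ' . pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// --- Hardened -------------------------------------------------------------
// Escape LIKE metacharacters so the user's text is matched literally.
// Backslash is PostgreSQL's default LIKE escape character.
function like_literal(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

// ORDER BY cannot take a bind parameter, so the column comes from an allowlist
// and is then quoted as an identifier.
const SORT_ALLOWLIST = ['id', 'name', 'price'];

function sort_column($conn, string $sort): string
{
    if (!in_array($sort, SORT_ALLOWLIST, true)) {
        $sort = 'id';
    }
    return pg_escape_identifier($conn, $sort);
}

function hardened_lookup($conn, string $id, string $name, string $sort): array
{
    // WHERE and LIKE values travel as bind parameters ($1, $2), never as SQL
    // text, so a quote or a function call inside them is just string data.
    $sql = 'SELECT id, name FROM products'
         . ' WHERE id = $1'
         . ' AND name LIKE $2'
         . ' ORDER BY ' . sort_column($conn, $sort);
    $params = [$id, '%' . like_literal($name) . '%'];
    $res = @pg_query_params($conn, $sql, $params);
    if ($res === false) {
        // Even a harmless type error ("invalid input syntax for type integer")
        // stays in the server log; the client only sees a generic message.
        error_log('products lookup failed: ' . pg_last_error($conn));
        http_response_code(500);
        exit('Internal error');
    }
    return pg_fetch_all($res) ?: [];
}

// Usage with request parameters (assumed names id, q, sort):
$rows = hardened_lookup(
    $conn,
    $_GET['id'] ?? '',
    $_GET['q'] ?? '',
    $_GET['sort'] ?? 'id'
);
header('Content-Type: application/json');
echo json_encode($rows);
```

Two things worth noting about the hardened version. First, parameter binding alone does not cover ORDER BY, which is why the third injection point in the post needs an allowlist rather than a placeholder. Second, removing the verbose error from the HTTP response closes the channel this whole technique depends on, so alongside the query fix, make sure display_errors is off in production and that database errors are logged rather than printed.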
For now we are done, and I will be back with some new stuff. Thanks for your time.
With Love from