2023-12-26

New payloads to exploit Error-based SQL injection - PostgreSQL database

 Pranaam to all 🙏

In the previous blog post we explored a new payload to exploit error-based SQL injection in an Oracle database. Now let's move on to the PostgreSQL side, since PostgreSQL is what I was initially working on anyway.

Before proceeding, just one meme 😅 


Lab setup:

    👉 PHP  

    👉 PostgreSQL Database

    👉 Apache web server

The sample vulnerable PHP code and the database dump are available on my GitHub account:

https://github.com/incredibleindishell/SQLI_b0x/tree/main/PostgreSQL

In my case, I have a vulnerable API with the following scenarios:

Select statement:

    👉 Where clause

    👉 Like clause

    👉 Order by clause


Functions which are our friend 😍

During the experimentation phase, I found multiple database functions which can be used to exploit error-based SQL injection in a PostgreSQL database. Each of them raises a database error that includes the offending input value, which is what lets the query output be read back from the error message.

Here goes the list:

  1. box
  2. currval
  3. setval
  4. nextval
  5. polygon
  6. circle
  7. path
  8. point
  9. lseg
  10. pg_has_role
  11. pg_get_viewdef
  12. has_database_privilege
  13. has_any_column_privilege

etc.

box()

The box keyword is my favorite 😎 so I am gonna pick this one.

Select Statement - Where Clause 

Let's start with the case of a WHERE clause, where user-supplied data is passed as a value in the WHERE clause of a SELECT statement. For example, below is the vulnerable SQL query:


To exploit this injection point we can use the payloads below, which execute a SQL query of our choice and force the database to reveal its output in the database error message:

👉 Payload to extract the current SQL server username:


👉 Payload to extract the name of current database:


👉 Payload to extract the name of first table in current database:



Select Statement - Like Clause 

Next is the case of a LIKE clause, where user-supplied data is passed as the pattern of a LIKE clause in a SELECT statement. For example, below is the vulnerable SQL query:


How to exploit it? Here we go:

👉 Payload to extract the current SQL server username:





👉 Payload to extract the name of first table in current database:





Select Statement - Order By Clause 

Let's suppose, we have below mentioned vulnerable SQL query:



👉 Payload to extract the current SQL server username:



👉 Payload to extract the name of first table in current database:



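As an added example that is not part of the original post or its SQLI_b0x lab code, here is how the three injection points above (WHERE, LIKE and ORDER BY) look once the PHP side is hardened: values are bound as parameters, the LIKE pattern is escaped, the ORDER BY identifiers come from an allow-list, and database errors are logged instead of being returned to the client, which closes the error channel the whole technique depends on. The table and column names, DSN and credentials are assumptions, not taken from the lab repository.

```php
<?php
// Added example, not code from the blog or its SQLI_b0x lab repository.
// Assumed schema (hypothetical): table "users" with columns id, name, email.
// DSN and credentials below are placeholders for the lab database.
$pdo = new PDO('pgsql:host=127.0.0.1;dbname=sqli_lab', 'lab_user', 'lab_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// WHERE clause: the value is bound, never concatenated into the SQL text.
function findUserById(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE clause: bind the pattern and escape the LIKE metacharacters (% and _)
// so the caller can neither break out of the string nor widen the match.
function searchUsersByName(PDO $pdo, string $fragment): array
{
    $escaped = addcslashes($fragment, '\\%_');
    $stmt = $pdo->prepare(
        "SELECT id, name, email FROM users WHERE name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ORDER BY clause: identifiers cannot be bound as parameters, so map the
// request onto an allow-list and reject anything that is not on it.
function listUsersOrdered(PDO $pdo, string $column, string $direction): array
{
    $columns = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dir = strtolower($direction);
    if (!isset($columns[$column]) || !isset($directions[$dir])) {
        throw new InvalidArgumentException('unsupported sort parameter');
    }
    $sql = "SELECT id, name, email FROM users ORDER BY {$columns[$column]} {$directions[$dir]}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Error-based injection needs the database error text to reach the client.
// Log the PDOException server-side and return a generic message instead.
try {
    echo json_encode(findUserById($pdo, $_GET['id'] ?? ''));
} catch (PDOException | InvalidArgumentException $e) {
    error_log($e->getMessage());
    http_response_code(400);
    echo json_encode(['error' => 'invalid request']);
}
```

With the error text kept server-side, the box() payloads from this post still raise the same PostgreSQL error, but the only thing the client sees is the generic message, so nothing can be read back through it.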

Other Functions usage

Similarly, we can use the PostgreSQL functions listed below to exploit error-based SQL injection. All we need to do is replace box() with any of these functions and swap the SQL query/variable used in the examples (current_database()) for the one whose value we want:

Different functions to extract the current database:

For now, we are done, and I will be back with some new stuff.
Thanks for your time.

With Love from 
❤️ --==[ IndiShell-Lab ]]==-- ❤️
© 2009 Start With Linux | Mannu Linux