MACCHIATO

WEB

WEB安全

漏洞复现

CTF

常用工具

实战

代码审计

Javaweb

后渗透

内网渗透

免杀

进程注入

权限提升

漏洞复现

靶机

vulnstack

vulnhub

Root-Me

编程语言

java

逆向

PE

逆向学习

HEVD

PWN

CTF

heap

其它

关于博客

面试

杂谈

PostgreSQL注入入门

比较少见的数据库,学习一下常规的注入方法

0x01 环境搭建

1
2
3
phpstudy+docker
docker pull postgres:9.6.20
docker run  -e POSTGRES_PASSWORD=123456 -p 5432:5432 -d postgres:9.6.20

phpstudy开启php_pgsql拓展

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
DROP TABLE IF EXISTS "public"."flag";
CREATE TABLE "public"."flag" (
  "flag" varchar(255) COLLATE "pg_catalog"."default"
)
;


INSERT INTO "public"."flag" VALUES ('flag{123}');


DROP TABLE IF EXISTS "public"."users";
CREATE TABLE "public"."users" (
  "id" int4 NOT NULL,
  "username" varchar(255) COLLATE "pg_catalog"."default",
  "password" varchar(255) COLLATE "pg_catalog"."default"
)
;


INSERT INTO "public"."users" VALUES (1, 'admin', 'admin');
INSERT INTO "public"."users" VALUES (2, 'test', 'test');
INSERT INTO "public"."users" VALUES (3, 'sysadmin', '123456');
INSERT INTO "public"."users" VALUES (4, 'root', 'root');
INSERT INTO "public"."users" VALUES (5, 'administrator', 'administrator');


ALTER TABLE "public"."users" ADD CONSTRAINT "users_pkey" PRIMARY KEY ("id");

导入sql脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php
   $host        = "host=192.168.163.130";
   $port        = "port=5432";
   $dbname      = "dbname=test";
   $credentials = "user=postgres password=123456";

   $db = pg_connect( "$host $port $dbname $credentials"  );

   $sql ="select * from users where id = ".$_GET['id'];

   $ret = pg_query($db, $sql);
   if(!$ret){
      echo pg_last_error($db);
      exit;
   } 
   while($row = pg_fetch_row($ret)){
      echo "username = ". $row[1] ."</br>";
      echo "password = ". $row[2] ."</br>";
   }
   pg_close($db);
?>

写一个pgsql.php

就可以开始了

0x02 常规信息

1
2
3
4
5
select version();			#查看数据库当前版本
select current_user;		#查看当前用户
select current_database();	#查看当前数据库
pg_tables					#存放数据库名和表名的模式
SELECT attname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='users' AND nspname='public';			#查询字段名语句

PostgreSQL也有information_schema,如果查字段不方便也可以用这个模式查(PostgreSQL里面好像已经不是库了,称为模式也不是很确定,如果各位师傅看到有错误还麻烦指正),里面的查库查表和查字段的表名和mysql一致

PostgreSQL只能查当前库的数据,查不到别的库

别的好像没有特别重要的,用到了再写

0X03 联合查询

...
Macchiato
2021-03-13
Expand all Back to top Go to bottom