WEB

WEB安全

漏洞复现

CTF

常用工具

实战

代码审计

后渗透

内网渗透

免杀

进程注入

权限提升

漏洞复现

靶机

vulnstack

vulnhub

Root-Me

编程语言

java

逆向

PE

逆向学习

HEVD

其它

关于博客

面试

杂谈

PostgreSQL注入入门

比较少见的数据库,学习一下常规的注入方法

0x01 环境搭建

1
2
3
phpstudy+docker
docker pull postgres:9.6.20
docker run -e POSTGRES_PASSWORD=123456 -p 5432:5432 -d postgres:9.6.20

phpstudy开启php_pgsql拓展

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
DROP TABLE IF EXISTS "public"."flag";
CREATE TABLE "public"."flag" (
"flag" varchar(255) COLLATE "pg_catalog"."default"
)
;


INSERT INTO "public"."flag" VALUES ('flag{123}');


DROP TABLE IF EXISTS "public"."users";
CREATE TABLE "public"."users" (
"id" int4 NOT NULL,
"username" varchar(255) COLLATE "pg_catalog"."default",
"password" varchar(255) COLLATE "pg_catalog"."default"
)
;


INSERT INTO "public"."users" VALUES (1, 'admin', 'admin');
INSERT INTO "public"."users" VALUES (2, 'test', 'test');
INSERT INTO "public"."users" VALUES (3, 'sysadmin', '123456');
INSERT INTO "public"."users" VALUES (4, 'root', 'root');
INSERT INTO "public"."users" VALUES (5, 'administrator', 'administrator');


ALTER TABLE "public"."users" ADD CONSTRAINT "users_pkey" PRIMARY KEY ("id");

导入sql脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php
$host = "host=192.168.163.130";
$port = "port=5432";
$dbname = "dbname=test";
$credentials = "user=postgres password=123456";

$db = pg_connect( "$host $port $dbname $credentials" );

$sql ="select * from users where id = ".$_GET['id'];

$ret = pg_query($db, $sql);
if(!$ret){
echo pg_last_error($db);
exit;
}
while($row = pg_fetch_row($ret)){
echo "username = ". $row[1] ."</br>";
echo "password = ". $row[2] ."</br>";
}
pg_close($db);
?>

写一个pgsql.php

就可以开始了

0x02 常规信息

1
2
3
4
5
select version();			#查看数据库当前版本
select current_user; #查看当前用户
select current_database(); #查看当前数据库
pg_tables #存放数据库名和表名的模式
SELECT attname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='users' AND nspname='public'; #查询字段名语句

PostgreSQL也有information_schema,如果查字段不方便也可以用这个模式查(PostgreSQL里面好像已经不是库了,称为模式也不是很确定,如果各位师傅看到有错误还麻烦指正),里面的查库查表和查字段的表名和mysql一致

PostgreSQL只能查当前库的数据,查不到别的库

别的好像没有特别重要的,用到了再写

0X03 联合查询