Ethical Hacker Community Forums
Author Topic: Postgree SQL Injection help...  (Read 1923 times)
zgrp (Newbie, Posts: 6)
« on: August 05, 2006, 07:29:53 PM »

Hi there,

I'm pen-testing a host that is well patched; the only vector I found is a SQL injection in a search form, and based on the response I detected it's PostgreSQL. The argument I passed is used as the second argument to a function called to_tsquery().

Looking on Google I discovered it's a kind of to_tsvector() but doesn't accept spaces; instead it uses logic operators like AND, OR, etc.

If I simply insert the string "'--" in the form I get the following:

Quote
InternalError

ADODB_Exception: postgres7 error: [-1: ERROR:  syntax error at or near "WHERE" at character 123] in EXECUTE("SELECT
               COUNT ( * ) as total
               FROM
                  public.indice_pesquisa,
                  to_tsquery('simple', ''--') AS q
               WHERE
                  vetor_descricao @@ q
                  OR vetor_titulo @@ q")

#0 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(874): adodb_throw('postgres7', 'EXECUTE', -1, 'ERROR:  syntax ...', 'SELECT?Huh???CO...', false, Object(ADODB_postgres7))
#1 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(848): ADOConnection->_Execute('SELECT?Huh???CO...', false)
#2 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(1256): ADOConnection->Execute('SELECT?Huh???CO...', false)
#3 [internal function]: ADOConnection->GetOne('SELECT?Huh???CO...')
#4 C:\sites\victim.com.br\prado\Data\TAdodb.php(114): call_user_func_array(Array, Array)
#5 [internal function]: TAdodb->__call('getOne', Array)
#6 C:\sites\victim.com.br\wwwroot\global\SearchGeral.php(74): TAdodb->getOne('SELECT?Huh???CO...')
#7 C:\sites\victim.com.br\wwwroot\publico\SearchPage.php(16): SearchGeral->pesquisar(''--', 0, 10)
#8 C:\sites\victim.com.br\wwwroot\publico\SearchPage.php(38): SearchPage->Searchr()
#9 C:\sites\victim.com.br\prado\Web\UI\TControl.php(416): SearchPage->onPreRender(Object(TEventParameter))
#10 C:\sites\victim.com.br\prado\Web\UI\TPage.php(1076): TControl->onPreRenderRecursive(Object(TEventParameter))
#11 C:\sites\victim.com.br\prado\Web\UI\TPage.php(947): TPage->onPreRenderRecursive(Object(TEventParameter))
#12 C:\sites\victim.com.br\prado\TApplication.php(481): TPage->execute()
#13 C:\sites\victim.com.br\wwwroot\index.php(10): TApplication->run()
#14 {main}

Well, I had never played with PostgreSQL before, but it shows a bunch of information like the path where the website is, the version of PostgreSQL, and also the query, which is very interesting.

As we can see the query is:

Quote
SELECT COUNT ( * ) as total FROM public.indice_pesquisa, to_tsquery('simple', ''--') AS q WHERE vetor_descricao @@ q OR vetor_titulo @@ q")

Well, I tried some combinations that I thought would exploit it, but without success.... I don't even understand PostgreSQL very well, so I'm studying it. Can someone give me some example queries to test to retrieve some "interesting information"?

I know it can appear a little lame, but I really tried some queries using UNION, for example, and couldn't extract values from the database.

Any help is appreciated.

Thank you,

Cheers
« Last Edit: August 05, 2006, 07:31:31 PM by zgrp »
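The trace above shows the search term spliced straight into the SQL text (the literal ''--' sits inside the EXECUTE string), which is why '-- comments out the rest of that line and the parser fails at WHERE. As an added example, not code from this thread or from the site being tested, here is a hypothetical pesquisar() written the interpolating way beside a version that hands the term to ADOdb as a bound parameter; the table, column and class names come from the trace, everything else is assumed.

```php
<?php
// Added example, not the site's own code. Assumes $db is an ADOdb connection
// to PostgreSQL with adodb-exceptions loaded (the trace shows ADODB_Exception),
// and the table/column names seen in the trace; the functions are hypothetical.

// Vulnerable pattern: the search term becomes part of the SQL text. A term of
// '-- closes the literal and turns the rest of the line into a comment, which
// is the "syntax error at or near WHERE" in the trace; any other term can
// reshape the statement in the same way.
function pesquisar_vulneravel($db, $termo)
{
    $sql = "SELECT COUNT(*) AS total
            FROM public.indice_pesquisa,
                 to_tsquery('simple', '" . $termo . "') AS q
            WHERE vetor_descricao @@ q OR vetor_titulo @@ q";
    return $db->GetOne($sql);
}

// Hardened pattern: the SQL text is constant and the term travels as a bound
// parameter (ADOdb's portable ? placeholder), so PostgreSQL only ever sees it
// as the string argument of to_tsquery(), never as part of the statement.
function pesquisar_seguro($db, $termo)
{
    $sql = "SELECT COUNT(*) AS total
            FROM public.indice_pesquisa,
                 to_tsquery('simple', ?) AS q
            WHERE vetor_descricao @@ q OR vetor_titulo @@ q";
    try {
        $total = $db->GetOne($sql, array($termo));
    } catch (ADODB_Exception $e) {
        // to_tsquery() still parses its own operator syntax (&, |, !), so an
        // odd term can raise a tsquery error. Log it server-side and return a
        // generic failure instead of the debug page that leaked filesystem
        // paths, the driver version and the full statement.
        error_log('search failed: ' . $e->getMessage());
        return null;
    }
    return (int) $total;
}
```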
pcsneaker (Jr. Member, Posts: 73)
« Reply #1 on: August 07, 2006, 11:25:22 AM »

to_tsquery is a function provided by tsearch2 which is a module for postgres.

Quote
The tsearch2 module provides a to_tsquery() function for creating queries that uses the same process as to_tsvector() uses to reduce words to lexemes. For instance, it will remove the -s from the plurals:

=# SELECT to_tsquery('(leads|forks) & !crawl')
           to_tsquery           
--------------------------------
 ( 'lead' | 'fork' ) & !'crawl'
(1 row)

So what you are doing is basically providing an expression ('--) to a lexical function. Even if they are not filtering the single quote (which would be a good idea), I don't see a way to use that for SQL injection because that function doesn't do any SQL; as you can see in the quote above, it's just intended to transform (in that case remove a letter) your input.

BTW the query in question just counts some occurrences of the text you input without taking into account whether it's singular or plural...

MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
zgrp (Newbie, Posts: 6)
« Reply #2 on: August 07, 2006, 12:48:00 PM »

Hi pcsneaker,

It's really bad news...

Isn't there a way to use this injection to "enclose" the to_tsquery() in a form where I can pass a dummy value to it and UNION with another query, or make a kind of subselect? Or is it impossible because, as the text says, it calls "a separate process" to do this task?

Well, any help is appreciated since things are getting dark... heheh

Thank you,

Cheers
pcsneaker (Jr. Member, Posts: 73)
« Reply #3 on: August 07, 2006, 01:06:19 PM »

SQL injection means that you "inject" something into a SQL query.

The function in question doesn't do any sql query, so you can't inject anything.

The only possible approach - if any - would be to test that function for a possible buffer overflow. For that you need to go through the source code of tsearch2 and possibly Postgres - but I don't think that this is promising...

MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
zgrp (Newbie, Posts: 6)
« Reply #4 on: August 11, 2006, 06:45:26 AM »

yo pcsneaker,

Now I understand, this is too bad.

Thank you for the information, keep up the good work.

cheers