Hi there,
I'm pen-testing a host that is well patched; the only vector I found is a SQL injection in a search form, and based on the response I detected it's Postgres. The argument I pass is used as the second argument to a function called to_tsquery().
Looking on Google I discovered it's a kind of to_tsvector() but doesn't accept spaces; instead it uses some logic like AND, OR, etc.
If I simply insert the string "'--" in the form, I get the following:
InternalError
ADODB_Exception: postgres7 error: [-1: ERROR: syntax error at or near "WHERE" at character 123] in EXECUTE("SELECT
COUNT ( * ) as total
FROM
public.indice_pesquisa,
to_tsquery('simple', ''--') AS q
WHERE
vetor_descricao @@ q
OR vetor_titulo @@ q")
#0 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(874): adodb_throw('postgres7', 'EXECUTE', -1, 'ERROR: syntax ...', 'SELECT?

???CO...', false, Object(ADODB_postgres7))
#1 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(848): ADOConnection->_Execute('SELECT?

???CO...', false)
#2 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(1256): ADOConnection->Execute('SELECT?

???CO...', false)
#3 [internal function]: ADOConnection->GetOne('SELECT?

???CO...')
#4 C:\sites\victim.com.br\prado\Data\TAdodb.php(114): call_user_func_array(Array, Array)
#5 [internal function]: TAdodb->__call('getOne', Array)
#6 C:\sites\victim.com.br\wwwroot\global\SearchGeral.php(74): TAdodb->getOne('SELECT?

???CO...')
#7 C:\sites\victim.com.br\wwwroot\publico\SearchPage.php(16): SearchGeral->pesquisar(''--', 0, 10)
#8 C:\sites\victim.com.br\wwwroot\publico\SearchPage.php(38): SearchPage->Searchr()
#9 C:\sites\victim.com.br\prado\Web\UI\TControl.php(416): SearchPage->onPreRender(Object(TEventParameter))
#10 C:\sites\victim.com.br\prado\Web\UI\TPage.php(1076): TControl->onPreRenderRecursive(Object(TEventParameter))
#11 C:\sites\victim.com.br\prado\Web\UI\TPage.php(947): TPage->onPreRenderRecursive(Object(TEventParameter))
#12 C:\sites\victim.com.br\prado\TApplication.php(481): TPage->execute()
#13 C:\sites\victim.com.br\wwwroot\index.php(10): TApplication->run()
#14 {main}
Well, I had never played with Postgres before, but it shows a bunch of information like the path where the website is, the version of Postgres and also the query, which is very interesting.
As we can see the query is:
SELECT COUNT ( * ) as total FROM public.indice_pesquisa, to_tsquery('simple', ''--') AS q WHERE vetor_descricao @@ q OR vetor_titulo @@ q")
Well, I tried some combinations that I thought would exploit it, but without success... I don't even understand Postgres SQL very well, so I'm studying it. Can someone give me some example queries to test to retrieve some "interesting information"?
I know it may look a little lame, but I really tried some queries using UNION, for example, and can't extract values from the database.

Any help is appreciated.
Thank you,
Cheers
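For the defensive side of what the stack trace above shows, here is an added example (not code from the original post or from the application it describes) that puts the vulnerable pattern beside a parameterised version. The table and column names are taken from the query in the trace; the use of PDO, the `$pdo` connection object, the DSN placeholders and the `$term` argument are assumptions for illustration, since the real application goes through ADOdb.

```php
<?php
// VULNERABLE: the search term is spliced into the SQL text. A quote in $term
// (as with the '-- input from the post) terminates the string literal passed to
// to_tsquery(), and whatever follows is parsed as SQL, which is why the database
// reports "syntax error at or near WHERE" instead of running a search.
function buildSearchSqlVulnerable(string $term): string
{
    return "SELECT COUNT(*) AS total
            FROM public.indice_pesquisa, to_tsquery('simple', '$term') AS q
            WHERE vetor_descricao @@ q OR vetor_titulo @@ q";
}

// HARDENED: the term travels as a bound parameter and is never part of the SQL
// text, so quotes and comment markers in it are just characters in a string.
// plainto_tsquery() is used instead of to_tsquery() because it treats tsquery
// operators (&, |, !, quotes, parentheses) as ordinary words; with to_tsquery()
// such input would raise a tsquery syntax error that then leaks into an
// exception page like the one quoted above.
function countSearchHits(PDO $pdo, string $term): int
{
    $sql = 'SELECT COUNT(*) AS total
            FROM public.indice_pesquisa, plainto_tsquery(\'simple\', :term) AS q
            WHERE vetor_descricao @@ q OR vetor_titulo @@ q';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':term', $term, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Usage (DSN, user and password are placeholders, not values from the post):
// $pdo = new PDO('pgsql:host=localhost;dbname=DBNAME', 'USER', 'PASSWORD', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // let PostgreSQL bind the parameter itself
// ]);
// $hits = countSearchHits($pdo, $_GET['q'] ?? '');
```

Two things worth checking on a host like this beyond the query itself: the exception handler is printing full stack traces with absolute file paths and the complete SQL to the client, which belongs only in a log, and because tsquery syntax is user-facing here, input like `foo & bar` or an unbalanced quote will raise a PostgreSQL error even after parameterisation unless the query is built with plainto_tsquery() (or websearch_to_tsquery() on PostgreSQL 11 and later), so the error-handling path should be tested with such input as well.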