
Postgres SQL Injection help...


zgrp

Newbie

Posts: 6

Joined: Wed Apr 12, 2006 1:32 am

Post Sat Aug 05, 2006 7:29 pm

Postgres SQL Injection help...

Hi there,

I'm pen-testing a host that is well patched; the only vector I found is a SQL injection in a search form, and based on the response I detected it's Postgres. The argument I pass is used as the second argument of a function called to_tsquery().

Looking on Google I discovered it's a kind of to_tsvector(), but it doesn't accept spaces; instead it uses logic operators like AND, OR, etc.

If I simply insert the string "'--" in the form I get the following:

InternalError

ADODB_Exception: postgres7 error: [-1: ERROR:  syntax error at or near "WHERE" at character 123] in EXECUTE("SELECT
COUNT ( * ) as total
FROM
public.indice_pesquisa,
to_tsquery('simple', ''--') AS q
WHERE
vetor_descricao @@ q
OR vetor_titulo @@ q")

#0 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(874): adodb_throw('postgres7', 'EXECUTE', -1, 'ERROR:  syntax ...', 'SELECT???????CO...', false, Object(ADODB_postgres7))
#1 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(848): ADOConnection->_Execute('SELECT???????CO...', false)
#2 C:\sites\victim.com.br\prado\Data\adodb\adodb.inc.php(1256): ADOConnection->Execute('SELECT???????CO...', false)
#3 [internal function]: ADOConnection->GetOne('SELECT???????CO...')
#4 C:\sites\victim.com.br\prado\Data\TAdodb.php(114): call_user_func_array(Array, Array)
#5 [internal function]: TAdodb->__call('getOne', Array)
#6 C:\sites\victim.com.br\wwwroot\global\SearchGeral.php(74): TAdodb->getOne('SELECT???????CO...')
#7 C:\sites\victim.com.br\wwwroot\publico\SearchPage.php(16): SearchGeral->pesquisar(''--', 0, 10)
#8 C:\sites\victim.com.br\wwwroot\publico\SearchPage.php(38): SearchPage->Searchr()
#9 C:\sites\victim.com.br\prado\Web\UI\TControl.php(416): SearchPage->onPreRender(Object(TEventParameter))
#10 C:\sites\victim.com.br\prado\Web\UI\TPage.php(1076): TControl->onPreRenderRecursive(Object(TEventParameter))
#11 C:\sites\victim.com.br\prado\Web\UI\TPage.php(947): TPage->onPreRenderRecursive(Object(TEventParameter))
#12 C:\sites\victim.com.br\prado\TApplication.php(481): TPage->execute()
#13 C:\sites\victim.com.br\wwwroot\index.php(10): TApplication->run()
#14 {main}


Well, I had never played with Postgres before, but it shows a bunch of information like the path where the website is, the version of Postgres and also the query, which is very interesting.

As we can see the query is:

SELECT COUNT ( * ) as total FROM public.indice_pesquisa, to_tsquery('simple', ''--') AS q WHERE vetor_descricao @@ q OR vetor_titulo @@ q")


Well, I tried some combinations that I thought would exploit it, but without success... I don't even understand Postgres SQL very well, so I'm studying it. Can someone give me some example queries to test to retrieve some "interesting information"?

I know it can seem a little lame, but I really tried some queries using UNION for example and can't extract values from the database. :(

Any help is appreciated.

Thank you,

Cheers
Last edited by zgrp on Sat Aug 05, 2006 7:31 pm, edited 1 time in total.
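An added, defender-side illustration (not code from the thread or from the site being tested): the query in the error message above is built by splicing the search term into the SQL text, so the single quote in '-- closes the string literal and the -- turns the rest of that line into a comment, which is exactly why PostgreSQL reports a syntax error at WHERE. The script below reproduces that query shape in Python with a constructed stand-in for the application code, compares the parser-visible structure of the SQL for a harmless term and for the term from the post, and contrasts a parameterized builder whose SQL text never changes. The %s placeholder style is the one psycopg uses; no database connection is made, and the function and variable names are my own.

```python
# Added example (not from the forum post): search term spliced into SQL text
# versus passed as a bind parameter. Query shape and column names are copied
# from the error message quoted in the post; everything else is constructed.

# Multi-line, as in the error message, so a '--' comment only eats one line.
SEARCH_SQL_TEMPLATE = (
    "SELECT\n"
    "COUNT ( * ) as total\n"
    "FROM\n"
    "public.indice_pesquisa,\n"
    "to_tsquery('simple', '{term}') AS q\n"
    "WHERE\n"
    "vetor_descricao @@ q\n"
    "OR vetor_titulo @@ q"
)

# Same query with the term as a bind parameter (psycopg-style %s placeholder).
SEARCH_SQL_PARAMETERIZED = (
    "SELECT\n"
    "COUNT ( * ) as total\n"
    "FROM\n"
    "public.indice_pesquisa,\n"
    "to_tsquery('simple', %s) AS q\n"
    "WHERE\n"
    "vetor_descricao @@ q\n"
    "OR vetor_titulo @@ q"
)


def build_search_sql_vulnerable(term: str) -> str:
    """Splice the raw term into the SQL text: the pattern seen in the post."""
    return SEARCH_SQL_TEMPLATE.format(term=term)


def build_search_sql_safe(term: str) -> tuple:
    """Keep the SQL text constant; the term travels separately as a parameter.

    Returns (sql, params) ready for cursor.execute(sql, params). The driver
    or server then treats the term as data, whatever characters it contains.
    """
    return SEARCH_SQL_PARAMETERIZED, (term,)


def sql_skeleton(sql: str) -> str:
    """Return the part of the SQL that PostgreSQL's parser treats as code.

    Every single-quoted literal is replaced by '?' ('' inside a literal is an
    escaped quote) and every '--' line comment is dropped. Two inputs that
    produce different skeletons changed the query's structure, i.e. injected.
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            i += 1  # step past the opening quote
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2  # escaped quote inside the literal
                        continue
                    break  # closing quote
                i += 1
            i += 1  # step past the closing quote (or past the end if unterminated)
            out.append("?")
        elif sql.startswith("--", i):
            while i < n and sql[i] != "\n":  # comment runs to end of line
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


BENIGN_TERM = "hello"  # constructed reference input


def query_structure_changed(term: str) -> bool:
    """True if `term` alters the code part of the spliced query."""
    reference = sql_skeleton(build_search_sql_vulnerable(BENIGN_TERM))
    return sql_skeleton(build_search_sql_vulnerable(term)) != reference


if __name__ == "__main__":
    for term in (BENIGN_TERM, "'--"):
        print(repr(term), "changes query structure:", query_structure_changed(term))
    sql, params = build_search_sql_safe("'--")
    print("parameterized text is input-independent:", sql == build_search_sql_safe(BENIGN_TERM)[0])
```

The skeleton comparison is the check worth keeping: any query builder that concatenates user input can be unit-tested by asserting that its skeleton is identical for every input, and the parameterized builder passes that test by construction.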

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Aug 07, 2006 11:25 am

Re: Postgres SQL Injection help...

to_tsquery is a function provided by tsearch2 which is a module for postgres.

The tsearch2 module provides a to_tsquery() function for creating queries that use the same process as to_tsvector() to reduce words to lexemes. For instance, it will remove the -s from plurals:

=# SELECT to_tsquery('(leads|forks) & !crawl')
          to_tsquery         
--------------------------------
( 'lead' | 'fork' ) & !'crawl'
(1 row)


So what you are doing is basically providing an expression ('--) to a lexical function. Even if they are not filtering the single quote (which would be a good idea), I don't see a way to use that for SQL injection, because that function doesn't do any SQL; as you can see in the quote above, it's just intended to transform (in that case remove a letter from) your input.

BTW the query in question just counts some occurrences of the text you input without taking into account whether it's singular or plural...
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+

zgrp

Newbie

Posts: 6

Joined: Wed Apr 12, 2006 1:32 am

Post Mon Aug 07, 2006 12:48 pm

Re: Postgres SQL Injection help...

Hi pcsneaker,

It's really bad news...  :'(

Isn't there a way to use this injection to "enclose" the to_tsquery() in a form where I can pass a dummy value to it and union it with another query, or make a kind of subselect? Or is it impossible because, as the text says, it calls "a separate process" to do this task?

Well, any help is appreciated since things are getting dark... heheh

Thank you,

Cheers

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Aug 07, 2006 1:06 pm

Re: Postgres SQL Injection help...

SQL injection means that you "inject" something into a sql query.

The function in question doesn't do any sql query, so you can't inject anything.

The only possible approach - if any - would be to test that function for a possible buffer overflow. For that you need to go through the source code of tsearch2 and possibly postgres - but I don't think that this is promising...
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+

zgrp

Newbie

Posts: 6

Joined: Wed Apr 12, 2006 1:32 am

Post Fri Aug 11, 2006 6:45 am

Re: Postgres SQL Injection help...

yo pcsneaker,

Now I understand, this is too bad. :(

Thank you for the information, keep up the good work.

cheers

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software