We have found SQL injection on a PostgreSQL database. Stacked and UNION payloads. We have created a table to store data as needed and the UNION to extract either from the table or to pull out data such as version().
So, I learned about database_to_xml which is a system function for emitting the contents of a PostgreSQL database as XML. I ended up with the payload below:
encode(database_to_xml(false,true,'')::text::bytea,'base64')
When I use it, the response takes a while, indicating that something is happening, but it never gets inserted into the table or output to screen. Creating a syntax error in the payload makes the server respond instantly. Likewise, having a simple payload e.g. 'id=1-- brings back the record quite quickly, i.e. database_to_xml does seem to be running. We're not battling with a WAF.
Any suggestions as to why it may not be working as intended i.e. why is the data not being inserted into the table (field is type TEXT) or being displayed on the page?
Thank you
database_to_xml work there. Try also similar functions, like table_to_xml to see if it's a size problem. Not sure why you need a table to dump a DB when you already have a UNION payload (and stacked queries!).
table_to_xml to the rescue. The DB was little over 4Gb with 750 tables, hence why it probably started and then failed. Thank you! We didn't have a list of all tables when we first started and wanted to see what other functionality we could use.