Trying to exploit SQL injection for my assignment. Is it possible to execute delete or drop query after order by in select query without using the semicolon in Postgresql?

This is my sample query:

Select * 
from table 
order by {sql injection payload}

Without using the semicolon in the payload, can we delete data or drop a table?

https://stackoverflow.com/a/6800585

Do we have similar to this Postgrsql?

I tried

Select * from (delete from table_name returning *) a

But getting sql error as 'syntax error at or near from'

CodePudding user response：

Check this document it says we can bypass forbidden character by CHR()

https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection

CodePudding user response：

DELETE cannot be put inside a subquery. Nor can DELETE be part of a UNION.

So aside from running a second query (that is, separated by a semicolon), there's almost no way you can do what you describe.

You could invoke a stored procedure or function, if you knew of an existing function that performs a DELETE. Example:

Select * 
from table 
order by {sql injection payload}

After your payload modifies this query:

Select * 
from table 
order by SomeFunctionThatDeletes()

Another type which works because you can select from a procedure in PostgreSQL:

Select * 
from table 
order by id
UNION
Select * 
from SomeProcedureThatDeletes()

You can't create the function or procedure with SQL injection, so that routine must exist already, and you would need to know its name and how to call it.

DELETE or DROP TABLE are not the only bad things that can happen from SQL injection. It could be a problem if the query returns data that the current user shouldn't have privilege to see. For example, records about a different user's purchases or medical history.

SQL injection can also be accidental instead of malicious. I would even say that most instances of SQL injection result in simple errors instead of data breaches. Those aren't really attacks, but they lead to an unsatisfactory experience for your users.