Is it possible to test for Postgres blind SQL injection using pg_sleep() in a WHERE clause?

Çağlar Arlı

In MySQL, I am familiar with using the following payloads to test for blind SQL injection when the WHERE clause is vulnerable (all payload examples from fuzzdb):
1 or sleep(TIME)#
" or sleep(TIME)#
' or sleep(TIME)#

In Postgres, my first instinct was to try the following:
1 or pg_sleep(TIME)--
" or pg_sleep(TIME)--
' or pg_sleep(TIME)--

Unfortunately, the Postgres payloads don't work because pg_sleep() returns VOID and hence is disallowed in a boolean expression.

I have tried the following workarounds:

  1. Casting pg_sleep() to some other data type (void -> bool type conversion is disallowed)
  2. I have considered trying to create my own pg_sleep() function, but this doesn't work in the black box environment that I audit in.
    ex: CREATE function pg_sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' LANGUAGE 'C' STRICT

Any ideas?

I have tried looking in the docs for other functions that may be used in place of pg_sleep() that do not return void, but I have not had any luck.
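
Seen from the defending side, the probes quoted in the question leave a recognizable trace in request logs. The following is an added example, not part of the original post: a Python log scan that flags requests whose decoded parameters call sleep() or pg_sleep(). The access-log format, the sample lines, and the names `normalize` and `find_delay_probes` are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Delay functions named in the question: MySQL sleep() and Postgres pg_sleep().
DELAY_CALL = re.compile(r"\b(pg_sleep|sleep)\s*\(", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Assumed log layout: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|DELETE|HEAD) (\S+)')


def normalize(raw, max_rounds=3):
    """URL-decode repeatedly (covers double encoding) and drop inline SQL comments."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return SQL_COMMENT.sub("", text)


def find_delay_probes(log_lines):
    """Return (line_no, client, function) for each request carrying a delay call."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        call = DELAY_CALL.search(normalize(target))
        if call:
            hits.append((line_no, client, call.group(1).lower()))
    return hits


# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%20or%20pg_sleep(5)-- HTTP/1.1" 500 87',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=%2527%2520or%2520sleep(5)%2523 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /docs?q=sleep+study HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /item?id=1+or+PG_SLEEP/**/(5)-- HTTP/1.1" 500 87',
]

if __name__ == "__main__":
    for hit in find_delay_probes(SAMPLE_LOG):
        print(hit)
```

Matching on the function call rather than on the full payload string keeps the rule independent of quoting style and comment terminator; correlating hits with 500 responses or unusually long response times is a natural next step.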