Is it possible to test for Postgres BlindSQL injection using pg_sleep() in a WHERE clause?
In MySQL, I am familiar with using the following payloads to test for blind SQL injection when the WHERE clause is vulnerable (all payload examples from fuzzdb):

```
1 or sleep(TIME)#
" or sleep(TIME)#
' or sleep(TIME)#
```
In Postgres, my first instinct was to try the following:

```
1 or pg_sleep(TIME)--
" or pg_sleep(TIME)--
' or pg_sleep(TIME)--
```
Unfortunately, the Postgres payloads don't work because pg_sleep() returns VOID and hence is disallowed in a boolean expression.
I have tried the following workarounds:
- Casting pg_sleep() to some other data type (void -> bool type conversion is disallowed)
- I have considered trying to create my own pg_sleep() function, but this doesn't work in the black-box environment that I audit in. For example:

```
CREATE function pg_sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' LANGUAGE 'C' STRICT
```
Any ideas?
I have tried looking in the docs for other functions that may be used in place of pg_sleep() that do not return void, but I have not had any luck.
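
An added example, not part of the original post: a defender-side check that flags the time-delay probe shapes listed above (`or sleep(N)#`, `or pg_sleep(N)--`) in web access logs, including double URL-encoded variants. The log lines, their layout and the `find_probes` name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [t] "GET /item?id=1%20or%20sleep(5)%23 HTTP/1.1" 200',
    '203.0.113.7 - - [t] "GET /item?id=%27%20or%20pg_sleep(5)-- HTTP/1.1" 500',
    '198.51.100.23 - - [t] "GET /list?cat=%2522%2520or%2520pg_sleep(10)-- HTTP/1.1" 500',
    '192.0.2.44 - - [t] "GET /search?q=coffee+or+tea HTTP/1.1" 200',
    '192.0.2.44 - - [t] "GET /docs?topic=pg_sleep HTTP/1.1" 200',
]

# Boolean OR, a sleep call with a numeric delay, then a trailing SQL comment.
PROBE = re.compile(
    r"\bor\s+(pg_sleep|sleep)\s*\(\s*(\d+(?:\.\d+)?)\s*\)\s*(?:--|#)",
    re.IGNORECASE,
)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ENGINE = {"sleep": "mysql", "pg_sleep": "postgresql"}


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded probes are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_probes(log_lines):
    """Return (client, parameter, engine, seconds) for each probe found."""
    hits = []
    for line in log_lines:
        request = REQUEST.match(line)
        if not request:
            continue  # not a request line in the assumed layout
        client, target = request.groups()
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            probe = PROBE.search(fully_decode(value))
            if probe:
                func, seconds = probe.group(1).lower(), float(probe.group(2))
                hits.append((client, name, ENGINE[func], seconds))
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```
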