This is a small POC code to extract data from order-by blind SQL injection.
This tool was tested with a server connecting into a PSQL database.
The methods that are used are described here:
https://pulsesecurity.co.nz/articles/postgres-sqli
https://www.onsecurity.io/blog/pentesting-postgresql-with-sql-injections/
You can use the tool to:
- Extract data from the DB using side channel attack (time based)
- Extract OS files from DB
- Write files to the DB
- Update the
config.json
file with the necessary details, look at the code from more options - Run
pip install -r requirements.txt
- To start the data extraction, run:
python extract_data.py