Caleb Cushing's Blog

Beware of SQL injection with Spring Boot and Flyway

So this is a hard to accomplish exploit, and is really only accomplishable by first exploiting another exploit first, or by an employee with some level of trusted access, though this employee might not normally have actual database access. I do believe you should be aware of it, as it leaves open an avenue you may not be thinking of. A sample application So the first thing we need is an application that uses Flyway, let’s just use the Spring Boot Flyway Sample. Read more →

empty() function for postgresql in sql

In PostgreSQL the ASCII NUL or empty string \0 is seen as NOT NULL. This is because postgres developers consider any characters data. I know there are better discussions on it but I can’t find them right now. Unfortunately the programming language you are using probably doesn’t see it the same way. There’s a good chance that initialized variables are set to \0 and so when you try to insert from your language to a NOT NULL field with variables that are seen as undefined in your language, postgres accepts it, and now you have fields that you probably consider to have no data but are NOT NULL. Read more →

PostgreSQL initial setup (authentication) Part 2

I ran into so problems and lack of information with my last post on this topic. Firstly my syntax for local all all to local all all ident devel doesn’t seem to work in my current setup. It’s possible that it has something to do with the configuration of the Debian/Ubuntu server I was basing that against, and now my targets are Arch Linux and Slackware. So our goal here will be to provide an alternate user that can log in as postgres via ident. Read more →

postgresql initial setup (users and databases)

This guide assumes that you’ve managed to install and start the postgres server. I’m ignoring these because they are well documented in several places, probably including your distribution, however, what to do next isn’t. First you need to connect to the Postgres database with psql as postgres, on gentoo* distributions you must be in the Postgres group to do this. In the event this doesn’t work you may have to su to the postgres unix user account somehow and run psql from there. Read more →

PostgreSQL \edit and Syntax Highlighting

If you’ve ever used \edit with PostgreSQL you’ve probably noticed that it’s not using syntax highlighting that your favorite editor most likely supports. I’ve wondered why this is for a while, Postgres uses vim on my system which supports robust highlighting among other things. I had a few things suggested to me, such as setting putting settings in my .vimrc, most of which would have forced filetype=sql on files that weren’t sql, and would have been active outside of psql. Read more →