From 371642ad1a12060c9e9676da1380edf8764c8485 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 28 Jun 2023 18:16:54 +0530
Subject: [PATCH] PostgreSQL - User Enumeration
---
network/enumeration/psql-user-enum.yaml | 41 +++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 network/enumeration/psql-user-enum.yaml
diff --git a/network/enumeration/psql-user-enum.yaml b/network/enumeration/psql-user-enum.yaml
new file mode 100644
index 0000000000..557dfb4d5a
--- /dev/null
+++ b/network/enumeration/psql-user-enum.yaml
@@ -0,0 +1,41 @@
+id: psql-user-enum
+
+info:
+ name: PostgreSQL - User Enumeration
+ author: pussycat0x
+ severity: low
+ description: |
+ PSQL user enumeration.
+ reference:
+ - https://medium.com/@netscylla/pentesters-guide-to-postgresql-hacking-59895f4f007
+ metadata:
+ verified: "true"
+ shodan-query: port:5432 product:"PostgreSQL"
+ tags: network,postgresql,db,unauth,enum,psql
+
+tcp:
+ - inputs:
+ - data: "{{hex_encode('\u0000\u0000\u0000{{str}}\u0000\u0003\u0000\u0000user\u0000{{users}}\u0000database\u0000{{users}}\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000')}}"
+ type: hex
+
+ host:
+ - "{{Hostname}}"
+ - "{{Host}}:5432"
+
+ attack: clusterbomb
+ payloads:
+ users:
+ - postgres
+ - tst
+ str:
+ - J
+ - T
+ - R
+
+ matchers:
+ - type: word
+ part: raw
+ words:
+ - "client_encoding"
+ - "integer_datetimes"
+ condition: and
\ No newline at end of file
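Review bot: The `description` ("PSQL user enumeration.") does not say what a hit means, and the matcher suggests it is more than a role existing: `client_encoding` and `integer_datetimes` are parameter-status names a PostgreSQL server reports once it has accepted the startup, so a match most likely indicates the role was admitted without a password (a trust-style `pg_hba.conf` entry). I would spell that out in `description`, add a `remediation` line such as `Require scram-sha-256 or another password method for remote hosts in pg_hba.conf.`, and reconsider `severity: low` if that reading is confirmed. Separately, `str` is the hand-computed length byte of the startup packet: `T` (84) fits `postgres` and `J` (74) fits `tst`, `R` (82) fits neither, and `clusterbomb` sends all six pairings, so four of the requests carry a wrong length. `attack: pitchfork` with `str` listed as `T`, `J` keeps each name with its length and makes the coupling visible to whoever extends the list.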