id: psql-user-enum

info:
  name: PostgreSQL - User Enumeration
  author: pussycat0x
  severity: low
  description: |
    PSQL user enumeration.
  reference:
    - https://medium.com/@netscylla/pentesters-guide-to-postgresql-hacking-59895f4f007
  metadata:
    max-request: 1
    shodan-query: port:5432 product:"PostgreSQL"
    verified: "true"
  tags: network,postgresql,db,unauth,enum,psql

tcp:
  - inputs:
      - data: "{{hex_encode('\u0000\u0000\u0000{{str}}\u0000\u0003\u0000\u0000user\u0000{{users}}\u0000database\u0000{{users}}\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000')}}"
        type: hex

    host:
      - "{{Hostname}}"
    port: 5432

    attack: clusterbomb
    payloads:
      users:
        - postgres
        - tst
      str:
        - J
        - T
        - R

    matchers:
      - type: word
        part: raw
        words:
          - "client_encoding"
          - "integer_datetimes"
        condition: and
# digest: 4a0a0047304502205c1b89f765228107b8af43b0c61e7c55712499df754e5c34eb162f893c07d9c9022100b9cdcc525b6a68dc67bc7245c854416f42aed52b6156162870dbd910fac88407:922c64590222798bb761d5b6d8e72950