id: pgsql-detect info: name: PostgreSQL Authentication - Detect author: nybble04 severity: info description: | PostgreSQL authentication error messages which could reveal information useful in formulating further attacks were detected. reference: - https://www.postgresql.org/docs/current/errcodes-appendix.html - https://www.postgresql.org/docs/current/client-authentication-problems.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N cwe-id: CWE-200 metadata: max-request: 1 shodan-query: port:5432 product:"PostgreSQL" verified: true tags: network,postgresql,db,detect tcp: - inputs: - data: "000000500003000075736572006e75636c6569006461746162617365006e75636c6569006170706c69636174696f6e5f6e616d65007073716c00636c69656e745f656e636f64696e6700555446380000" type: hex - data: "7000000036534352414d2d5348412d32353600000000206e2c2c6e3d2c723d000000000000000000000000000000000000000000000000" type: hex host: - "{{Hostname}}" port: 5432 read-size: 2048 matchers-condition: and matchers: - type: word part: body words: - "28000" # Error code for invalid_authorization_specification - "28P01" # Error code for invalid_password - "SCRAM-SHA-256" # Authentication prompt - "pg_hba.conf" # Client authentication config file - "user \"nuclei\"" # The user nuclei (sent in request) doesn't exist - "database \"nuclei\"" # The db nuclei (sent in request) doesn't exist" condition: or - type: word words: - "HTTP/1.1" negative: true