HackTricks
5432,5433 - Pentesting Postgresql
Support HackTricks and get benefits!

Basic Information

PostgreSQL is an open source object-relational database system that uses and extends the SQL language.
Default port: 5432. If that port is already in use, PostgreSQL appears to fall back to the next free port (probably 5433).
```
PORT     STATE SERVICE
5432/tcp open  pgsql
```

Connect

```bash
psql -U <myuser> # Open psql console with user
psql -h <host> -U <username> -d <database> # Remote connection
psql -h <host> -p <port> -U <username> -W <database> # Remote connection; -W forces a password prompt (psql never takes the password as an argument)
```
```sql
psql -h localhost -d <database_name> -U <User> # Password will be prompted
\list # List databases
\c <database> # use the database
\d # List tables
\du+ # Get users roles

-- Read a file
CREATE TABLE demo(t text);
COPY demo FROM '[FILENAME]';
SELECT * FROM demo;

-- Write ASCII to a file (COPY TO cannot write binary data)
COPY (SELECT convert_from(decode('<B64 payload>','base64'),'utf-8')) TO 'C:\some\interesting\path.cmd';

-- List databases
SELECT datname FROM pg_database;

-- Read credentials (usernames + pwd hash)
SELECT usename, passwd FROM pg_shadow;

-- Check if current user is superuser
SELECT current_setting('is_superuser'); -- If response is "on" then true, if "off" then false

-- Check if plpgsql is enabled
SELECT lanname, lanacl FROM pg_language WHERE lanname = 'plpgsql';

-- Change password
ALTER USER user_name WITH PASSWORD 'new_password';

-- Check users privileges over a table (pg_shadow in this example)
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'pg_shadow';

-- Get users roles
SELECT
  r.rolname,
  r.rolsuper,
  r.rolinherit,
  r.rolcreaterole,
  r.rolcreatedb,
  r.rolcanlogin,
  r.rolconnlimit, r.rolvaliduntil,
  ARRAY(SELECT b.rolname
        FROM pg_catalog.pg_auth_members m
        JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
        WHERE m.member = r.oid) AS memberof,
  r.rolreplication
FROM pg_catalog.pg_roles r
ORDER BY 1;
```
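The role query above returns one row per role; what matters when reviewing a server is which of those rows carry superuser, CREATEROLE, replication or server-file privileges. The following is an added example (not code from the HackTricks page) that takes rows shaped like that query's output and reports the facts worth reviewing. The rows are constructed sample data, and the column order is assumed to match the query as written; `pg_read_server_files` and `pg_write_server_files` are the built-in PostgreSQL 11+ roles that grant `COPY FROM/TO` file access to non-superusers.

```python
# Column order of the pg_roles query above (rolname ... rolreplication), assumed.
ROW_FIELDS = ("rolname", "rolsuper", "rolinherit", "rolcreaterole", "rolcreatedb",
              "rolcanlogin", "rolconnlimit", "rolvaliduntil", "memberof", "rolreplication")

# Built-in roles (PostgreSQL 11+) whose members can read/write server files via COPY.
FILE_ACCESS_ROLES = {"pg_read_server_files", "pg_write_server_files"}

# Constructed sample rows (not from a real instance), shaped like the query output.
SAMPLE_ROWS = [
    ("postgres", True, True, True, True, True, -1, None, [], True),
    ("app_user", False, True, False, False, True, -1, None, ["app_rw"], False),
    ("etl", False, True, False, False, True, -1, None, ["pg_read_server_files"], False),
    ("auditor", False, True, True, False, True, -1, None, [], False),
    ("pg_read_server_files", False, True, False, False, False, -1, None, [], False),
]


def role_findings(row):
    """List the privilege facts worth reviewing for one pg_roles row (a dict)."""
    findings = []
    if row["rolsuper"]:
        findings.append("superuser (can log in)" if row["rolcanlogin"]
                        else "superuser (nologin)")
    elif row["rolcreaterole"]:
        # CREATEROLE lets a role create and alter other roles; review who holds it.
        findings.append("can create roles")
    file_roles = FILE_ACCESS_ROLES & set(row["memberof"])
    if file_roles:
        findings.append("server file access via " + ", ".join(sorted(file_roles)))
    if row["rolreplication"]:
        findings.append("replication")
    return findings


def audit_roles(rows):
    """Map role name -> findings, skipping built-in pg_* roles and roles with no findings."""
    report = {}
    for raw in rows:
        row = dict(zip(ROW_FIELDS, raw))
        if row["rolname"].startswith("pg_"):
            continue  # built-in roles cannot log in; only their members matter
        findings = role_findings(row)
        if findings:
            report[row["rolname"]] = findings
    return report


if __name__ == "__main__":
    for name, facts in audit_roles(SAMPLE_ROWS).items():
        print(f"{name}: {'; '.join(facts)}")
```

On a live server the rows come from running the query with a client library instead of `SAMPLE_ROWS`; the classification logic does not change.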

Enumeration

```
msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
```

Brute force

Client authentication is controlled by a config file usually named pg_hba.conf. This file holds a set of records, and a record may have one of seven formats.
Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied. The password-based authentication methods are md5, crypt, and password. These methods operate similarly except for the way the password is sent across the connection: MD5-hashed, crypt-encrypted, and clear-text respectively. A limitation is that the crypt method does not work with passwords that have been encrypted in pg_authid.
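The first-match rule above is what makes record order in pg_hba.conf security-critical: a permissive record placed before a strict one silently wins. The following added example (not code from the page or from PostgreSQL itself) parses a constructed pg_hba.conf fragment, resolves a connection to the record PostgreSQL would pick, and lists records whose method accepts connections without a hashed credential. It models only the `local`, `host`, `hostssl` and `hostnossl` forms with CIDR addresses; the netmask, hostname, `@file` and `+role` forms are deliberately left out (an assumption of this example).

```python
import ipaddress

# Constructed pg_hba.conf content for the example (not taken from any real server).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       all       127.0.0.1/32    scram-sha-256
host    app       app_user  10.0.0.0/8      md5
host    all       all       0.0.0.0/0       trust
"""

# Methods that send no credential or a clear-text one; flag them in review.
WEAK_METHODS = {"trust", "password"}


def parse_pg_hba(text):
    """Parse local/host/hostssl/hostnossl records (CIDR addresses only) into dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            records.append({"type": kind, "db": fields[1], "user": fields[2],
                            "addr": None, "method": fields[3]})
        elif kind in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            records.append({"type": kind, "db": fields[1], "user": fields[2],
                            "addr": ipaddress.ip_network(fields[3], strict=False),
                            "method": fields[4]})
    return records


def _name_matches(pattern, name):
    # "all" matches everything; a comma-separated list matches any of its entries.
    return any(p == "all" or p == name for p in pattern.split(","))


def first_match(records, conn_type, db, user, client_ip=None):
    """Return the first applicable record, or None when access is denied.

    conn_type is "local" (Unix socket), "hostssl" or "hostnossl" (TCP with or
    without TLS). PostgreSQL stops at the first record whose type, address,
    database and user match; if that record's method then rejects the client,
    later records are NOT tried.
    """
    for rec in records:
        if conn_type == "local":
            if rec["type"] != "local":
                continue
        else:
            if rec["type"] == "local":
                continue
            if rec["type"] == "hostssl" and conn_type != "hostssl":
                continue
            if rec["type"] == "hostnossl" and conn_type != "hostnossl":
                continue
            if ipaddress.ip_address(client_ip) not in rec["addr"]:
                continue
        if not _name_matches(rec["db"], db) or not _name_matches(rec["user"], user):
            continue
        return rec
    return None


def weak_records(records):
    """Records whose method lets a client in without presenting a hashed password."""
    return [r for r in records if r["method"] in WEAK_METHODS]


if __name__ == "__main__":
    recs = parse_pg_hba(SAMPLE_PG_HBA)
    chosen = first_match(recs, "hostnossl", "app", "app_user", "127.0.0.1")
    print("app_user from localhost gets method:", chosen["method"])  # scram, not md5
    for r in weak_records(recs):
        print("weak record:", r["type"], r["db"], r["user"], r["addr"], r["method"])
```

Note how `app_user` connecting from 127.0.0.1 is authenticated with `scram-sha-256`, not the `md5` record further down, and how the trailing `0.0.0.0/0 trust` line admits anyone whom no earlier record covers.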

POST

```
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/windows/postgres/postgres_payload
```

Logging

Inside the postgresql.conf file you can enable PostgreSQL statement logging by setting:
```
log_statement = 'all'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
logging_collector = on
sudo service postgresql restart
#Find the logs in /var/lib/postgresql/<PG_Version>/main/log/
#or in /var/lib/postgresql/<PG_Version>/main/pg_log/
```
Then, restart the service.
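With `log_statement = 'all'` every statement lands in the log as a `LOG:  statement: ...` line, which is what lets a defender spot the file-read and credential-dump queries shown earlier on this page. The following added example (not code from the page) scans such lines for `COPY ... FROM/TO '<path>'` (server-side file access, as opposed to `STDIN`/`STDOUT`) and for reads of `pg_shadow`/`pg_authid`. The log lines are constructed sample data in the default `log_line_prefix` form `%m [%p] `; a custom prefix would need the regex adjusted.

```python
import re

# Constructed log lines with the default "%m [%p] " log_line_prefix and
# log_statement = 'all' (sample data for the example, not a real capture).
SAMPLE_LOG = """\
2024-05-01 10:00:01.001 UTC [4321] LOG:  statement: SELECT datname FROM pg_database;
2024-05-01 10:00:02.002 UTC [4321] LOG:  statement: CREATE TABLE demo(t text);
2024-05-01 10:00:03.003 UTC [4321] LOG:  statement: COPY demo FROM '/etc/passwd';
2024-05-01 10:00:04.004 UTC [4321] LOG:  statement: SELECT usename, passwd FROM pg_shadow;
2024-05-01 10:00:05.005 UTC [4322] LOG:  statement: COPY (SELECT 1) TO '/tmp/export.txt';
2024-05-01 10:00:06.006 UTC [4322] LOG:  statement: COPY demo TO STDOUT;
2024-05-01 10:00:07.007 UTC [4322] LOG:  statement: SELECT * FROM orders WHERE id = 7;
"""

# timestamp, pid and the logged statement (note the two spaces after "LOG:")
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:  statement: (?P<sql>.*)$")

# COPY ... FROM/TO '<path>' touches the server's filesystem; STDIN/STDOUT do not.
FILE_COPY_RE = re.compile(r"\bCOPY\b[^;]*\b(?:FROM|TO)\s+'[^']+'", re.IGNORECASE)
# Reads of the catalog tables that hold password hashes.
CRED_READ_RE = re.compile(r"\bpg_(?:shadow|authid)\b", re.IGNORECASE)


def classify_statement(sql):
    """Return a rule name for a statement worth alerting on, or None."""
    if FILE_COPY_RE.search(sql):
        return "file_copy"
    if CRED_READ_RE.search(sql):
        return "credential_read"
    return None


def scan_log(lines):
    """Return one finding dict per flagged 'statement:' log line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and non-statement messages are skipped
        rule = classify_statement(m.group("sql"))
        if rule:
            findings.append({"ts": m.group("ts"), "pid": int(m.group("pid")),
                             "rule": rule, "sql": m.group("sql")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} pid={f['pid']} {f['rule']}: {f['sql']}")
```

The pid in the prefix is the backend process id, so findings from the same pid belong to one session; in the sample, pid 4321 both copies `/etc/passwd` into a table and reads `pg_shadow`.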

pgadmin

pgadmin is an administration and development platform for PostgreSQL. You can find passwords inside the pgadmin4.db file. You can decrypt them using the decrypt function inside this script: https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py
```bash
sqlite3 pgadmin4.db ".schema"
sqlite3 pgadmin4.db "select * from user;"
sqlite3 pgadmin4.db "select * from server;"
strings pgadmin4.db
```