5432,5433 - Pentesting Postgresql

Support HackTricks and get benefits!
Basic Information
PostgreSQL is an _**_open source object-relational database system that uses and extends the SQL language.
Default port: 5432, and if this port is already in use it seems that postgresql will use the next port (5433 probably) which is not in use.
1
PORT     STATE SERVICE
2
5432/tcp open  pgsql
Copied!
Connect
1
psql -U <myuser> # Open psql console with user
2
psql -h <host> -U <username> -d <database> # Remote connection
3
psql -h <host> -p <port> -U <username> -W <password> <database> # Remote connection
Copied!
1
psql -h localhost -d <database_name> -U <User> #Password will be prompted
2
\list # List databases
3
\c <database> # use the database
4
\d # List tables
5
\du+ # Get users roles
6
​
7
#Read a file
8
CREATE TABLE demo(t text);
9
COPY demo from '[FILENAME]';
10
SELECT * FROM demo;
11
​
12
#Write ascii to a file (copy to cannot copy binary data)
13
COPY (select convert_from(decode('<B64 payload>','base64'),'utf-8')) to 'C:\\some\\interesting\path.cmd'; 
14
​
15
#List databases
16
SELECT datname FROM pg_database;
17
​
18
#Read credentials (usernames + pwd hash)
19
SELECT usename, passwd from pg_shadow;
20
​
21
#Check if current user is superiser
22
SELECT current_setting('is_superuser'); #If response is "on" then true, if "off" then false
23
​
24
#Check if plpgsql is enabled
25
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql'
26
​
27
#Change password
28
ALTER USER user_name WITH PASSWORD 'new_password';
29
​
30
#Check users privileges over a table (pg_shadow on this example)
31
SELECT grantee, privilege_type 
32
FROM information_schema.role_table_grants 
33
WHERE table_name='pg_shadow'
34
​
35
#Get users roles
36
SELECT 
37
      r.rolname, 
38
      r.rolsuper, 
39
      r.rolinherit,
40
      r.rolcreaterole,
41
      r.rolcreatedb,
42
      r.rolcanlogin,
43
      r.rolconnlimit, r.rolvaliduntil,
44
  ARRAY(SELECT b.rolname
45
        FROM pg_catalog.pg_auth_members m
46
        JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
47
        WHERE m.member = r.oid) as memberof
48
, r.rolreplication
49
FROM pg_catalog.pg_roles r
50
ORDER BY 1;
Copied!
Enumeration
1
msf> use auxiliary/scanner/postgres/postgres_version
2
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
Copied!
​Brute force​
Client authentication is controlled by a config file frequently named pg_hba.conf. This file has a set of records. A record may have one of the following seven formats:
Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.
The password-based authentication methods are md5, crypt, and password. These methods operate similarly except for the way that the password is sent across the connection: respectively, MD5-hashed, crypt-encrypted, and clear-text. A limitation is that the crypt method does not work with passwords that have been encrypted in pg_authid.
POST
1
msf> use auxiliary/scanner/postgres/postgres_hashdump
2
msf> use auxiliary/scanner/postgres/postgres_schemadump
3
msf> use auxiliary/admin/postgres/postgres_readfile
4
msf> use exploit/linux/postgres/postgres_payload
5
msf> use exploit/windows/postgres/postgres_payload
Copied!
logging
Inside the postgresql.conf file you can enable postgresql logs changing:
1
log_statement = 'all'
2
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
3
logging_collector = on
4
sudo service postgresql restart
5
#Find the logs in /var/lib/postgresql/<PG_Version>/main/log/
6
#or in /var/lib/postgresql/<PG_Version>/main/pg_log/
Copied!
Then, restart the service.
pgadmin
​pgadmin is an administration and development platform for PostgreSQL.
You can find passwords inside the pgadmin4.db file
You can decrypt them using the decrypt function inside the script: https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py​
1
sqlite3 pgadmin4.db ".schema"
2
sqlite3 pgadmin4.db "select * from user;"
3
sqlite3 pgadmin4.db "select * from server;"
4
string pgadmin4.db
Copied!
Support HackTricks and get benefits!