5432,5433 - Pentesting Postgresql

Basic Information

PostgreSQL is an **open source object-relational database system** that uses and extends the SQL language.
Default port: 5432. If that port is already taken, PostgreSQL appears to fall back to the next free port (probably 5433).
```
PORT     STATE SERVICE
5432/tcp open  pgsql
```

Connect

```bash
psql -U <myuser> # Open psql console with user
psql -h <host> -U <username> -d <database> # Remote connection
psql -h <host> -p <port> -U <username> -W <database> # Remote connection; -W forces a password prompt (it takes no argument)
```
```sql
psql -h localhost -d <database_name> -U <User> # Shell: password will be prompted

-- psql meta-commands
-- List databases
\list
-- Use the database
\c <database>
-- List tables
\d
-- Get users roles
\du+

-- Read a file
CREATE TABLE demo(t text);
COPY demo FROM '[FILENAME]';
SELECT * FROM demo;

-- Write ASCII to a file (COPY TO cannot copy binary data)
COPY (SELECT convert_from(decode('<B64 payload>','base64'),'utf-8')) TO 'C:\\some\\interesting\\path.cmd';

-- List databases
SELECT datname FROM pg_database;

-- Read credentials (usernames + password hash)
SELECT usename, passwd FROM pg_shadow;

-- Check if current user is superuser
SELECT current_setting('is_superuser'); -- If response is "on" then true, if "off" then false

-- Check if plpgsql is enabled
SELECT lanname, lanacl FROM pg_language WHERE lanname = 'plpgsql';

-- Change password
ALTER USER user_name WITH PASSWORD 'new_password';

-- Check users privileges over a table (pg_shadow in this example)
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'pg_shadow';

-- Get users roles
SELECT
  r.rolname,
  r.rolsuper,
  r.rolinherit,
  r.rolcreaterole,
  r.rolcreatedb,
  r.rolcanlogin,
  r.rolconnlimit, r.rolvaliduntil,
  ARRAY(SELECT b.rolname
        FROM pg_catalog.pg_auth_members m
        JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
        WHERE m.member = r.oid) AS memberof,
  r.rolreplication
FROM pg_catalog.pg_roles r
ORDER BY 1;
```

Enumeration

```
msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
```
Client authentication is controlled by a config file usually named pg_hba.conf. This file is a set of records, and a record may have one of seven formats.

Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record with a matching connection type, client address, requested database and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

The password-based authentication methods are md5, crypt and password. They differ only in how the password is sent across the connection: MD5-hashed, crypt-encrypted and clear-text respectively. A limitation is that the crypt method does not work with passwords that have been encrypted in pg_authid.
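As an added example (not from the original page), a small Python audit helper that implements the first-match rule described above over a constructed pg_hba.conf: it reports which method a given connection would get, and flags records whose method performs no authentication or sends clear-text passwords. It simplifies the real format (exact TYPE match only, CIDR addresses only, no hostnames, netmask column, `+group` or `@file` syntax).

```python
import ipaddress

# Constructed pg_hba.conf sample for illustration; not taken from a real deployment.
SAMPLE_HBA = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   md5
host    sales     app       10.0.0.0/24    password
host    all       all       0.0.0.0/0      reject
"""

# Flagged in an audit: "trust" performs no authentication, "password" sends clear text.
WEAK_METHODS = {"trust", "password"}

def parse_hba(text):
    """Parse records in the simplified form TYPE DATABASE USER [ADDRESS] METHOD."""
    records = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, skip blank lines
        if not fields:
            continue
        if fields[0] == "local":  # Unix-socket records have no ADDRESS column
            conn_type, db, user, method = fields[:4]
            addr = None
        else:
            conn_type, db, user, addr, method = fields[:5]
        records.append({"type": conn_type, "db": db, "user": user, "addr": addr, "method": method})
    return records

def _matches(field, value):
    return field == "all" or field == value

def match_hba(records, conn_type, db, user, client_ip=None):
    """METHOD of the first record matching the connection, or None when no record
    matches (PostgreSQL then denies access; there is no fall-through to later records)."""
    for rec in records:
        if rec["type"] != conn_type or not (_matches(rec["db"], db) and _matches(rec["user"], user)):
            continue
        if rec["addr"] is not None:
            if client_ip is None or ipaddress.ip_address(client_ip) not in ipaddress.ip_network(rec["addr"]):
                continue
        return rec["method"]
    return None

def weak_records(records):
    """Records a defender should review: no authentication or clear-text passwords."""
    return [rec for rec in records if rec["method"] in WEAK_METHODS]
```

Note that the `sales`/`app` connection from 127.0.0.1 gets `md5`, not `password`, because the earlier `host all all 127.0.0.1/32` record wins under the first-match rule.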

POST

```
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/windows/postgres/postgres_payload
```

Logging

Inside the postgresql.conf file you can enable PostgreSQL statement logging by changing:

```
log_statement = 'all'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
logging_collector = on
```

Then restart the service (`sudo service postgresql restart`). Find the logs in /var/lib/postgresql/<PG_Version>/main/log/ or in /var/lib/postgresql/<PG_Version>/main/pg_log/.

pgadmin

pgadmin is an administration and development platform for PostgreSQL. You can find stored passwords inside the pgadmin4.db file. You can decrypt them using the decrypt function inside the script: https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py

```bash
sqlite3 pgadmin4.db ".schema"
sqlite3 pgadmin4.db "select * from user;"
sqlite3 pgadmin4.db "select * from server;"
strings pgadmin4.db
```