mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
Translated ['network-services-pentesting/pentesting-postgresql.md'] to c
This commit is contained in:
parent
ba744c4ab2
commit
c970440751
1 changed files with 63 additions and 68 deletions
|
@ -15,7 +15,7 @@
|
|||
* 你在一家**网络安全公司**工作吗?想要在HackTricks中看到你的**公司广告**吗?或者你想要访问**PEASS的最新版本或下载HackTricks的PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||||
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||||
* 获取[**官方PEASS和HackTricks的衣物**](https://peass.creator-spring.com)
|
||||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
|
||||
|
||||
</details>
|
||||
|
@ -55,9 +55,9 @@ Replace `<host>` with the hostname or IP address of the PostgreSQL server, `<por
|
|||
|
||||
### 基本枚举
|
||||
|
||||
Once connected to the PostgreSQL database, you can perform basic enumeration to gather information about the database and its contents.
|
||||
Once connected to a PostgreSQL database, you can perform basic enumeration to gather information about the database and its objects.
|
||||
|
||||
一旦连接到PostgreSQL数据库,可以执行基本的枚举操作,以收集有关数据库及其内容的信息。
|
||||
一旦连接到PostgreSQL数据库,可以执行基本枚举以收集有关数据库及其对象的信息。
|
||||
|
||||
#### List Databases
|
||||
|
||||
|
@ -124,7 +124,10 @@ psql -h localhost -d <database_name> -U <User> #Password will be prompted
|
|||
\du+ # Get users roles
|
||||
|
||||
# Get current user
|
||||
Select user;
|
||||
SELECT user;
|
||||
|
||||
# Get current database
|
||||
SELECT current_catalog;
|
||||
|
||||
# List schemas
|
||||
SELECT schema_name,schema_owner FROM information_schema.schemata;
|
||||
|
@ -176,7 +179,7 @@ connect_timeout=10');
|
|||
```
|
||||
* 主机不可用
|
||||
|
||||
`详细信息:无法连接到服务器:无法到达主机。服务器是否在主机“1.2.3.4”上运行,并接受端口5678的TCP/IP连接?`
|
||||
`详细信息:无法连接到服务器:无法到达主机。服务器是否在主机“1.2.3.4”上运行,并接受端口5678上的TCP/IP连接?`
|
||||
|
||||
* 端口已关闭
|
||||
```
|
||||
|
@ -318,13 +321,22 @@ This retrieves all rows and columns from the `employees` table.
|
|||
|
||||
这将从`employees`表格中检索所有行和列。
|
||||
|
||||
Tables in PostgreSQL can also have constraints, such as primary keys, foreign keys, unique constraints, and check constraints, which enforce data integrity and consistency. These constraints can be defined when creating the table or added later using the `ALTER TABLE` statement.
|
||||
Tables can also be modified using the `ALTER TABLE` statement. For example, you can add a new column to an existing table:
|
||||
|
||||
PostgreSQL中的表格还可以具有约束,例如主键、外键、唯一约束和检查约束,用于强制数据的完整性和一致性。这些约束可以在创建表格时定义,也可以使用`ALTER TABLE`语句后期添加。
|
||||
也可以使用`ALTER TABLE`语句修改表格。例如,可以向现有表格添加一个新列:
|
||||
|
||||
In addition to creating tables, PostgreSQL also provides various commands and functions for managing tables, such as `ALTER TABLE` for modifying table structure, `DROP TABLE` for deleting tables, and `TRUNCATE TABLE` for removing all data from a table.
|
||||
```sql
|
||||
ALTER TABLE employees
|
||||
ADD COLUMN department VARCHAR(50);
|
||||
```
|
||||
|
||||
除了创建表格,PostgreSQL还提供了各种用于管理表格的命令和函数,例如用于修改表格结构的`ALTER TABLE`,用于删除表格的`DROP TABLE`,以及用于从表格中删除所有数据的`TRUNCATE TABLE`。
|
||||
This adds a new column named `department` to the `employees` table with a `VARCHAR` data type and a maximum length of 50 characters.
|
||||
|
||||
这将向`employees`表格添加一个名为`department`的新列,该列具有`VARCHAR`数据类型和最大长度为50个字符。
|
||||
|
||||
Tables are a fundamental component of a PostgreSQL database and understanding how to create, insert, retrieve, and modify data in tables is essential for effective database management.
|
||||
|
||||
表格是PostgreSQL数据库的基本组成部分,了解如何创建、插入、检索和修改表格中的数据对于有效的数据库管理至关重要。
|
||||
```sql
|
||||
# Get owners of tables
|
||||
select schemaname,tablename,tableowner from pg_tables;
|
||||
|
@ -346,89 +358,72 @@ Functions in PostgreSQL are named blocks of code that can be executed by calling
|
|||
|
||||
To create a function, you need to use the `CREATE FUNCTION` statement followed by the function name, input parameters (if any), return type, and the code block enclosed in `BEGIN` and `END`.
|
||||
|
||||
要创建一个函数,您需要使用`CREATE FUNCTION`语句,后面跟着函数名称、输入参数(如果有的话)、返回类型以及用`BEGIN`和`END`括起来的代码块。
|
||||
要创建一个函数,您需要使用`CREATE FUNCTION`语句,后面跟着函数名称、输入参数(如果有)、返回类型以及用`BEGIN`和`END`括起来的代码块。
|
||||
|
||||
Here is an example of a simple function that adds two numbers and returns the result:
|
||||
Here is an example of a simple function that calculates the square of a number:
|
||||
|
||||
下面是一个简单函数的示例,它将两个数字相加并返回结果:
|
||||
下面是一个简单函数的示例,用于计算一个数的平方:
|
||||
|
||||
```sql
|
||||
CREATE FUNCTION add_numbers(a INTEGER, b INTEGER)
|
||||
RETURNS INTEGER AS $$
|
||||
CREATE FUNCTION square(num INTEGER) RETURNS INTEGER AS $$
|
||||
BEGIN
|
||||
RETURN a + b;
|
||||
RETURN num * num;
|
||||
END;
|
||||
$$ LANGUAGE plpgsql;
|
||||
```
|
||||
|
||||
You can call the function by using its name and passing the required arguments:
|
||||
In this example, the function is named `square` and it accepts an integer parameter `num`. It returns the square of the input number.
|
||||
|
||||
您可以通过使用函数的名称并传递所需的参数来调用函数:
|
||||
在这个例子中,函数名为`square`,它接受一个整数参数`num`,并返回输入数字的平方。
|
||||
|
||||
To call a function, you simply use its name followed by the input parameter values enclosed in parentheses.
|
||||
|
||||
要调用一个函数,只需使用函数名,后面跟着用括号括起来的输入参数值。
|
||||
|
||||
```sql
|
||||
SELECT add_numbers(5, 10);
|
||||
SELECT square(5);
|
||||
```
|
||||
|
||||
This will return the result of adding 5 and 10, which is 15.
|
||||
This will return the value `25`, which is the square of `5`.
|
||||
|
||||
这将返回5和10相加的结果,即15。
|
||||
这将返回值`25`,即`5`的平方。
|
||||
|
||||
Functions can also have output parameters, which allow them to return multiple values. To define an output parameter, you need to use the `OUT` keyword before the parameter name.
|
||||
Functions can also have output parameters, which allow them to return multiple values. To define an output parameter, you need to specify the `OUT` keyword before the parameter name.
|
||||
|
||||
函数还可以具有输出参数,允许它们返回多个值。要定义输出参数,您需要在参数名称之前使用`OUT`关键字。
|
||||
函数还可以具有输出参数,允许它们返回多个值。要定义一个输出参数,您需要在参数名称之前指定`OUT`关键字。
|
||||
|
||||
Here is an example of a function that calculates the sum and difference of two numbers and returns both values:
|
||||
Here is an example of a function that calculates both the square and cube of a number:
|
||||
|
||||
下面是一个计算两个数字的和与差并返回这两个值的函数的示例:
|
||||
下面是一个计算一个数的平方和立方的函数的示例:
|
||||
|
||||
```sql
|
||||
CREATE FUNCTION calculate_sum_diff(a INTEGER, b INTEGER, OUT sum INTEGER, OUT diff INTEGER)
|
||||
RETURNS RECORD AS $$
|
||||
CREATE FUNCTION square_and_cube(num INTEGER, OUT square_result INTEGER, OUT cube_result INTEGER) AS $$
|
||||
BEGIN
|
||||
sum := a + b;
|
||||
diff := a - b;
|
||||
square_result := num * num;
|
||||
cube_result := num * num * num;
|
||||
END;
|
||||
$$ LANGUAGE plpgsql;
|
||||
```
|
||||
|
||||
You can call the function and retrieve the output parameters using the `SELECT` statement:
|
||||
In this example, the function is named `square_and_cube` and it accepts an integer parameter `num`. It has two output parameters `square_result` and `cube_result`, which will store the square and cube of the input number, respectively.
|
||||
|
||||
您可以使用`SELECT`语句调用函数并检索输出参数:
|
||||
在这个例子中,函数名为`square_and_cube`,它接受一个整数参数`num`。它有两个输出参数`square_result`和`cube_result`,分别存储输入数字的平方和立方。
|
||||
|
||||
To call this function and retrieve the output parameters, you need to use the `SELECT` statement and assign the output parameters to variables.
|
||||
|
||||
要调用这个函数并检索输出参数,您需要使用`SELECT`语句,并将输出参数赋值给变量。
|
||||
|
||||
```sql
|
||||
SELECT * FROM calculate_sum_diff(10, 5);
|
||||
SELECT square_and_cube(3, square_result, cube_result);
|
||||
```
|
||||
|
||||
This will return a single row with the sum and difference values.
|
||||
This will return a single row with the values `9` and `27`, which are the square and cube of `3`, respectively.
|
||||
|
||||
这将返回一个包含和与差值的单行。
|
||||
这将返回一个包含值`9`和`27`的单行,分别是`3`的平方和立方。
|
||||
|
||||
Functions can also be used to modify data in the database. For example, you can create a function that updates a specific column in a table based on certain conditions.
|
||||
Functions are powerful tools in PostgreSQL that allow you to encapsulate complex logic and reuse it whenever needed. They can greatly simplify your code and make it more modular and maintainable.
|
||||
|
||||
函数还可以用于修改数据库中的数据。例如,您可以创建一个函数,根据特定条件更新表中的特定列。
|
||||
|
||||
```sql
|
||||
CREATE FUNCTION update_salary(employee_id INTEGER, new_salary INTEGER)
|
||||
RETURNS VOID AS $$
|
||||
BEGIN
|
||||
UPDATE employees
|
||||
SET salary = new_salary
|
||||
WHERE id = employee_id;
|
||||
END;
|
||||
$$ LANGUAGE plpgsql;
|
||||
```
|
||||
|
||||
You can call this function to update the salary of an employee:
|
||||
|
||||
您可以调用此函数来更新员工的薪水:
|
||||
|
||||
```sql
|
||||
SELECT update_salary(1, 5000);
|
||||
```
|
||||
|
||||
This will update the salary of the employee with ID 1 to 5000.
|
||||
|
||||
这将把ID为1的员工的薪水更新为5000。
|
||||
函数是PostgreSQL中的强大工具,可以让您封装复杂的逻辑,并在需要时重复使用。它们可以极大地简化您的代码,使其更具模块化和可维护性。
|
||||
```sql
|
||||
# Interesting functions are inside pg_catalog
|
||||
\df * #Get all
|
||||
|
@ -585,7 +580,7 @@ Postgresql的**配置文件**是由运行数据库的**postgres用户**拥有写
|
|||
|
||||
* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` 数据库私钥的路径
|
||||
* `ssl_passphrase_command = ''` 如果私钥文件受密码保护(加密),Postgresql将**执行此属性中指定的命令**。
|
||||
* `ssl_passphrase_command_supports_reload = off` 如果此属性为**on**,则在执行`pg_reload_conf()`时,如果密钥受密码保护,将**执行命令**。
|
||||
* `ssl_passphrase_command_supports_reload = off` 如果此属性为**on**,则在执行`pg_reload_conf()`时,如果密钥受密码保护,将**执行**命令。
|
||||
|
||||
然后,攻击者需要:
|
||||
|
||||
|
@ -662,7 +657,7 @@ host all all ::1/128 trust
|
|||
|
||||
### **ALTER TABLE提权**
|
||||
|
||||
在[这篇**文章**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities)中,解释了如何通过滥用授予用户的ALTER TABLE权限,在Postgres GCP中进行**提权**。
|
||||
在[这篇**文章**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities)中,解释了如何通过滥用授予用户的ALTER TABLE权限来在Postgres GCP中进行**提权**。
|
||||
|
||||
当您尝试将另一个用户设置为表的所有者时,应该会出现**错误**阻止此操作,但显然GCP允许非超级用户postgres用户进行此操作:
|
||||
|
||||
|
@ -718,7 +713,7 @@ port=5432
|
|||
user=someuser
|
||||
password=supersecret
|
||||
dbname=somedb',
|
||||
'Select usename,passwd from pg_shadow')
|
||||
'SELECT usename,passwd from pg_shadow')
|
||||
RETURNS (result TEXT);
|
||||
```
|
||||
{% hint style="warning" %}
|
||||
|
@ -733,7 +728,7 @@ CREATE EXTENSION dblink;
|
|||
SELECT * FROM dblink('host=127.0.0.1
|
||||
user=someuser
|
||||
dbname=somedb',
|
||||
'Select usename,passwd from pg_shadow')
|
||||
'SELECT usename,passwd from pg_shadow')
|
||||
RETURNS (result TEXT);
|
||||
```
|
||||
可以使用以下方法来检查该函数是否存在:
|
||||
|
@ -742,7 +737,7 @@ SELECT * FROM pg_proc WHERE proname='dblink' AND pronargs=2;
|
|||
```
|
||||
### **具有** SECURITY DEFINER **的自定义定义函数**
|
||||
|
||||
在[这篇文章](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql)中,渗透测试人员能够在由IBM提供的postgres实例中提升权限,因为他们**发现了具有** SECURITY DEFINER **标志的这个函数**:
|
||||
在[**这篇文章**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql)中,渗透测试人员能够在由IBM提供的postgres实例中提升权限,因为他们**发现了具有** SECURITY DEFINER **标志的这个函数**:
|
||||
|
||||
<pre class="language-sql"><code class="lang-sql">CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
|
||||
RETURNS text
|
||||
|
@ -763,7 +758,7 @@ PERFORM dblink_disconnect();
|
|||
…
|
||||
</code></pre>
|
||||
|
||||
正如[文档中所解释的](https://www.postgresql.org/docs/current/sql-createfunction.html),具有**SECURITY DEFINER的函数**以**拥有它的用户的权限**执行。因此,如果函数**容易受到SQL注入攻击**,或者使用由攻击者控制的参数执行一些**特权操作**,则可以滥用该函数来**提升在postgres中的权限**。
|
||||
正如[**文档中所解释的**](https://www.postgresql.org/docs/current/sql-createfunction.html),具有**SECURITY DEFINER的函数**以**拥有它的用户的权限**执行。因此,如果函数**容易受到SQL注入攻击**,或者使用由攻击者控制的参数执行一些**特权操作**,则可以滥用该函数来**提升在postgres中的权限**。
|
||||
|
||||
在上述代码的第4行中,您可以看到该函数具有**SECURITY DEFINER**标志。
|
||||
```sql
|
||||
|
@ -794,7 +789,7 @@ msf> use exploit/windows/postgres/postgres_payload
|
|||
```
|
||||
### 日志记录
|
||||
|
||||
在 _**postgresql.conf**_ 文件中,您可以通过更改以下内容来启用postgresql日志记录:
|
||||
在 _**postgresql.conf**_ 文件中,您可以通过更改以下内容来启用 PostgreSQL 日志记录:
|
||||
```bash
|
||||
log_statement = 'all'
|
||||
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
|
||||
|
@ -808,7 +803,7 @@ sudo service postgresql restart
|
|||
### pgadmin
|
||||
|
||||
[pgadmin](https://www.pgadmin.org) 是用于 PostgreSQL 的管理和开发平台。\
|
||||
您可以在 _**pgadmin4.db**_ 文件中找到**密码**。\
|
||||
您可以在 _**pgadmin4.db**_ 文件中找到 **密码**。\
|
||||
您可以使用脚本中的 _**decrypt**_ 函数对其进行解密:[https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py)
|
||||
```bash
|
||||
sqlite3 pgadmin4.db ".schema"
|
||||
|
@ -822,14 +817,14 @@ string pgadmin4.db
|
|||
|
||||
![](https://lh4.googleusercontent.com/Ff8YbD3ppYmN2Omp-4M-0AAVhLsr4c2i7d7HUjgkE-O6NZ5zbaST1hdMPrp1AL\_xTXJalYe0HYxUk76vWJUfHZ5GuCDvIL1A-sMV44Z0CYSVgLM9ttFTDu-BhzewBGc7FeMarTLqsu\_N1ztXJg)
|
||||
|
||||
**每个**记录**指定**一个**连接类型**,一个**客户端 IP 地址范围**(如果对于连接类型有关),一个**数据库名称**,一个**用户名**,以及用于匹配这些参数的连接的**认证方法**。选择与连接类型、客户端地址、请求的数据库和用户名匹配的**第一个记录**用于执行认证。没有“逐级”或“备份”:**如果选择了一个记录并且认证失败,则不考虑后续记录**。如果没有记录匹配,则拒绝访问。\
|
||||
**每个**记录**指定**一个**连接类型**,一个**客户端 IP 地址范围**(如果对于连接类型有关),一个**数据库名称**,一个**用户名**,以及用于匹配这些参数的连接的**认证方法**。选择与连接类型、客户端地址、请求的数据库和用户名**匹配的第一个记录**用于执行认证。没有“逐级”或“备份”:**如果选择了一个记录并且认证失败,则不考虑后续记录**。如果没有记录匹配,则拒绝访问。\
|
||||
基于密码的认证方法有 **md5**、**crypt** 和 **password**。这些方法的操作方式类似,只是密码在连接中发送的方式不同:分别是 MD5 哈希、crypt 加密和明文。一个限制是 crypt 方法不能与在 pg\_authid 中加密的密码一起使用。
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* 你在一家**网络安全公司**工作吗?想要在 HackTricks 中**宣传你的公司**吗?或者想要**获取最新版本的 PEASS 或下载 PDF 格式的 HackTricks**吗?查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||||
* 你在一家**网络安全公司**工作吗?想要在 HackTricks 中**宣传你的公司**吗?或者想要**获取 PEASS 的最新版本或下载 HackTricks 的 PDF**吗?查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||||
* 发现我们的独家 [**NFTs**](https://opensea.io/collection/the-peass-family) 集合 [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||||
* 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
|
||||
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass),或者在 **Twitter** 上**关注**我 [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||||
|
|
Loading…
Reference in a new issue