id: psql-user-enum

info:
  name: PostgreSQL - User Enumeration
  author: pussycat0x
  severity: low
  description: |
    PSQL user enumeration.
  reference:
    - https://medium.com/@netscylla/pentesters-guide-to-postgresql-hacking-59895f4f007
  metadata:
    verified: "true"
    max-request: 1
    shodan-query: port:5432 product:"PostgreSQL"
  tags: network,postgresql,db,unauth,enum,psql,tcp
tcp:
  - inputs:
      - data: "{{hex_encode('\u0000\u0000\u0000{{str}}\u0000\u0003\u0000\u0000user\u0000{{users}}\u0000database\u0000{{users}}\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000')}}"
        type: hex

    host:
      - "{{Hostname}}"
    port: 5432

    attack: clusterbomb
    payloads:
      users:
        - postgres
        - tst
      str:
        - J
        - T
        - R

    matchers:
      - type: word
        part: raw
        words:
          - "client_encoding"
          - "integer_datetimes"
        condition: and
# digest: 4b0a004830460221008095acce0587a9fd82cde4ec9084cb6787f82467508236f363180f91d3e48ff50221008910881e6fe3c644dab9e5d005f2d67eb2a06a2369e7965f53253ab5b0dd9140:922c64590222798bb761d5b6d8e72950