modules/auxiliary/scanner/postgres/postgres_version.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Postgres
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::OptionalSession::PostgreSQL

  # Creates an instance of this module.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PostgreSQL Version Probe',
        'Description' => %q{
          Enumerates the version of PostgreSQL servers.
        },
        'Author' => [ 'todb' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://www.postgresql.org/' ]
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ ]) # None needed.

    deregister_options('SQL', 'RETURN_ROWSET')
  end

  # Loops through each host in turn. Note the current IP address is both
  # ip and datastore['RHOST']
  def run_host(ip)
    self.postgres_conn = session.client if session
    user = datastore['USERNAME']
    pass = postgres_password
    do_fingerprint(user, pass, datastore['DATABASE'])
  end

  # Alias for RHOST
  def rhost
    postgres_conn&.peerhost || datastore['RHOST']
  end

  # Alias for RPORT
  def rport
    postgres_conn&.peerport || datastore['RPORT']
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def do_fingerprint(user = nil, pass = nil, database = nil)
    begin
      msg = "#{rhost}:#{rport} Postgres -"
      password = pass || postgres_password
      vprint_status("#{msg} Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'") unless postgres_conn
      result = postgres_fingerprint(
        :db => database,
        :username => user,
        :password => password
      )
      if result[:auth]
        vprint_good "#{rhost}:#{rport} Postgres - Logged in to '#{database}' with '#{user}':'#{password}'" unless session
        print_status "#{rhost}:#{rport} Postgres - Version #{result[:auth]} (Post-Auth)"
      elsif result[:preauth]
        print_good "#{rhost}:#{rport} Postgres - Version #{result[:preauth]} (Pre-Auth)"
      else # It's something we don't know yet
        vprint_status "#{rhost}:#{rport} Postgres - Authentication Error Fingerprint: #{result[:unknown]}"
        print_status "#{rhost}:#{rport} Postgres - Version Unknown (Pre-Auth)"
      end

      # Reporting
      report_service(
        :host => rhost,
        :port => rport,
        :name => "postgres",
        :info => result.values.first
      )

      if self.postgres_conn
        report_cred(
          ip: rhost,
          port: rport,
          service_name: 'postgres',
          user: user,
          password: password,
          proof: "postgres_conn = #{self.postgres_conn.inspect}"
        )
      end

      if result[:unknown]
        report_note(
          :host => rhost,
          :proto => 'tcp',
          :sname => 'postgres',
          :port => rport,
          :ntype => 'postgresql.fingerprint',
          :data => { :unknown_pre_auth_fingerprint => result[:unknown] }
        )
      end

      # Logout
      postgres_logout if self.postgres_conn && session.blank?
    rescue Rex::ConnectionError
      vprint_error "#{rhost}:#{rport} Connection Error: #{$!}"
      return :done
    end
  end
end
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`include Msf::Exploit::Remote::Postgres`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
Use individual session mixins 2024-02-12 11:52:48 +00:00			`include Msf::OptionalSession::PostgreSQL`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`# Creates an instance of this module.`
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'PostgreSQL Version Probe',`
			`'Description' => %q{`
			`Enumerates the version of PostgreSQL servers.`
			`},`
			`'Author' => [ 'todb' ],`
			`'License' => MSF_LICENSE,`
			`'References' => [`
fix URLs not resolving 2022-01-23 15:28:32 -05:00			`[ 'URL', 'https://www.postgresql.org/' ]`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`],`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([ ]) # None needed.`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`deregister_options('SQL', 'RETURN_ROWSET')`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`# Loops through each host in turn. Note the current IP address is both`
			`# ip and datastore['RHOST']`
			`def run_host(ip)`
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`self.postgres_conn = session.client if session`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`user = datastore['USERNAME']`
			`pass = postgres_password`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`do_fingerprint(user, pass, datastore['DATABASE'])`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`# Alias for RHOST`
			`def rhost`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`postgres_conn&.peerhost \|\| datastore['RHOST']`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fix typo in title. Thanks ragecyr! 2010-03-30 17:57:22 +00:00			`# Alias for RPORT`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`def rport`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`postgres_conn&.peerport \|\| datastore['RPORT']`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Use the latest credential API, no more report_auth_info 2015-09-04 03:04:14 -05:00			`def report_cred(opts)`
			`service_data = {`
			`address: opts[:ip],`
			`port: opts[:port],`
			`service_name: opts[:service_name],`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: opts[:user],`
			`private_data: opts[:password],`
			`private_type: :password`
			`}.merge(service_data)`

			`login_data = {`
			`core: create_credential(credential_data),`
			`status: Metasploit::Model::Login::Status::UNTRIED,`
			`proof: opts[:proof]`
			`}.merge(service_data)`

			`create_credential_login(login_data)`
			`end`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`def do_fingerprint(user = nil, pass = nil, database = nil)`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`begin`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`msg = "#{rhost}:#{rport} Postgres -"`
			`password = pass \|\| postgres_password`
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`vprint_status("#{msg} Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'") unless postgres_conn`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`result = postgres_fingerprint(`
			`:db => database,`
			`:username => user,`
			`:password => password`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`)`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`if result[:auth]`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`vprint_good "#{rhost}:#{rport} Postgres - Logged in to '#{database}' with '#{user}':'#{password}'" unless session`
			`print_status "#{rhost}:#{rport} Postgres - Version #{result[:auth]} (Post-Auth)"`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`elsif result[:preauth]`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`print_good "#{rhost}:#{rport} Postgres - Version #{result[:preauth]} (Pre-Auth)"`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`else # It's something we don't know yet`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`vprint_status "#{rhost}:#{rport} Postgres - Authentication Error Fingerprint: #{result[:unknown]}"`
			`print_status "#{rhost}:#{rport} Postgres - Version Unknown (Pre-Auth)"`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`# Reporting`
			`report_service(`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`:host => rhost,`
			`:port => rport,`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`:name => "postgres",`
			`:info => result.values.first`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`)`
Retab modules 2013-08-30 16:28:54 -05:00
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`if self.postgres_conn`
Use the latest credential API, no more report_auth_info 2015-09-04 03:04:14 -05:00			`report_cred(`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`ip: rhost,`
			`port: rport,`
Use the latest credential API, no more report_auth_info 2015-09-04 03:04:14 -05:00			`service_name: 'postgres',`
			`user: user,`
			`password: password,`
			`proof: "postgres_conn = #{self.postgres_conn.inspect}"`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`if result[:unknown]`
			`report_note(`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`:host => rhost,`
Fixes #3655 . Subbed out all the :proto's that were really :snames for all the note reporting. This was getting caught anyway in most cases, but it's better to have the modules themselves actually be correct for future copy-pasters. 2011-02-04 01:54:32 +00:00			`:proto => 'tcp',`
style compliance fixes, naughty naughty 2011-02-22 20:49:44 +00:00			`:sname => 'postgres',`
Fix postgres version logging 2024-03-22 16:50:01 +00:00			`:port => rport,`
Add the missing note type 2011-06-03 00:49:45 +00:00			`:ntype => 'postgresql.fingerprint',`
Fixes modules to now correctly use a hash with report note 2025-05-21 10:45:08 +01:00			`:data => { :unknown_pre_auth_fingerprint => result[:unknown] }`
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Indentation fixes (wrapping everything in a begin;rescue;end, didn't want 2010-02-16 18:09:51 +00:00			`# Logout`
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`postgres_logout if self.postgres_conn && session.blank?`
Fixes #808 . Removes the pre-connect test from login and version. 2010-02-16 18:05:51 +00:00			`rescue Rex::ConnectionError`
These modules should use vprint_xxx() instead of print_xxx() ... if datastore['VERBOSE'] 2012-01-30 13:08:35 -06:00			`vprint_error "#{rhost}:#{rport} Connection Error: #{$!}"`
Fixes #808 . Removes the pre-connect test from login and version. 2010-02-16 18:05:51 +00:00			`return :done`
			`end`
Fixes #811 by implementing an enumerator for PostgreSQL. 2010-02-05 15:20:59 +00:00			`end`
			`end`