GitBook: [#3658] No subject

This commit is contained in:
CPol 2022-11-08 23:13:00 +00:00 committed by gitbook-bot
parent 2cab8836f1
commit 7432ca3683
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 49 additions and 46 deletions


@ -64,6 +64,9 @@ SELECT lanname,lanacl FROM pg_language;
# Show installed extensions
SHOW rds.extensions;
# Get history of commands executed
\s
```
For more information about **how to abuse a PostgreSQL database** check:
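Review bot: the comment above `\s` reads "Get history of commands executed", but `\s` is a psql meta-command that prints the local client's own command history, not anything recorded by the server, and it is not an SQL statement like the `SELECT` and `SHOW` lines around it. Suggest rewording the comment to something like `# psql only: show this client's command history` so readers do not expect it to work from another client or driver.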
@ -81,6 +84,52 @@ msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#postgresql)
### **Port scanning**
According to [**this research**](https://www.exploit-db.com/papers/13084), when a connection attempt fails, `dblink` throws an `sqlclient_unable_to_establish_sqlconnection` exception including an explanation of the error. Examples of these details are listed below.
```sql
SELECT * FROM dblink_connect('host=1.2.3.4
port=5678
user=name
password=secret
dbname=abc
connect_timeout=10');
```
* Host is down
`DETAIL: could not connect to server: No route to host Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?`
* Port is closed
```
DETAIL: could not connect to server: Connection refused Is the server
running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?
```
* Port is open
```
DETAIL: server closed the connection unexpectedly This probably means
the server terminated abnormally before or while processing the request
```
or
```
DETAIL: FATAL: password authentication failed for user "name"
```
* Port is open or filtered
```
DETAIL: could not connect to server: Connection timed out Is the server
running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?
```
Unfortunately, there does not seem to be a way of getting the exception details within a PL/pgSQL function. But you can get the details if you can connect directly to the PostgreSQL server. If it is not possible to get usernames and passwords directly out of the system tables, the wordlist at- tack described in the previous section might prove successful.
## Enumeration of Privileges
### Roles
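Review bot: in the closing paragraph of the new "Port scanning" section, "the wordlist at- tack described in the previous section" carries a line-break hyphen and a cross-reference copied from the source paper. Change it to "wordlist attack" and point explicitly at the Brute force heading directly above rather than at "the previous section". The list formatting is also inconsistent: the "Host is down" detail is inline code on a single line while the other three cases use fenced blocks, so use one style for all four.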
@ -192,52 +241,6 @@ ORDER BY routines.routine_name, parameters.ordinal_position;
SELECT * FROM pg_proc;
```
### **Port scanning**
According to [**this research**](https://www.exploit-db.com/papers/13084), when a connection attempt fails, `dblink` throws an `sqlclient_unable_to_establish_sqlconnection` exception including an explanation of the error. Examples of these details are listed below.
```sql
SELECT * FROM dblink_connect('host=1.2.3.4
port=5678
user=name
password=secret
dbname=abc
connect_timeout=10');
```
* Host is down
`DETAIL: could not connect to server: No route to host Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?`
* Port is closed
```
DETAIL: could not connect to server: Connection refused Is the server
running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?
```
* Port is open
```
DETAIL: server closed the connection unexpectedly This probably means
the server terminated abnormally before or while processing the request
```
or
```
DETAIL: FATAL: password authentication failed for user "name"
```
* Port is open or filtered
```
DETAIL: could not connect to server: Connection timed out Is the server
running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?
```
Unfortunately, there does not seem to be a way of getting the exception details within a PL/pgSQL function. But you can get the details if you can connect directly to the PostgreSQL server. If it is not possible to get usernames and passwords directly out of the system tables, the wordlist at- tack described in the previous section might prove successful.
## **Postgres Privesc**
### CREATEROLE Privesc
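Review bot: the "Port scanning" block deleted here (starting at old line 192) is the same text that the hunk at +84 adds, so this is a relocation, yet the commit subject "No subject" gives no hint of that. Suggest a subject that names the move, for example "postgresql: move Port scanning section before Enumeration of Privileges", so the history is readable without comparing both hunks.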