Skip to content

Pentest tool. Conviniently invoke RCE on many PostgreSQL servers in network

Notifications You must be signed in to change notification settings

attackercan/psql-mass-rce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 

Repository files navigation

Conviniently invoke RCE on PostgreSQL servers in network

How does it work?

Few examples to give you an idea:

Example Comment
./psql-mass-rce.py 10.1.1.10 192.168.0.100-150 --port 5433 Accepts any number of any targets
./psql-mass-rce.py 10.1.1.1/30 ./psql.gnmap --passfile rockyou.txt Accepts IP subnets and .gnmap files
./psql-mass-rce.py -iL ./targets.txt --userfile users.txt Load IP[:port] from local file (nmap-alike)

Scripts does the following:

  1. Checks if port is open
  2. Bruteforces credentials (using built-in dictionary or user files)
  3. Determines PostgreSQL version and OS
  4. Executes RCE if database user has enough rights

Live hosts with good credentials are saved to session file. After reconnaissance you may want to run RCE on those:
./psql-mass-rce.py --saved --command 'whoami'

Installation:

pip3 install -r requirements.txt

Which PostgreSQL versions can give me RCE?

PostgreSQL verions 9 and 10 (version 8 is in development).

Any zero-days inside?

Not yet. Technique was published almost 3 years ago.

Will it save my time?

Definately yes.

Before After
1. run nmap for port scanning
2. run patator/hydra to bruteforce credentials
3. run psql binary to connect and check version
4. copy-paste payloads, or launch MSF postgres_payload manually at each host.
./psql-mass-rce.py 10.1.1.0/24

Full help:

psql-mass-rce v0.1

Usage: psql-mass-rce.py targets [-iL TARGETS_FILE] [--userfile USERFILE]
               [--passfile PASSFILE] [--command COMMAND] [--port PORT]
               [--saved]

Necessary arguments:
  targets              Accepts any number of these: IP, subnet, or .gnmap file

Optional arguments:
  -h, --help           show this help message and exit
  -iL TARGETS_FILE     Load IP[:port] targets from local file
  --userfile USERFILE  File with a list of users
  --passfile PASSFILE  File with a list of passwords
  --command COMMAND    Command to execute on a target machine
  --port PORT          Port to connect
  --saved              Work on targets from saved session file

About

Pentest tool. Conviniently invoke RCE on many PostgreSQL servers in network

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages