Hello guys! I have been working on PostgreSQL databases and attempting to attack one for a few days.
The reason for this is that I want to get access to my college database and gain some juicy information.
So the first thing I did was scan the entire network for open ports using nmap. Since I’m using
Kali Linux, it is directly available from the terminal by typing nmap. You can scan a server and
get a list of open ports and the services running on them just by typing ‘nmap -sV [ip_address]’.
The above command scans the first 1024 ports on the victim’s computer and gives a list of the open
ports and the services running on them. The programs that listen on a particular port are known as daemons.
Scanning servers for open ports and daemons is known as ‘port scanning’.
Note: Port scanning a server without permission is illegal and may land you behind bars.
I highly recommend that you use a paid VPN (Virtual Private Network) connection before you attempt
to port scan or hack into any server.
As you can see from the above image, port 5432 is open and the service running on it is
‘postgres’. You can also see the version of the daemon, that is, 8.1. After I found this service running,
I searched for a vulnerability using Metasploit.
I hope you have basic knowledge of Metasploit, as I have already written an article on it.
If not, you can request articles by contacting us. You can run Metasploit by typing ‘msfconsole’
in the terminal. To search for an exploit, auxiliary or payload you can use the command ‘search [keyword]’.
To update the exploits you can type ‘msfupdate’. You can use the professional version by typing
‘go_pro’, but you need to register for that.
So let’s begin…
When I searched for postgres, I got a list of auxiliaries and exploits. Below is the screenshot of what I
Take a look at the above results. You’ll find an auxiliary named ‘auxiliary/scanner/postgres/postgres_login’
and it says PostgreSQL login utility. This auxiliary brute-forces the default usernames and passwords and
shows you the correct username and password.
To use this auxiliary, type ‘use auxiliary/scanner/postgres/postgres_login’.
Now you have to provide it with the details of where you want to run this Metasploit auxiliary, that is,
the host IP address. In my case it is ‘172.20.0.1’; this is an internal server, so don’t try to exploit
this IP, you won’t find any server running at this address!
To give the host IP, just type ‘set RHOST 172.20.0.1’. This sets the host IP address; replace ‘172.20.0.1’
with the IP address of the server you want access to. Remember, this will connect only when
the remote server is running a PostgreSQL (‘psql’) server. Have a look at the image below to get an idea of what I’m talking about.
So now what we finally need to do is exploit. Just type ‘exploit’ and hit enter.
Screenshot of the details I got after exploiting.
You can see it attempted various default passwords and shows ‘Success’ for the attempts which were correct.
Hence we know the psql login details of the server. The username is “postgres” and the password is blank.
Trust me, the world is full of stupids! As you can see, they have not set up any password for authentication.
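From the defender’s side, a blank password working at all usually means a ‘trust’ line in pg_hba.conf, and a login scanner like the one above leaves a burst of FATAL authentication failures in the PostgreSQL log just before the one that succeeds. The following Python script is an added example, not part of this article or of Metasploit or PostgreSQL; it audits pg_hba.conf for weak authentication methods and runs a sliding-window brute-force detector over server log lines. The log line prefix (assumed to be log_line_prefix ‘%m [%p] %h ’), the sample log lines and the sample pg_hba.conf are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log_line_prefix '%m [%p] %h ': timestamp, pid, client host (assumption).
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \w+ \[\d+\] (?P<host>\S+) '
    r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
# Failed attempts: wrong password or a guessed role name that does not exist.
FAIL_RE = re.compile(r'(?:password authentication failed for user|role) "(?P<user>[^"]+)"')
# Successful login (requires log_connections = on).
OK_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
CONNECTION_TYPES = {'local', 'host', 'hostssl', 'hostnossl', 'hostgssenc', 'hostnogssenc'}

# Constructed sample log: one client guesses six times, then gets in; another fails once.
SAMPLE_LOG = """\
2024-03-01 10:00:01.001 UTC [4101] 172.20.0.55 FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:02.002 UTC [4102] 172.20.0.55 FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:03.003 UTC [4103] 172.20.0.55 FATAL:  role "admin" does not exist
2024-03-01 10:00:04.004 UTC [4104] 172.20.0.55 FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:05.005 UTC [4105] 172.20.0.55 FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:06.006 UTC [4106] 172.20.0.55 FATAL:  password authentication failed for user "postgres"
2024-03-01 10:00:07.007 UTC [4107] 172.20.0.55 LOG:  connection authorized: user=postgres database=apexserver
2024-03-01 10:05:00.000 UTC [4108] 172.20.0.60 FATAL:  password authentication failed for user "alice"
2024-03-01 10:06:00.000 UTC [4109] 172.20.0.60 LOG:  checkpoint starting: time
"""

# Constructed sample pg_hba.conf: line 4 is the open 'trust' entry, line 5 uses netmask form and md5.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                  METHOD
local   all       all                                peer
host    all       all       127.0.0.1/32             scram-sha-256
host    all       all       0.0.0.0/0                trust
host    all       postgres  172.20.0.0 255.255.0.0   md5
"""


def parse_auth_events(lines):
    """Return (timestamp, client host, user, 'failed'|'success') for each auth-related line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        if m['level'] == 'FATAL':
            f = FAIL_RE.search(m['msg'])
            if f:
                events.append((ts, m['host'], f['user'], 'failed'))
        elif m['level'] == 'LOG':
            s = OK_RE.search(m['msg'])
            if s:
                events.append((ts, m['host'], s['user'], 'success'))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding window of failures per client host.

    Returns ({host: peak failures in any window} for hosts at/over threshold,
             {hosts whose success came right after such a burst}).
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    success_after_burst = set()
    for ts, host, _user, outcome in sorted(events):
        window = windows[host]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if outcome == 'failed':
            window.append(ts)
            peak[host] = max(peak[host], len(window))
        elif len(window) >= threshold:
            success_after_burst.add(host)
    flagged = {h: n for h, n in peak.items() if n >= threshold}
    return flagged, success_after_burst


def audit_pg_hba(text):
    """Flag pg_hba.conf entries that allow passwordless or weakly protected logins."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split('#', 1)[0].split()
        if not fields or fields[0] not in CONNECTION_TYPES:
            continue
        if fields[0] == 'local':
            if len(fields) < 4:
                continue
            address, method = '(unix socket)', fields[3]
        elif len(fields) >= 6 and IPV4_RE.match(fields[4]):
            address, method = f'{fields[3]} {fields[4]}', fields[5]  # "addr netmask" form
        elif len(fields) >= 5:
            address, method = fields[3], fields[4]
        else:
            continue
        where = f'{fields[0]} {address} user={fields[2]}'
        if method == 'trust':
            findings.append((lineno, f'{where}: trust lets any client in with no password'))
        elif method == 'password':
            findings.append((lineno, f'{where}: password sends the password in cleartext'))
        elif method == 'md5':
            findings.append((lineno, f'{where}: md5 is weaker than scram-sha-256'))
    return findings


if __name__ == '__main__':
    flagged, after = detect_bruteforce(parse_auth_events(SAMPLE_LOG.splitlines()))
    for host, n in flagged.items():
        tag = ' and then LOGGED IN' if host in after else ''
        print(f'{host}: {n} failed logins within 60s{tag}')
    for lineno, msg in audit_pg_hba(SAMPLE_PG_HBA):
        print(f'pg_hba.conf:{lineno}: {msg}')
```

The detector only sees failures if the server logs them, and only sees the success if log_connections is on, so both belong in postgresql.conf on any exposed instance; the audit is the part to run before an attacker does, since a ‘trust’ line for a network range is exactly what turns a default ‘postgres’ account into an open door.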
Now we connect to the psql server by just typing ‘psql -h 172.20.0.1 -U postgres’.
Note: Remember, you will have to come out of msfconsole and type the above command, i.e., you will have to close
the Metasploit session by typing exit and then proceed at the ‘root’ terminal.
Here, to get the list of databases we have to type \l. Below is the screenshot showing the existing databases.
Now, since you know the names of the databases in psql, you can log in directly from the terminal by typing
‘psql -h 172.20.0.1 -U postgres -d apexserver’. Here apexserver is the name of the database and ‘-d’ specifies that
the keyword following it is the name of the database. So when I type this in a new terminal you can see
that I get straight into the database.
Check the image below to see how the above command worked.
Once you’ve got into the database, it’s a whole new ball game from here. You just need to know a few SQL commands to explore and
exploit the database. But in this article I will just show you how to get access to the database and steal the
usernames and passwords.
So now, to view the tables inside the database you just have to type ‘\d’. If you type ‘\d+’ then you will get
some additional information about the size of each table.
In the above image you can see the list of the tables present in the database named ‘apexserver’.
Now if you want to access the data present in a table, you have to type the following command:
‘SELECT * FROM table_name’. Here, I chose to access the credentials in the table ‘userpassword’.
So, my command will be ‘SELECT * FROM userpassword’.
As you can see in the above image, I have got the complete list of usernames and passwords stored in that
particular table. We could also change the content of the database, but I am not going to describe that here.
So that’s all for now! Have fun and please comment your views…