PostgreSQL Database Name Command Line Flag Injection - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/postgres/postgres_dbname_flag_injection metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: PostgreSQL Database Name Command Line Flag Injection
Module: auxiliary/scanner/postgres/postgres_dbname_flag_injection
Source code: modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 5432
List of CVEs: CVE-2013-1899

This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution.

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/postgres/postgres_dbname_flag_injection
msf auxiliary(postgres_dbname_flag_injection) > show options
    ... show and set options ...
msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS ip-range
msf auxiliary(postgres_dbname_flag_injection) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS file:/tmp/ip_list.txt

Required Options

---

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage

---

Here is how the scanner/postgres/postgres_dbname_flag_injection auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/postgres/postgres_dbname_flag_injection

msf6 auxiliary(scanner/postgres/postgres_dbname_flag_injection) > show info

       Name: PostgreSQL Database Name Command Line Flag Injection
     Module: auxiliary/scanner/postgres/postgres_dbname_flag_injection
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <[email protected]>

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    5432             yes       The target port (TCP)
  THREADS  1                yes       The number of concurrent threads (max one per host)

Description:
  This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that 
  are vulnerable to command-line flag injection through CVE-2013-1899. 
  This can lead to denial of service, privilege escalation, or even 
  arbitrary code execution.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2013-1899
  http://www.postgresql.org/support/security/faq/2013-04-04/

Module Options

---

This is a complete list of options available in the scanner/postgres/postgres_dbname_flag_injection auxiliary module:

msf6 auxiliary(scanner/postgres/postgres_dbname_flag_injection) > show options

Module options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    5432             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

Advanced Options

---

Here is a complete list of advanced options supported by the scanner/postgres/postgres_dbname_flag_injection auxiliary module:

msf6 auxiliary(scanner/postgres/postgres_dbname_flag_injection) > show advanced

Module advanced options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                                 no        The local client port
   ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                             no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode        PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion           Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the scanner/postgres/postgres_dbname_flag_injection module can do:

msf6 auxiliary(scanner/postgres/postgres_dbname_flag_injection) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the scanner/postgres/postgres_dbname_flag_injection auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/postgres/postgres_dbname_flag_injection) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

---

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<RHOST>:<RPORT> does not allow connections from us

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> does not allow connections from us" error message:

60:	        :name	=> self.name,
61:	        :info	=> "Vulnerable: " + proof,
62:	        :refs   => self.references
63:	      })
64:	    elsif resp.to_s =~ /pg_hba\.conf/
65:	      print_error("#{rhost}:#{rport} does not allow connections from us")
66:	    else
67:	      print_status("#{rhost}:#{rport} does not appear to be vulnerable to CVE-2013-1899")
68:	    end
69:	  end
70:	end

<RHOST>:<RPORT> does not appear to be vulnerable to CVE-2013-1899

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> does not appear to be vulnerable to CVE-2013-1899" error message:

60:	        :name	=> self.name,
61:	        :info	=> "Vulnerable: " + proof,
62:	        :refs   => self.references
63:	      })
64:	    elsif resp.to_s =~ /pg_hba\.conf/
65:	      print_error("#{rhost}:#{rport} does not allow connections from us")
66:	    else
67:	      print_status("#{rhost}:#{rport} does not appear to be vulnerable to CVE-2013-1899")
68:	    end
69:	  end
70:	end

Go back to menu.

Related Pull Requests

---

• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #2525 Merged Pull Request: Change module boilerplate
• #1711 Merged Pull Request: Improve Postgres CVE-2013-1899 to detect unauthorized connections
• #1702 Merged Pull Request: Adds a PostgreSQL scanner module

References

---

• CVE-2013-1899
• http://www.postgresql.org/support/security/faq/2013-04-04/

See Also

---

Check also the following modules related to this module:

• auxiliary/admin/postgres/postgres_readfile
• auxiliary/admin/postgres/postgres_sql
• auxiliary/scanner/postgres/postgres_hashdump
• auxiliary/scanner/postgres/postgres_login
• auxiliary/scanner/postgres/postgres_schemadump
• auxiliary/scanner/postgres/postgres_version
• auxiliary/server/capture/postgresql
• exploit/linux/postgres/postgres_payload
• exploit/multi/postgres/postgres_copy_from_program_cmd_exec
• exploit/multi/postgres/postgres_createlang
• exploit/windows/postgres/postgres_payload
• auxiliary/admin/http/wp_symposium_sql_injection
• auxiliary/gather/ie_uxss_injection
• auxiliary/scanner/http/error_sql_injection
• auxiliary/scanner/http/host_header_injection
• auxiliary/scanner/http/wordpress_content_injection

Related Nessus plugins:

• Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities
• Mac OS X Multiple Vulnerabilities (Security Update 2013-004)

Authors

---

• hdm

Version

---

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.