Metasploitable/Postgres: Difference between revisions
From charlesreid1
Revision as of 03:16, 25 March 2016
This page covers activities against the Metasploitable VirtualBox machine that relate to the PostgreSQL service it runs.
Recon
Reminder, the remote machine (Metasploitable) is available at 10.0.0.27.
<pre>
$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
</pre>
Search Metasploit for Exploits
<pre>
msf auxiliary(postgres_version) > search postgresql

Matching Modules
================

   Name                                                        Disclosure Date  Rank       Description
   ----                                                        ---------------  ----       -----------
   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   auxiliary/admin/http/rails_devise_pass_reset                2013-01-28       normal     Ruby on Rails Devise Authentication Password Reset
   auxiliary/admin/postgres/postgres_readfile                                   normal     PostgreSQL Server Generic Query
   auxiliary/admin/postgres/postgres_sql                                        normal     PostgreSQL Server Generic Query
   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     PostgreSQL Database Name Command Line Flag Injection
   auxiliary/scanner/postgres/postgres_login                                    normal     PostgreSQL Login Utility
   auxiliary/scanner/postgres/postgres_version                                  normal     PostgreSQL Version Probe
   auxiliary/server/capture/postgresql                                          normal     Authentication Capture: PostgreSQL
   exploit/linux/postgres/postgres_payload                     2007-06-05       excellent  PostgreSQL for Linux Payload Execution
   exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   exploit/windows/postgres/postgres_payload                   2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution
   post/linux/gather/enum_users_history                                         normal     Linux Gather User History
</pre>
Scanner
One of the first pieces of information you will need, even before running a brute-force attack on a PostgreSQL login, is a database name.
Start with an exploit to obtain a PostgreSQL database name:
Postgres dbname flag injection
Use the postgres_dbname_flag_injection exploit:
<pre>
msf > use auxiliary/scanner/postgres/postgres_dbname_flag_injection
</pre>
Information about Exploit
These two commands will show some
<pre>
msf auxiliary(postgres_dbname_flag_injection) > info auxiliary/scanner/postgres/postgres_dbname_flag_injection
msf auxiliary(postgres_dbname_flag_injection) > advanced auxiliary/scanner/postgres/postgres_dbname_flag_injection
</pre>
Here is the output of basic information:
<pre>
msf auxiliary(postgres_dbname_flag_injection) > info auxiliary/scanner/postgres/postgres_dbname_flag_injection

       Name: PostgreSQL Database Name Command Line Flag Injection
     Module: auxiliary/scanner/postgres/postgres_dbname_flag_injection
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <x@hdm.io>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target address range or CIDR identifier
  RPORT    5432             yes       The target port
  THREADS  1                yes       The number of concurrent threads

Description:
  This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that
  are vulnerable to command-line flag injection through CVE-2013-1899.
  This can lead to denial of service, privilege escalation, or even
  arbitrary code execution.

References:
  http://cvedetails.com/cve/2013-1899/
  http://www.postgresql.org/support/security/faq/2013-04-04/
</pre>
We can show the basic options, then set the target host and port:
<pre>
msf auxiliary(postgres_dbname_flag_injection) > show options

Module options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5432             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > set RPORT 5432
RPORT => 5432
</pre>
Now we can show the advanced options:
<pre>
msf auxiliary(postgres_dbname_flag_injection) > advanced

Module advanced options (auxiliary/scanner/postgres/postgres_dbname_flag_injection):

   Name           : CHOST
   Current Setting:
   Description    : The local client address

   Name           : CPORT
   Current Setting:
   Description    : The local client port

   Name           : ConnectTimeout
   Current Setting: 10
   Description    : Maximum number of seconds to establish a TCP connection

   Name           : Proxies
   Current Setting:
   Description    : A proxy chain of format type:host:port[,type:host:port][...]

   Name           : SSL
   Current Setting: false
   Description    : Negotiate SSL for outgoing connections

   Name           : SSLCipher
   Current Setting:
   Description    : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"

   Name           : SSLVerifyMode
   Current Setting: PEER
   Description    : SSL verification method (Accepted: CLIENT_ONCE,
                    FAIL_IF_NO_PEER_CERT, NONE, PEER)

   Name           : SSLVersion
   Current Setting: TLS1
   Description    : Specify the version of SSL/TLS to be used (TLS and SSL23 are
                    auto-negotiate) (Accepted: SSL2, SSL3, SSL23, TLS, TLS1, TLS1.1,
                    TLS1.2)

   Name           : ShowProgress
   Current Setting: true
   Description    : Display progress messages during a scan

   Name           : ShowProgressPercent
   Current Setting: 10
   Description    : The interval in percent that progress should be shown

   Name           : VERBOSE
   Current Setting: false
   Description    : Enable detailed status messages

   Name           : WORKSPACE
   Current Setting:
   Description    : Specify the workspace for this module
</pre>
When an Exploit Doesn't Work
The PostgreSQL version on Metasploitable (8.3.x, per the nmap results above) is too old to be affected by the postgres_dbname_flag_injection module: it checks for CVE-2013-1899, which applies to PostgreSQL 9.0, 9.1, and 9.2 servers, so the module reports the host as not vulnerable.
<pre>
msf auxiliary(postgres_dbname_flag_injection) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(postgres_dbname_flag_injection) > run

[*] 10.0.0.27:5432 does not appear to be vulnerable to CVE-2013-1899
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
</pre>
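The reason the module comes back negative is visible in the nmap recon output above: the banner reports PostgreSQL 8.3.0 - 8.3.7, and the module's own description limits CVE-2013-1899 to the 9.0, 9.1 and 9.2 series. The following Python script, added here as an example and not part of the original page or of Metasploit, shows how a defender can triage that automatically: it parses nmap's normal-format port lines, pulls the version range from any postgresql entry, and decides whether the CVE-2013-1899 check is even applicable before anyone spends time on it. The sample lines are constructed from the page's scan plus one invented 9.1 banner to exercise the other branch; the function and constant names are my own.

```python
import re

# Constructed sample input: two lines from the page's nmap -sV output and one
# invented banner for a 9.1 server so both outcomes are exercised.
SAMPLE_NMAP_LINES = [
    "5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7",
    "3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5",
    "5432/tcp open  postgresql  PostgreSQL DB 9.1.0 - 9.1.3",  # constructed, not from the scan
]

# Major.minor series the module description says CVE-2013-1899 applies to.
# nmap's banner only supports a series-level decision, so that is all we make.
CVE_2013_1899_SERIES = {"9.0", "9.1", "9.2"}

# One nmap port line: "<port>/<proto> <state> <service> <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# nmap's PostgreSQL fingerprint: "PostgreSQL DB <low>[ - <high>]"
PG_RANGE = re.compile(r"PostgreSQL DB (?P<lo>\d+\.\d+\.\d+)(?: - (?P<hi>\d+\.\d+\.\d+))?")


def parse_port_line(line):
    """Split one nmap port line into its fields; returns None for script/other lines."""
    m = PORT_LINE.match(line.strip())
    return m.groupdict() if m else None


def series_from_range(version_field):
    """Return the set of major.minor series that nmap's low-high guess may cover."""
    m = PG_RANGE.search(version_field)
    if not m:
        return set()
    lo = m.group("lo")
    hi = m.group("hi") or lo  # a single version has no " - high" part
    return {".".join(v.split(".")[:2]) for v in (lo, hi)}


def cve_2013_1899_applicable(line):
    """True when the banner could belong to a 9.0/9.1/9.2 server, i.e. the check applies."""
    fields = parse_port_line(line)
    if not fields or fields["service"] != "postgresql":
        return False
    return bool(series_from_range(fields["version"]) & CVE_2013_1899_SERIES)


def triage(lines):
    """Map each postgresql port line to whether the CVE-2013-1899 check applies to it."""
    result = {}
    for line in lines:
        fields = parse_port_line(line)
        if fields and fields["service"] == "postgresql":
            result[line] = cve_2013_1899_applicable(line)
    return result


if __name__ == "__main__":
    for line, applies in triage(SAMPLE_NMAP_LINES).items():
        print(f"{line!r}: CVE-2013-1899 check applies = {applies}")
```

Run against the page's scan the script reports the 8.3 banner as out of scope, which matches the module's "does not appear to be vulnerable" result; an inventory of real hosts can be fed in by pasting the port lines from `nmap -sV` output. Because nmap reports a range rather than an exact version, a positive result only means the check is worth running, not that the server is vulnerable.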