Related vulnerability
Title:
PostgreSQL security vulnerability
(CVE-2017-15099)
Description: PostgreSQL is a free object-relational database management system developed by the PostgreSQL Global Development Group. It supports most of the SQL standard and provides many other features, such as foreign keys, triggers and views. PostgreSQL contains a security bypass vulnerability. A remote attacker can exploit it to bypass security restrictions and perform unauthorized operations. The following versions are affected: PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10.
Introduction
# CVE-2022-21724: JDBC RCE PostgreSQL
## Intro
This demo shows how an unpatched JDBC driver can be used to attack PostgreSQL and gain RCE.
It affects the org.postgresql:postgresql package, versions [9.4.1208,42.2.25) and [42.3.0,42.3.2).
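The affected versions above are written in Maven interval notation, where `[lo,hi)` means `lo <= version < hi`. The following script, added here as a defender's check and not part of the PoC repository, parses that notation and reports whether a given pgjdbc version (as it would appear in a dependency report) falls inside one of the listed ranges. The interval string is taken from the README; the sample version strings are constructed for the example.

```python
"""Check whether a pgjdbc (org.postgresql:postgresql) version falls inside the
Maven-style version ranges listed for CVE-2022-21724.

Added example, not code from the PoC repository. AFFECTED_RANGES is copied from
the README; the versions in the __main__ block are constructed samples.
"""
import re

# Interval notation as given in the README: "[lo,hi)" means lo <= v < hi.
AFFECTED_RANGES = "[9.4.1208,42.2.25) [42.3.0,42.3.2)"

_RANGE_RE = re.compile(r"([\[(])\s*([^,\]\)]*)\s*,\s*([^,\]\)]*)\s*([\])])")


def parse_version(text):
    """Turn '42.2.24' or '9.4.1208.jre7' into a tuple of ints.

    Only the leading numeric components are compared; a trailing qualifier such
    as '.jre7' or '.jre8' (pgjdbc's JRE-specific artifacts) is ignored."""
    parts = []
    for piece in text.strip().split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # stop at the first non-numeric qualifier
    if not parts:
        raise ValueError(f"not a version: {text!r}")
    return tuple(parts)


def _cmp(a, b):
    """Compare two version tuples as if zero-padded (42.2 == 42.2.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_ranges(spec):
    """Parse whitespace-separated Maven intervals like '[lo,hi)' or '(lo,hi]'.

    Returns a list of (lo, lo_inclusive, hi, hi_inclusive); an empty bound
    (e.g. '[1.0,)') means unbounded on that side."""
    ranges = []
    for m in _RANGE_RE.finditer(spec):
        open_br, lo, hi, close_br = m.groups()
        ranges.append((
            parse_version(lo) if lo.strip() else None, open_br == "[",
            parse_version(hi) if hi.strip() else None, close_br == "]",
        ))
    if not ranges:
        raise ValueError(f"no intervals found in {spec!r}")
    return ranges


def is_affected(version, spec=AFFECTED_RANGES):
    """True if `version` lies inside any interval of `spec`."""
    v = parse_version(version)
    for lo, lo_inc, hi, hi_inc in parse_ranges(spec):
        above_lo = lo is None or _cmp(v, lo) > 0 or (lo_inc and _cmp(v, lo) == 0)
        below_hi = hi is None or _cmp(v, hi) < 0 or (hi_inc and _cmp(v, hi) == 0)
        if above_lo and below_hi:
            return True
    return False


def scan_versions(versions, spec=AFFECTED_RANGES):
    """Map each version in a batch (e.g. from a dependency report) to affected/not."""
    return {v: is_affected(v, spec) for v in versions}


if __name__ == "__main__":
    # Constructed sample versions, not taken from the page.
    sample = ["9.4.1207", "9.4.1208.jre7", "42.2.24", "42.2.25",
              "42.3.1", "42.3.2", "42.7.3"]
    for ver, hit in scan_versions(sample).items():
        print(f"{ver:>16}  {'AFFECTED' if hit else 'ok'}")
```

The boundary cases are the ones worth checking by hand: 9.4.1208 and 42.3.0 are inclusive lower bounds, while 42.2.25 and 42.3.2 are exclusive upper bounds and are therefore the first fixed releases on each branch.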
This demo is deployed using Vagrant and will deploy the following nodes:
| Name | IP | Postgres | Remarks |
| -------- | -------- | ----- | -------- |
| attacker | 192.168.0.210 | -- | Metasploit Framework |
| vuln | 192.168.0.211 | 9.6.4 | |
| novuln | 192.168.0.212 | 16.3 | |
## Demo prep
### Pre-requisites
To deploy this demo, the following must be installed on the PC from which you are going to deploy it:
- VirtualBox (https://www.virtualbox.org/)
- Vagrant (https://www.vagrantup.com/)
- Vagrant Hosts plug-in (`vagrant plugin install vagrant-hosts`)
- Vagrant Reload plug-in (`vagrant plugin install vagrant-reload`)
The environment is deployed in a VirtualBox **public** network. Adjust the IP addresses to your needs in `vars.yml`.
### Provisioning VMs
Provision the hosts using `vagrant up`. This creates the bare virtual machines and takes approximately 5 minutes to complete.
After provisioning, the hosts will have the current directory mounted in their filesystem under `/vagrant`.
### Passwords
## Demo flow
File snapshot
[4.0K] /data/pocs/91e6b1444b46bf6da96f83875d4cec8de0c59455
├── [ 96] 99-deprovision.sh
├── [ 460] bootstrap_all.sh
├── [ 355] bootstrap_attacker.sh
├── [ 468] bootstrap_novuln.sh
├── [ 752] bootstrap_vuln.sh
├── [ 227] env.sh
├── [1.3K] README.md
├── [2.0K] Vagrantfile
└── [ 105] vars.yml
0 directories, 9 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.