Having_Fun_With_PostgreSQL.pdf

《Having_Fun_With_PostgreSQL.pdf》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、HavingFunWithPostgreSQLNicoLeideckernfl@portcullis-security.comJune0520071CONTENTSHavingFunWithPostgreSQLContents1Preface32dblink:TheRootOfAllEvil32.1PrivilegeEscalation...................................32.2Brute-ForcingUserAccounts..............................5

2、2.3Port-ScanningViaRemoteAccess...........................73MappingLibraryFunctions83.1GettingAShell......................................93.2UploadingFiles......................................94FromSleepingAndCopyingInPostgreSQL8.2105RecommendationAndPrevention

3、106Introducingpgshell107Contact&Copyright112HavingFunWithPostgreSQLElephantOnTheRisePostgreSQLisanopen-sourcedatabasemanagementsystem(DBMS),releasedundertheBSDlicensewiththecurrentstableversionof8.2.3.ItderivedfromthePOSTGRESprojectattheUniversityofCalifornia,Ber

4、keleystartingin19861.POSTGRES’sfinalperformanceinversion4.2dated19942whilePostgreSQLbecameoneofthemostpopularDBMStoday.Inversion8.0approximately1milliondownloadswererecordedwithinsevenmonthsofitsrelease.ThePostgreSQLprojectregistersanumberofsignificantuserslikeBASF

5、,Fujitsu,SunMicrosystemsortheU.S.CenterForDiseaseControlandPrevention3.1PrefaceThisdocumentpresentsacoupleofideasforexploitingweaknessesintypicalPostgreSQLcon-figurations.Mostoftheseideaswon’tbenewbutarestilldifficulttofindoreasytomiss,mostdocumentationaimedatdatabas

6、eadministratorsoftendonotaddressoroverlooktheseissues.ThefollowingexampleswheretestedonPostgreSQL8.1andmaydifferfrompreviousversions.Version8.2bringsfurthersignificantchangesthatarediscussedinsection4.2dblink:TheRootOfAllEvilTheDatabaseLinklibrary(dblink)hasbeenpar

7、tofthePostgreSQLprojectsinceversion7.2.Asthenamesuggestsitisusedforinterconnetionsbetweenremotedatabases.Thecontributioncomesinhandy,when,forinstance,datafromaremotedatabaseneedstobeincludedintoalocaldatabase.Typicalusageforthefunctioniscreatingaviewfromaremotely

8、executedquery:CREATEVIEWentry_statesASSELECT*FROMdblink(’host=1.2.3.4dbname=remotedbuser=dbuserpassword=secretpass’,’SELECTid,titleFROMentries’)ASremote_entrie