
[GSoC] Module for CVE-2019-13375, and PostgreSQL support for the library #14067

Merged
merged 13 commits into from
Feb 14, 2021

Conversation


@red0xff red0xff commented Aug 28, 2020

This PR adds PostgreSQL injection support to the SQL injection library, and two modules for testing, one being an auxiliary module for CVE-2019-13375, the other being a test module for testing every feature of the added library (didn't push it yet, not sure on how it would be pushed, as I wrote the vulnerable code also).

Verification

Testing the module for CVE-2019-13375:

  • Start msfconsole
  • use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.rb
  • See the instructions in documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md

Testing using the test module:

Not sure of the best practices on this; the vulnerable code is the following:

```ruby
require 'pg'
require 'socket'

# Minimal vulnerable test application: accepts one line per TCP connection
# and uses it as the article id.
sck = TCPServer.open(1337)

conn = PG.connect(dbname: 'sqli', user: 'postgres', host: '127.0.0.1', port: 5432)
loop {
  client = sck.accept
  id = client.gets.to_s.chomp # to_s keeps a client that sends nothing from crashing the loop
  begin
    # Deliberately injectable: the client-supplied id is interpolated into the SQL text.
    conn.exec("select content from articles where id=#{id}") do |result|
      result = result.to_a
      if result.empty?
        client.puts('[-] No results')
      else
        client.puts(result[0]['content'])
      end
    end
  rescue Exception => e
    # Errors are printed server-side; the client only sees the connection close.
    puts e.message
  end
  client.close
}
```

I also have an SQL script that should be executed (it creates the database and table, and inserts values), and some simple configuration steps for PostgreSQL. The module connects over TCP to the vulnerable Ruby program and uses the SQL injection vulnerability to test every feature of the PostgreSQL injection support.
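As an added example that is not part of this PR or of the test application above, here is the same article lookup written so that the client-supplied id can no longer change the statement: the id is parsed as a strict base-10 integer and bound through `PG::Connection#exec_params` (pg's real API). The helper names (`vulnerable_query`, `parse_article_id`, `safe_query`, `handle_request`) and the in-memory `FakeArticlesConn` stand-in are assumptions made for this example so it runs without a database.

```ruby
# Added example, not code from the PR or its test application.
# exec_params is pg's real API; the helper names below and FakeArticlesConn
# are assumptions made for this example.

# What the vulnerable test app builds: the raw line from the socket is
# interpolated into the SQL text, so "0 union select ..." becomes part of it.
def vulnerable_query(raw_id)
  "select content from articles where id=#{raw_id}"
end

# Strict parse. Integer(str, 10) raises ArgumentError for anything that is not
# a plain base-10 integer: "0 union select 1 --", "1;", "0x41" and "" all fail.
def parse_article_id(raw_id)
  Integer(raw_id.to_s.strip, 10)
end

# Parameterised statement plus its bind values, ready for
# PG::Connection#exec_params. The id travels as a parameter ($1), never as SQL.
def safe_query(raw_id)
  ['select content from articles where id=$1', [parse_article_id(raw_id)]]
end

# Replacement for the per-connection body of the test app. `conn` is anything
# that responds to exec_params(sql, params) { |result| ... } like PG::Connection.
# Returns the line to send back to the client.
def handle_request(conn, raw_id)
  sql, params = safe_query(raw_id)
  conn.exec_params(sql, params) do |result|
    rows = result.to_a
    return rows.empty? ? '[-] No results' : rows[0]['content']
  end
rescue ArgumentError
  # Non-numeric id: answer like a miss instead of surfacing a database error.
  '[-] No results'
end

# Constructed stand-in for PG::Connection so the example runs without a server.
# It only accepts the parameterised statement and answers from a Hash of
# id => content, yielding rows shaped like PG::Result#to_a (array of hashes).
class FakeArticlesConn
  def initialize(articles)
    @articles = articles
  end

  def exec_params(sql, params)
    raise "unexpected SQL: #{sql}" unless sql.include?('$1')
    id = params[0]
    rows = @articles.key?(id) ? [{ 'content' => @articles[id] }] : []
    yield rows
  end
end

# Serve for real only when asked (needs a running PostgreSQL and the pg gem):
#   RUN_SQLI_DEMO_SERVER=1 ruby this_file.rb
if __FILE__ == $PROGRAM_NAME && ENV['RUN_SQLI_DEMO_SERVER']
  require 'pg'
  require 'socket'
  conn = PG.connect(dbname: 'sqli', user: 'postgres', host: '127.0.0.1', port: 5432)
  server = TCPServer.open(1337)
  loop do
    client = server.accept
    client.puts(handle_request(conn, client.gets.to_s.chomp))
    client.close
  end
end
```

The strict integer parse and the bind parameter are two independent layers: even if a future change relaxed the parse (for example to accept UUIDs), the value would still reach PostgreSQL as data rather than as statement text.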


@jmartin-tech jmartin-tech left a comment


Check should always return a CheckCode.

@jmartin-tech jmartin-tech self-assigned this Sep 3, 2020
1) Data retrieval: saves each table as a `.csv` file in your
loot directory, and saves credentials for future cracking.
2) Creation of an admin user.
3) Removal of an admin user.
Contributor


It might be clearer to someone who's reading this to include the actual action names (ADD_ADMIN etc.)

- `check` or `exploit`
- should work as in the scenarios below

## Actions
Contributor


IIRC these should be broken up into their own dedicated subsections (like you did in #14025)

Contributor Author


Not sure if I understand the feedback. I think there would be redundancy if I include verification steps for every ACTION here (replacing "should work as in the scenarios below"), because the Scenarios section already has the expected results from every action.


## Options
Contributor


See above


h00die commented Oct 24, 2020

@jmartin-r7 any update on landing this?

@jmartin-tech

High on my list, will process soon.


red0xff commented Oct 26, 2020

I added the test module, the repository hosting minimalist vulnerable test applications can be found here (It's a permanent repo, will add test applications for other DBMS as I send pull-requests for supporting them).


@jmartin-tech jmartin-tech left a comment


Minor syntax requests. Please validate test module options for Regular/reflected case.

```ruby
}) do |payload|
sock = TCPSocket.open(datastore['RHOST'], 1337)
sock.puts('0 union ' + payload + ' --')
res = sock.gets.chomp
```
Contributor


The HexEncodeStrings and Safe options cause testing failures.

```
msf6 auxiliary(test/postgres_sqli_test) > run
[*] Running module against 127.0.0.1

[+] dbms: PostgreSQL 13.0 (Debian 13.0-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
[+] tables: articles
[+] articles(id, content)
[+] 	1, Over 3.8 billion people use the internet today
[+] 	 which is 40% of the worlds population.
[+] 	2, 8 billion devices will be connected to the internet by 2020.
[+] 	3, More than 570 new websites are created every minute.
[+] 	4, There are over 3.5 billion searches per day on Google.
[+] 	5, By 2020
[+] 	 video will account for about 80% of all internet traffic.
[+] 	6, 340
[+] 	000 tweets are sent per minute.
[+] 	7, 90% of the world’s data has been created in the last couple years.
[*] Auxiliary module execution completed
msf6 auxiliary(test/postgres_sqli_test) > set HexEncodeStrings true
HexEncodeStrings => true
msf6 auxiliary(test/postgres_sqli_test) > run
[*] Running module against 127.0.0.1

[-] Auxiliary failed: NoMethodError undefined method `chomp' for nil:NilClass
[-] Call stack:
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/test/modules/auxiliary/test/postgres_sqli_test.rb:70:in `block in reflected'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/core/exploit/sqli/common.rb:59:in `raw_run_sql'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/core/exploit/sqli/common.rb:70:in `run_sql'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/core/exploit/sqli/postgresqli/common.rb:192:in `test_vulnerable'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/test/modules/auxiliary/test/postgres_sqli_test.rb:74:in `reflected'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/test/modules/auxiliary/test/postgres_sqli_test.rb:115:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(test/postgres_sqli_test) > set safe true
safe => true
msf6 auxiliary(test/postgres_sqli_test) > run
[*] Running module against 127.0.0.1

[-] Auxiliary failed: NoMethodError undefined method `chomp' for nil:NilClass
[-] Call stack:
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/test/modules/auxiliary/test/postgres_sqli_test.rb:70:in `block in reflected'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/core/exploit/sqli/common.rb:59:in `raw_run_sql'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/core/exploit/sqli/common.rb:70:in `run_sql'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/core/exploit/sqli/postgresqli/common.rb:192:in `test_vulnerable'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/test/modules/auxiliary/test/postgres_sqli_test.rb:74:in `reflected'
[-]   /Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/test/modules/auxiliary/test/postgres_sqli_test.rb:115:in `run'
[*] Auxiliary module execution completed
```

Vulnerable app output during this test:

```
db_1      | 2020-10-26 19:28:30.893 UTC [82] ERROR:  syntax error at or near "x4f" at character 59
db_1      | 2020-10-26 19:28:30.893 UTC [82] STATEMENT:  select content from articles where id=0 union select chr(0x4f)||chr(0x50)||chr(0x42)||chr(0x37)||chr(0x39)||chr(0x46)||chr(0x77)||chr(0x73)||chr(0x6c) --
client_1  | #<PG::SyntaxError: ERROR:  syntax error at or near "x4f"
client_1  | LINE 1: ...ontent from articles where id=0 union select chr(0x4f)||chr(...
client_1  |                                                              ^
client_1  | >
client_1  | "ERROR:  syntax error at or near \"x4f\"\nLINE 1: ...ontent from articles where id=0 union select chr(0x4f)||chr(...\n                                                             ^\n"
client_1  | ["/app/ruby_client.rb:9:in `exec'", "/app/ruby_client.rb:9:in `block in <main>'", "/app/ruby_client.rb:5:in `loop'", "/app/ruby_client.rb:5:in `<main>'"]
client_1  | #<PG::SyntaxError: ERROR:  syntax error at or near "x41"
client_1  | LINE 1: ...ontent from articles where id=0 union select chr(0x41)||chr(...
client_1  |                                                              ^
client_1  | >
client_1  | "ERROR:  syntax error at or near \"x41\"\nLINE 1: ...ontent from articles where id=0 union select chr(0x41)||chr(...\n                                                             ^\n"
client_1  | ["/app/ruby_client.rb:9:in `exec'", "/app/ruby_client.rb:9:in `block in <main>'", "/app/ruby_client.rb:5:in `loop'", "/app/ruby_client.rb:5:in `<main>'"]
db_1      | 2020-10-26 19:29:19.662 UTC [82] ERROR:  syntax error at or near "x41" at character 59
db_1      | 2020-10-26 19:29:19.662 UTC [82] STATEMENT:  select content from articles where id=0 union select chr(0x41)||chr(0x71)||chr(0x54)||chr(0x79)||chr(0x4c)||chr(0x6f)||chr(0x32)||chr(0x54)||chr(0x6d) --
```

Contributor Author


The issue is in HexEncodeStrings; Safe fails in your test because HexEncodeStrings is still enabled.
This happens because 0x61-style hex numbers are not valid in PostgreSQL; fixed using decimals instead.
I also added encoding for the empty strings to avoid quotes.
There is still an issue that happens in hex_encode_strings: for strings that contain escaped quotes, 'hello\'' for example, the hex_encode_strings method would consider the escaped quote as a delimiter. This doesn't happen often, but I'm thinking of a way to fix it.
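Added example, not code from the PR or from the SQLi library: a small Ruby decoder for the `chr()||chr()` chains that appear in the PostgreSQL statement log above, written from the log-review side. It recovers the literal a chain builds, accepting both the `0x..` form that PostgreSQL rejected in the failing test and the decimal form the library emits after the fix, and flags logged statements that combine `union ... select` with such a chain. The regexes and function names are assumptions made here; the sample input is the two `STATEMENT:` lines from the test output plus two constructed lines (one benign `log_statement` line, one in the decimal form).

```ruby
# Added example, not code from the PR or the SQLi library. Regex and function
# names are assumptions for this example; the sample log lines are copied from
# the test output in this thread plus two constructed lines.

# One chr(N) call, N either 0x-prefixed hex (rejected by PostgreSQL) or decimal.
CHR_ARG = /chr\(\s*(0x[0-9a-f]+|\d+)\s*\)/i
# A chain of such calls joined with ||, e.g. chr(79)||chr(80)||chr(66)
CHR_CHAIN = /chr\(\s*(?:0x[0-9a-f]+|\d+)\s*\)(?:\s*\|\|\s*chr\(\s*(?:0x[0-9a-f]+|\d+)\s*\))*/i

# Turn one chr()||chr()... chain into the string it would build.
def decode_chr_chain(chain)
  chain.scan(CHR_ARG).flatten.map do |n|
    code = n.match?(/\A0x/i) ? n.hex : n.to_i
    code.chr(Encoding::UTF_8)
  end.join
end

# Rewrite every chain in a statement as a quoted literal with the decoded value,
# so the logged statement reads the way the client meant it.
def deobfuscate_statement(sql)
  sql.gsub(CHR_CHAIN) { |chain| "'#{decode_chr_chain(chain)}'" }
end

# Extract the SQL from a PostgreSQL log line carrying "STATEMENT:" (error
# context) or "statement:" (log_statement); nil for any other line.
def statement_from_log(line)
  m = line.match(/statement:\s+(.*)\z/i)
  m && m[1]
end

# Scan log lines and return [decoded_statement, decoded_literals] for every
# statement that combines a union ... select with a chr() chain.
def suspicious_statements(lines)
  lines.each_with_object([]) do |line, out|
    sql = statement_from_log(line)
    next unless sql && sql.match?(/\bunion\b.*\bselect\b/i) && sql.match?(CHR_CHAIN)
    literals = sql.scan(CHR_CHAIN).map { |chain| decode_chr_chain(chain) }
    out << [deobfuscate_statement(sql), literals]
  end
end

# Sample input: the ERROR and STATEMENT lines from the test run above, a
# constructed benign log_statement line, and a constructed decimal-form line.
SAMPLE_LOG = [
  'db_1      | 2020-10-26 19:28:30.893 UTC [82] ERROR:  syntax error at or near "x4f" at character 59',
  'db_1      | 2020-10-26 19:28:30.893 UTC [82] STATEMENT:  select content from articles where id=0 union select chr(0x4f)||chr(0x50)||chr(0x42)||chr(0x37)||chr(0x39)||chr(0x46)||chr(0x77)||chr(0x73)||chr(0x6c) --',
  'db_1      | 2020-10-26 19:30:00.000 UTC [82] LOG:  statement: select content from articles where id=1',
  'db_1      | 2020-10-26 19:31:00.000 UTC [82] STATEMENT:  select content from articles where id=0 union select chr(79)||chr(80)||chr(66)||chr(55)||chr(57)||chr(70)||chr(119)||chr(115)||chr(108) --'
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_statements(SAMPLE_LOG).each do |sql, literals|
    puts "#{literals.inspect}: #{sql}"
  end
end
```

Both flagged lines decode to the same nine-character marker, which is what the library's vulnerability test sends and expects to see reflected; seeing that marker in the statement log, in either encoding, is the thing a log reviewer would want surfaced rather than the raw `chr()` noise.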

jmartin-tech added a commit that referenced this pull request Feb 14, 2021
@jmartin-tech jmartin-tech merged commit e23caaf into rapid7:master Feb 14, 2021
@jmartin-tech

Added 7c4e421 && 78a2fd1 to address merge conflict and autoload support changes.


jmartin-tech commented Feb 14, 2021

Original Release Notes
GSoC 2020 project supporting SQLi library usage with PostgreSQL. This support comes with a new module utilizing CVE-2019-13375 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6.

@gwillcox-r7 gwillcox-r7 added the rn-enhancement release notes enhancement label Feb 15, 2021
@gwillcox-r7

@jmartin-r7 Added the missing rn-enhancement label to cover the enhancements listed here but I think this also deserves a rn-module label as well. Just not sure if both tags will mess up the release notes automation, but it would be good to also note that we now have a module for CVE-2019-13375.

@jmartin-tech jmartin-tech added the rn-modules release notes for new or majorly enhanced modules label Feb 15, 2021

pbarry-r7 commented Mar 4, 2021

Release Notes

New module auxiliary/sqli/dlink/dlink_central_wifimanager_sqli utilizes CVE-2019-13375 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100_BETA6. This module takes advantage of the updated SQLi library in Framework for PostgreSQL targets.

Labels
enhancement GSoC Google Summer of Code project PRs library module rn-enhancement release notes enhancement rn-modules release notes for new or majorly enhanced modules test module