Compiling Postgres library for exploiting UDF to RCE

niraj choubey
Published in InfoSec Write-ups
4 min read · Nov 23, 2021

I recently took the WEB-300 course and cleared the OSWE exam. The WEB-300 course module includes a UDF reverse shell. One thing I find difficult is how to compile libraries for a specific version of Postgres to be used with a UDF. So I decided to share what I have learned.

Why am I writing this?

Well, there are two reasons for this:

  1. The libraries required in the exploitation process are platform dependent. You cannot use a library compiled on Linux to exploit Postgres running on Windows, and vice versa.
  2. At the same time, the libraries depend on the major version of Postgres.

Note: If the Postgres version is higher than 9.3 and the COPY function is available with the required permission, you can use the PayloadsAllTheThings command injection payload to get a reverse shell and not bother about UDFs :)

Compiling library on Linux

We will use Docker on Kali for this purpose, to avoid messing up the host machine's configuration and files (I tried to do this on the host first, which caused my machine to break. Thankfully I had a backup of the important stuff.)

  1. If you don't already have Docker installed, this link explains it properly: https://airman604.medium.com/installing-docker-in-kali-linux-2017-1-fbaa4d1447fe
  2. Pull the Docker image for the major version of Postgres with the command docker pull postgres:10.18. You can easily find the Postgres version if you have already exploited the SQL injection.

3. Create a directory postgres-data on the host machine and mount it as the data volume for the container to store all the database files

┌──(root💀osboxes)-[/home/osboxes]
└─# mkdir postgres-data

4. Run the Docker container with a command that mounts the data volume, names the container udf-postgres, sets the password to noob@123 and maps port 5432

┌──(root💀osboxes)-[/home/osboxes]
└─# docker run -d --name udf-postgres -e POSTGRES_PASSWORD=noob@123 -v /home/osboxes/postgres-data/:/var/lib/postgresql/data -p 5432:5432 postgres:10.18
92212e425db4ce74108a95d9a891ca1233979c470d2bb2fa58092618ef7f73f1

┌──(root💀osboxes)-[/home/osboxes]
└─# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
92212e425db4 postgres:10.18 "docker-entrypoint.s…" 14 seconds ago Up 12 seconds 0.0.0.0:5432->5432/tcp, :::5432->5432/tcp udf-postgres

5. Exec into the running container

┌──(root💀osboxes)-[/home/osboxes]
└─# docker exec -it udf-postgres bash
root@92212e425db4:/#

6. Run apt-get update and apt-get install postgresql-server-dev-10 (dev-10 to match the major version of Postgres). We need to install postgresql-server-dev because it contains the libraries required for compiling the UDF

root@92212e425db4:/# apt-get update

Fetched 8,448 kB in 5s (1,491 kB/s)
Reading package lists... Done
root@92212e425db4:/# apt-get install postgresql-server-dev-10

7. Install gcc inside the container

root@92212e425db4:/# apt install gcc

8. Download pg_exec.c from this GitHub repository https://github.com/Dionach/pgexec/blob/master/pg_exec.c and move it to the postgres-data directory that is mapped to the container volume

┌──(root💀osboxes)-[/home/osboxes/postgres-data]
└─# ls -la *.c
-rw-r--r-- 1 root root 255 Nov 20 04:58 pg_exec.c

9. Locate the postgres.h header file, because it is required for compilation

root@92212e425db4:/# find / -iname postgres.h 2>/dev/null
/usr/include/postgresql/10/server/postgres.h

10. cd to the mapped directory inside the container, i.e. /var/lib/postgresql/data. That is where our pg_exec.c file is

11. Now compile pg_exec.c into a .so file using the command below

root@92212e425db4:/var/lib/postgresql/data# gcc -I /usr/include/postgresql/10/server/ -shared -fPIC -o pg_exec.so pg_exec.c

12. You can find the compiled binary pg_exec.so on the host in the postgres-data directory

Now all that is left is transferring the generated pg_exec.so to the target system through the SQL injection you discovered and storing it in Postgres large objects, then copying the same binary onto the target's local file system so that it can be called by a UDF. Here are some resources that will help you gain a reverse shell once you have the proper binary
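The traces this workflow leaves on a database server (a C-language function bound to a library outside $libdir, and a large object that starts with executable magic bytes) can be audited from the system catalogs. The following is an added example, not part of the original post: the two queries use standard catalog tables, while the sample rows, the /tmp path and the function names suspicious_udfs and executable_large_objects are constructed for illustration.

```python
"""Audit for a library staged in large objects and loaded as a C-language UDF."""

# C-language functions and the shared library each one is bound to.
UDF_QUERY = """
SELECT p.proname, p.probin, r.rolname
FROM pg_proc p
JOIN pg_language l ON l.oid = p.prolang
JOIN pg_roles r ON r.oid = p.proowner
WHERE l.lanname = 'c';
"""

# First four bytes of every large object (page 0 holds the start of the data).
# pg_largeobject is readable by superusers only by default.
LO_QUERY = """
SELECT loid, encode(substring(data from 1 for 4), 'hex')
FROM pg_largeobject
WHERE pageno = 0;
"""

# Hex prefixes of executable formats: ELF shared objects and Windows PE files.
EXECUTABLE_MAGIC = {"7f454c46": "ELF", "4d5a": "PE"}

# Constructed sample rows in the shape the two queries return.
SAMPLE_UDFS = [
    ("pg_stat_statements", "$libdir/pg_stat_statements", "postgres"),
    ("pg_exec", "/tmp/pg_exec.so", "postgres"),
]
SAMPLE_LOS = [(16401, "89504e47"), (16402, "7f454c46")]


def suspicious_udfs(rows):
    """Return C functions whose library is not resolved inside $libdir."""
    findings = []
    for name, lib, owner in rows:
        lib = lib or ""
        if not lib.startswith("$libdir/") or ".." in lib.split("/"):
            findings.append((name, lib, owner))
    return findings


def executable_large_objects(rows):
    """Return (loid, format) for large objects that begin with executable magic."""
    findings = []
    for loid, head_hex in rows:
        for magic, kind in EXECUTABLE_MAGIC.items():
            if head_hex.lower().startswith(magic):
                findings.append((loid, kind))
    return findings
```

A hit from either function is a lead to review rather than proof of compromise: check who owns the function and when the library file appeared on disk.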

Thanks for reading. Let me know if you find any difficulty replicating the above steps; I will be happy to clear your doubts. Also, if you need step-by-step instructions for creating a Windows DLL to be used in the UDF -> RCE exploit, just leave a message in the comments.

Connect with me on LinkedIn https://www.linkedin.com/in/niraj-kumar-choubey-7351b892/ to say hi or discuss anything cyber security.
