This is a post holding my notes and other work in progress items and will be updated sporadically. Last updated 16-12-2020.

The HINT attached to an ERROR message leaks information (for example "Perhaps you meant to reference the column ...", which confirms a column name)

The ERROR message itself leaks information (object names, and the position of the failing token in the statement)

DROP INDEX statement

Listing indexes (psql \di, or a query against pg_indexes) - which part of this is reconnaissance, though?

Being able to find the Postgres version (SELECT version(), or SHOW server_version)

Being able to query the type of an index (pg_indexes.indexdef, or pg_class joined to pg_am via relam)

Being able to DELETE, or a DELETE that was attempted and failed (e.g. permission denied)

Types of query actions to look for

A new role was created (CREATE USER is the same as CREATE ROLE with LOGIN)

CREATE ROLE username NOINHERIT LOGIN PASSWORD 'password';
CREATE ROLE role_name;

A role has been granted membership of another role

GRANT role_2 TO role_1;

A database has been dropped

DROP DATABASE [IF EXISTS] db_name;

A column has been dropped

ALTER TABLE table_name DROP COLUMN column_name;

A table has been dropped

DROP TABLE [IF EXISTS] table_name CASCADE;
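The actions listed above are what I want to pick out of the server log. The following is an added example (my own illustration, not part of the original notes and not PostgreSQL's code) that scans log lines in the default stderr format produced by log_line_prefix = '%m [%p] ' with log_statement = 'all'. The rule names, the sample log and the "executed"/"failed" outcome labels are all assumptions made for this example; the sample log is constructed, not captured from a real server.

```python
"""Scan PostgreSQL server log lines for the query actions listed above."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log (not from a real server), in the format produced by
# log_line_prefix = '%m [%p] ' with log_statement = 'all'.
SAMPLE_LOG = """\
2020-12-16 10:15:20.001 UTC [4242] LOG:  statement: SELECT version();
2020-12-16 10:15:21.002 UTC [4242] LOG:  statement: SELECT indexname, indexdef FROM pg_indexes WHERE tablename = 'accounts';
2020-12-16 10:15:22.003 UTC [4242] LOG:  statement: SELECT usernmae FROM accounts;
2020-12-16 10:15:22.004 UTC [4242] ERROR:  column "usernmae" does not exist at character 8
2020-12-16 10:15:22.004 UTC [4242] HINT:  Perhaps you meant to reference the column "accounts.username".
2020-12-16 10:15:22.004 UTC [4242] STATEMENT:  SELECT usernmae FROM accounts;
2020-12-16 10:15:23.005 UTC [4242] LOG:  statement: CREATE ROLE backup_svc NOINHERIT LOGIN PASSWORD 'hunter2';
2020-12-16 10:15:24.006 UTC [4242] LOG:  statement: GRANT app_admin TO backup_svc;
2020-12-16 10:15:25.007 UTC [4242] LOG:  statement: DELETE FROM audit_log WHERE actor = 'backup_svc';
2020-12-16 10:15:25.008 UTC [4242] ERROR:  permission denied for table audit_log
2020-12-16 10:15:25.008 UTC [4242] STATEMENT:  DELETE FROM audit_log WHERE actor = 'backup_svc';
2020-12-16 10:15:26.009 UTC [4242] LOG:  statement: ALTER TABLE accounts DROP COLUMN ssn;
2020-12-16 10:15:27.010 UTC [4242] LOG:  statement: DROP TABLE IF EXISTS accounts CASCADE;
2020-12-16 10:15:28.011 UTC [4242] LOG:  statement: DROP DATABASE IF EXISTS shop;
2020-12-16 10:15:29.012 UTC [4242] LOG:  statement: GRANT SELECT ON accounts TO reporting;
"""

# One log line: timestamp (date, time, zone), backend PID, severity, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# log_statement output: 'statement: ...' or 'execute <name>: ...' for prepared statements.
STATEMENT_RE = re.compile(r"^(?:statement|execute \S+):\s+(?P<sql>.*)$")

# Rule name -> pattern over the SQL text. The names are assumptions for this example.
STATEMENT_RULES = {
    "version_recon": re.compile(r"\bversion\s*\(\s*\)", re.I),
    "index_recon": re.compile(r"\bpg_(?:indexes|index|am)\b", re.I),
    "create_role": re.compile(r"\bCREATE\s+(?:ROLE|USER)\b", re.I),
    # GRANT without ON is a role membership grant (GRANT role_2 TO role_1),
    # as opposed to a privilege grant (GRANT SELECT ON tbl TO role).
    "grant_role": re.compile(r"\bGRANT\b(?![^;]*\bON\b)", re.I),
    "drop_database": re.compile(r"\bDROP\s+DATABASE\b", re.I),
    "drop_column": re.compile(r"\bALTER\s+TABLE\b[^;]*\bDROP\b", re.I),
    "drop_table": re.compile(r"\bDROP\s+TABLE\b", re.I),
    "drop_index": re.compile(r"\bDROP\s+INDEX\b", re.I),
    "delete": re.compile(r"\bDELETE\s+FROM\b", re.I),
}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per matched rule, in log order.

    Statement findings carry outcome 'executed' unless the same backend PID
    reports an ERROR for that statement, in which case 'failed' (an attempted
    DELETE that was denied still shows up, which is the point of logging it).
    """
    findings: List[Dict[str, str]] = []
    pending: Dict[str, List[Dict[str, str]]] = {}  # pid -> findings of its last statement
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line statements are not handled here
        pid, level, msg = m["pid"], m["level"], m["msg"]
        if level == "ERROR":
            findings.append({"pid": pid, "rule": "error_message_leak", "detail": msg})
            for f in pending.pop(pid, []):
                f["outcome"] = "failed"
        elif level == "HINT":
            findings.append({"pid": pid, "rule": "error_hint_leak", "detail": msg})
        elif level == "LOG":
            sm = STATEMENT_RE.match(msg)
            if not sm:
                continue
            sql = sm["sql"]
            new = [
                {"pid": pid, "rule": name, "detail": sql, "outcome": "executed"}
                for name, pat in STATEMENT_RULES.items()
                if pat.search(sql)
            ]
            findings.extend(new)
            pending[pid] = new
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["rule"], f.get("outcome", ""), "-", f["detail"])
```

The GRANT on the last sample line is a privilege grant, not a role grant, and is deliberately not flagged; the failed DELETE is flagged with outcome "failed" because the ERROR that follows it comes from the same backend PID.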

Other items

How to prevent disaster recovery

No data-at-rest encryption (PostgreSQL has no built-in transparent data encryption; it relies on filesystem or volume encryption)

Even with block-level encryption, blocks are decrypted as they are read from disk, so anyone with access to the running server still sees plaintext (side channel attack) - source

Was the database initialized with encryption in mind, and is the key used when initializing the database accessible to the server during startup?

The following are not covered by data-at-rest encryption and need separate measures: transport encryption (client / server) via SSL; encrypted replication; fully secured replicas - source

Client connections to the database are not encrypted (i.e. no SSL/TLS: check ssl in postgresql.conf and host vs hostssl rules in pg_hba.conf)
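To check the last point, the following is an added example (my own, not part of the original notes and not a PostgreSQL tool) that audits a postgresql.conf fragment and a pg_hba.conf fragment, with a weak configuration beside a corrected one. Both fragments are constructed for the example; the audit only understands the CIDR form of the ADDRESS column and treats ssl, password_encryption and the host/hostssl/trust/password/md5 keywords the way the PostgreSQL documentation defines them.

```python
"""Flag unencrypted or weakly authenticated client access in PostgreSQL config."""
from typing import Dict, List

# Constructed fragments (not from a real deployment). The weak pair accepts
# cleartext TCP connections from anywhere with no authentication at all.
PG_HBA_WEAK = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     trust
host    all       all   10.0.0.0/8    md5
hostssl all       all   10.0.0.0/8    scram-sha-256
"""
POSTGRESQL_CONF_WEAK = "ssl = off\npassword_encryption = md5\n"

# Corrected pair: TLS only, SCRAM or client certificates, no wildcard address.
PG_HBA_FIXED = """\
local   all       all                 peer
hostssl all       all   10.0.0.0/8    scram-sha-256
hostssl all       all   10.0.0.0/8    cert
"""
POSTGRESQL_CONF_FIXED = (
    "ssl = on\n"
    "ssl_min_protocol_version = 'TLSv1.2'\n"  # setting exists from PostgreSQL 12
    "password_encryption = scram-sha-256\n"
)

# Authentication methods that should not appear on a network-facing rule.
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in cleartext",
    "md5": "MD5 challenge-response, weaker than scram-sha-256",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' / 'key value' lines of postgresql.conf, dropping comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(" ")
        conf[key.strip().lower()] = value.strip().strip("'\"")
    return conf


def audit_pg_hba(text: str) -> List[str]:
    """Return one issue string per weak spot in a pg_hba.conf fragment."""
    issues: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ctype = fields[0]
        if ctype == "local" or len(fields) < 5:
            continue  # Unix-socket rules (and malformed lines) are out of scope here
        address, method = fields[3], fields[4]  # assumes CIDR form, not 'IP netmask'
        where = f"pg_hba.conf line {lineno}"
        if ctype in ("host", "hostnossl"):
            # 'host' matches both SSL and non-SSL connections, so cleartext is allowed.
            issues.append(f"{where}: '{ctype}' accepts unencrypted TCP connections from {address}; use hostssl")
        if address in ANY_ADDRESS:
            issues.append(f"{where}: rule is open to any address ({address})")
        if method in WEAK_METHODS:
            issues.append(f"{where}: auth method '{method}' ({WEAK_METHODS[method]})")
    return issues


def audit(pg_hba: str, postgresql_conf: str) -> List[str]:
    """Combine postgresql.conf and pg_hba.conf findings; empty list means clean."""
    conf = parse_conf(postgresql_conf)
    issues: List[str] = []
    if conf.get("ssl", "off").lower() not in ("on", "true", "yes", "1"):
        issues.append("postgresql.conf: ssl = off; hostssl rules can never match and every client talks in cleartext")
    if conf.get("password_encryption", "md5") != "scram-sha-256":
        issues.append("postgresql.conf: password_encryption is not scram-sha-256")
    return issues + audit_pg_hba(pg_hba)


if __name__ == "__main__":
    for issue in audit(PG_HBA_WEAK, POSTGRESQL_CONF_WEAK):
        print(issue)
    print("fixed config issues:", audit(PG_HBA_FIXED, POSTGRESQL_CONF_FIXED))
```

The check is deliberately strict about 'host' rules: a 'host' rule matches SSL and non-SSL connections alike, so even with ssl = on a client that negotiates no TLS is still accepted under it, which is why the corrected fragment uses hostssl throughout.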

Postgres SQL injections

Being able to fill the pg_xlog/ directory (renamed pg_wal/ in PostgreSQL 10) with WAL segments until PostgreSQL runs out of disk and shuts down (pg_ls_waldir() shows the directory contents from PostgreSQL 10)

Can you enumerate the PostgreSQL details? Use nmap (-sV and the pgsql NSE scripts) against Metasploitable

Can you brute-force your way into the PostgreSQL database? Use msfconsole (auxiliary/scanner/postgres/postgres_login) with wordlists

Pentesters’ Guide to Postgres

Admin Postgres auxiliary modules on Metasploit, including setup