Related vulnerability
Title:
pgAdmin security vulnerability
(CVE-2025-2945)
Description: pgAdmin is an open-source administration and development platform for the open-source PostgreSQL database. pgAdmin 4 versions prior to 9.2 contain a security vulnerability caused by parameters being passed unsafely to the eval function, which can lead to remote code execution.
Description
pgAdmin Proof of Concept
Introduction
# CVE-2025-2945_PoC
pgAdmin Proof of Concept
# pgAdmin Query Tool RCE (CVE-2025-2945) – Python Proof of Concept
⚠️ **Disclaimer**
This repository contains a proof-of-concept exploit for CVE-2025-2945, a critical remote code execution vulnerability in pgAdmin 4 versions prior to 9.2. Use this code **only** in environments you own or have explicit permission to test. The author is not responsible for any misuse or damage caused by this software.
---
## Table of Contents
1. [Overview](#overview)
2. [Vulnerability Details (CVE-2025-2945)](#vulnerability-details-cve-2025-2945)
3. [Prerequisites](#prerequisites)
4. [Setup & Installation](#setup--installation)
5. [Usage](#usage)
6. [Exploit Workflow](#exploit-workflow)
7. [Detection & Mitigation](#detection--mitigation)
8. [License](#license)
---
## Overview
This repository provides a standalone Python script—`pgadmin_rce.py`—that replicates the functionality of the Metasploit module for CVE-2025-2945. When run against a vulnerable pgAdmin 4 instance (versions 8.10–9.1), it will:
1. Authenticate to pgAdmin 4 using valid credentials.
2. Initialize the Query Tool (SQL editor) session.
3. Discover a valid server-connection ID (server group & server ID).
4. Submit a malicious payload via the `query_commited` parameter to trigger an `eval()` on the server.
5. Observe an HTTP 500 response. The handler fails only after `eval()` has already run the payload, so the 500 is the success signal, not an error to retry.
Because the vulnerable endpoints pass user-controlled input straight to Python's built-in `eval()`, any authenticated user can make pgAdmin run **arbitrary Python code** on the host under the pgAdmin service account, i.e. full RCE. Note that valid pgAdmin credentials are required; this is an authenticated, post-login vulnerability.
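The bug class above, as an added illustration that is not pgAdmin's code and not this repository's `poc.py`: a "boolean" request parameter evaluated with `eval()`, next to an allowlist parser that never evaluates input, a simulated handler that shows why the side effect lands before the 500, and a detection rule over request bodies. The parameter name `query_commited` comes from the advisory; the JSON body shape, the handler, the benign token `"True"`, and the environment-variable marker are assumptions constructed for this example.

```python
"""Illustration of CVE-2025-2945's bug class (eval() on request input).
Not pgAdmin's code. Request bodies below are constructed samples; the
JSON shape and the handler are assumptions made for this example."""
import json
import os
from typing import Any, Callable, Tuple

MARKER = "PGADMIN_POC_MARKER"  # assumed: a visible side effect in the server process

# Constructed request bodies (assumption: the flag travels in a JSON body).
BENIGN_BODY = json.dumps({"query_commited": "True"})
# The payload runs first (sets an env var in the server process), then
# returns None so the handler's type check fails and the client sees a 500.
ATTACK_BODY = json.dumps({
    "query_commited": f"__import__('os').environ.__setitem__({MARKER!r}, 'executed')"
})

_TRUE = {"true", "1", "yes"}
_FALSE = {"false", "0", "no"}


def parse_commit_flag_unsafe(raw: Any) -> Any:
    """The vulnerable pattern: a flag string handed to eval().
    Any Python expression in `raw` executes with the service's privileges."""
    return eval(raw) if isinstance(raw, str) else raw  # intentionally vulnerable


def parse_commit_flag_safe(raw: Any) -> bool:
    """Hardened replacement: compare against an allowlist, never evaluate."""
    if isinstance(raw, bool):
        return raw
    token = str(raw).strip().lower()
    if token in _TRUE:
        return True
    if token in _FALSE:
        return False
    raise ValueError(f"query_commited must be a boolean, got {raw!r}")


def handle(body: str, parser: Callable[[Any], Any]) -> Tuple[int, Any]:
    """Simulated handler returning (HTTP status, parsed flag).
    With the unsafe parser the payload's side effect happens before the
    type error is turned into a 500, which is what the PoC watches for."""
    try:
        flag = parser(json.loads(body)["query_commited"])
        if not isinstance(flag, bool):
            raise TypeError("query_commited did not parse to a bool")
        return 200, flag
    except ValueError:          # rejected by the allowlist (or bad JSON)
        return 400, None
    except Exception:           # anything else: unhandled server error
        return 500, None


def side_effect_observed() -> bool:
    """True if the attack payload has already run in this process."""
    return os.environ.get(MARKER) == "executed"


def is_suspicious_commit_flag(body: str) -> bool:
    """Detection rule for proxy/WAF logs: alert on any query_commited value
    that is neither a JSON boolean nor one of the plain allowlisted tokens."""
    try:
        value = json.loads(body).get("query_commited")
    except (ValueError, AttributeError):
        return False
    if value is None or isinstance(value, bool):
        return False
    return str(value).strip().lower() not in (_TRUE | _FALSE)


if __name__ == "__main__":
    print("unsafe, benign :", handle(BENIGN_BODY, parse_commit_flag_unsafe))
    print("unsafe, attack :", handle(ATTACK_BODY, parse_commit_flag_unsafe))
    print("payload ran?   :", side_effect_observed())
    print("safe, attack   :", handle(ATTACK_BODY, parse_commit_flag_safe))
    print("suspicious?    :", is_suspicious_commit_flag(ATTACK_BODY))
```

The allowlist parser is the whole fix: a flag that can only ever be true or false has no business going near `eval()` or even `ast.literal_eval()`. The detection rule is deliberately strict (anything that is not a plain boolean token is an alert) rather than a signature on `__import__`, because an attacker controls the payload text but not its type.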
---
## Vulnerability Details (CVE-2025-2945)
- **Affected Software**:
- pgAdmin 4 versions **8.10** through **9.1** (inclusive)
- **Fixed In**:
- pgAdmin 4 version **9.2** (released April 4, 2025)
- **CVSS v3.1 Score**: 9.9 (Critical)
- **Impact**:
- An authenticated attacker can supply a specially crafted `query_commited` parameter (or `high_availability` in the Cloud Deployment module) that the server passes to an `eval()` call, resulting in arbitrary code execution under the pgAdmin service account.
- **References**:
- [Mitre CVE-2025-2945](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2945)
- [NVD Entry (CVSS 9.9)](https://nvd.nist.gov/vuln/detail/CVE-2025-2945)
- [Tenable Analysis](https://www.tenable.com/security/research/tra-2025-2945)
- [Rapid7 Metasploit Module](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/pgadmin_query_tool_rce)
---
## Prerequisites
1. **Python 3.7+**
2. Python packages (install via `pip`):
- `requests`
- `faker`
```bash
pip install requests faker
```
File snapshot
[4.0K] /data/pocs/725511675a843923ca90e11fb7fad37589953a81
├── [1.0K] LICENSE
├── [ 11K] poc.py
└── [2.7K] README.md
0 directories, 3 files
Notes
1. Accessing the POC through its original source is recommended.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.