PoC details: 839a49b848c964410b51a80cedce892c54afedd8

Source
Related vulnerability
Title: PostgreSQL security vulnerability (CVE-2025-1094)
Description: PostgreSQL is a free object-relational database management system from the PostgreSQL organization. It supports most of the SQL standard and provides many other features such as foreign keys, triggers and views. PostgreSQL has a security vulnerability caused by improper neutralization of quoting syntax in libpq, which can lead to SQL injection.
Description
CVE-2025-1094
Introduction
# CVE-2025-1094 SQL Injection to RCE via WebSocket 🔥

# ✔️ Description:

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL `17.3`, `16.7`, `15.11`, `14.16`, and `13.19` are affected.
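As an added defender-side check (not code from the repository or the advisory), the following Python turns the fixed versions listed above into a classifier for the string returned by `SELECT version()`; the `check_server` helper assumes an open DB-API connection object such as one from psycopg2.

```python
import re

# First release in each major series that contains the CVE-2025-1094 fix,
# as listed in the description above. Earlier releases in the same series
# are affected.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)")


def parse_version(version_string):
    """Extract (major, minor) from `SELECT version()` output.
    Returns None when no 'PostgreSQL <major>.<minor>' token is present
    (for example a development build reporting '18devel')."""
    m = VERSION_RE.search(version_string)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version_string):
    """True if the server is in a listed series and predates the fixed
    release, False if it is at or past the fix, None if the series is not
    covered by the list above (check the vendor advisory for that series
    rather than assuming it is safe)."""
    parsed = parse_version(version_string)
    if parsed is None:
        return None
    major, minor = parsed
    if major not in FIXED_MINOR:
        return None
    return minor < FIXED_MINOR[major]


def check_server(conn):
    """Query an open DB-API connection (assumed, e.g. psycopg2) and
    classify the reported version."""
    with conn.cursor() as cur:
        cur.execute("SELECT version()")
        (version_string,) = cur.fetchone()
    return version_string, is_affected(version_string)


if __name__ == "__main__":
    # Constructed sample strings in the shape `SELECT version()` returns.
    for s in ["PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc",
              "PostgreSQL 16.7 on x86_64-pc-linux-gnu",
              "PostgreSQL 13.19 (Debian 13.19-1.pgdg120+1)",
              "PostgreSQL 12.22 on x86_64"]:
        print(s.split(" on ")[0], "->", is_affected(s))
```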

# 💥 Metrics

CNA: `PostgreSQL`  |  Base Score: 8.1 🔴 HIGH  |  Vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`

# 💀 Vulnerability Details:

+ CVE ID: CVE-2025-1094
+ Vulnerable System: PostgreSQL (misconfigured functions)
+ Exploit Path: SQL Injection → WebSocket Hijacking → Remote Code Execution (RCE)

# 🔔 How It Works:

1. SQL Injection (SQLi): The attack begins with injecting malicious SQL commands into a vulnerable PostgreSQL endpoint. The payload uses lo_export to read sensitive files from the server.

2. WebSocket Hijacking: The attacker hijacks an open WebSocket connection and sends a payload to execute the RCE. This triggers a reverse shell connection back to the attacker’s system.

3. Remote Code Execution (RCE): The reverse shell provides the attacker full control over the server, allowing further exploitation.


# 📲 PoC (Proof of Concept):

```
SELECT lo_export( (SELECT convert_from(pg_read_file('/etc/passwd'), 'UTF8')), '/tmp/payload');
```

The above SQL payload reads the /etc/passwd file and saves it as /tmp/payload. Once the file is retrieved, the exploit uses WebSocket hijacking to establish a reverse shell.

# 🌟 How to Use:

1. Clone the repository:

```
sudo git clone https://github.com/B1ack4ash/Blackash-CVE-2025-1094.git
cd CVE-2025-1094
```

2. Modify the following variables in the script:

* `REVERSE_IP`: Your attacker's IP address
* `REVERSE_PORT`: The port on which your listener is running
* `TARGET_URL`: The vulnerable endpoint to attack
* `WEBSOCKET_URL`: The WebSocket URL to hijack


3. Run the script to exploit the vulnerability and establish a reverse shell.

4. Start your netcat listener on the specified port:

```
nc -lvnp <REVERSE_PORT>
```

# 🌐 Mitigation:

To protect against this vulnerability:

+ Use Prepared Statements: Replace dynamic SQL queries with prepared statements.
+ Validate User Inputs: Always validate and sanitize user inputs to prevent SQL Injection.
+ Restrict PostgreSQL Functions: Limit access to functions like lo_export to trusted users only.
+ Secure WebSocket Connections: Ensure WebSocket connections are authenticated and encrypted.
+ Keep PostgreSQL Updated: Apply the latest security patches and review your PostgreSQL configuration.


# ☣️ Disclaimer:

This exploit is intended for educational purposes only. Ensure that you have explicit permission before testing any system with this exploit. Unauthorized access to computer systems is illegal.
File snapshot

```
[4.0K] /data/pocs/839a49b848c964410b51a80cedce892c54afedd8
├── [1.7K] CVE-2025-1094.py
└── [3.2K] README.md

0 directories, 2 files
```

Cached for you by the Shenlong bot
Notes
    1. We recommend accessing the PoC through its source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.