CVE-2019-9193 PoC — PostgreSQL 操作系统命令注入漏洞

Source

https://github.com/b4keSn4ke/CVE-2019-9193

Associated Vulnerability

Title:PostgreSQL 操作系统命令注入漏洞 (CVE-2019-9193)
Description:PostgreSQL是PostgreSQL组织的一套自由的对象关系型数据库管理系统。该系统支持大部分SQL标准并且提供了许多其他特性，例如外键、触发器、视图等。 PostgreSQL 9.3至11.2版本中的导入导出数据命令‘COPY TO/FROM PROGRAM’存在操作系统命令注入漏洞。攻击者可利用该漏洞获取数据库超级用户权限，从而执行任意系统命令。

Description

CVE-2019–9193 - PostgreSQL 9.3-12.3 Authenticated Remote Code Execution

Readme

# CVE-2019–9193 - PostgreSQL 9.3-12.3 Authenticated Remote Code Execution

## Proof of Concept

PostgreSQL Database from version 9.3 to 12.3 (latest tested) are vulnerable to Authenticated Remote Code Execution.<br>
Even if it isn't considered to be a vulnerability itself by the development team, this could be leveraged to gain access to a misconfigured system.

### Help Menu
---
![Help Menu - Proof Of Concept](img/poc-help.png)

### Exploitation example
---
![Exploit - Proof Of Concept](img/poc-example.png)

## References

- NVD: [https://nvd.nist.gov/vuln/detail/CVE-2019-9193](https://nvd.nist.gov/vuln/detail/CVE-2019-9193)
- CVE Details: [https://www.cvedetails.com/cve/CVE-2019-9193/](https://www.cvedetails.com/cve/CVE-2019-9193/)
- PostgreSQL: [https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/)

File Snapshot


 [4.0K]  /data/pocs/954841675f5e44e4e168bb677e93c93e284a36f4
├── [4.1K]  cve-2019-9193.py
├── [4.0K]  img
│   ├── [ 83K]  poc-example.png
│   └── [ 66K]  poc-help.png
└── [ 937]  README.md

1 directory, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!