## https://sploitus.com/exploit?id=7B12EAF5-EBAC-5606-A1F6-EDF65F8B168D
# CVE-2025-1094 Lab Setup
> **Disclaimer**
> This lab is for **educational and research purposes only**.
> Do **NOT** use any of the information or techniques demonstrated here on systems you do not own or have explicit permission to test. Unauthorized use of these methods **may violate laws** and result in severe penalties.
---
## Overview
**CVE-2025-1094** is a critical vulnerability affecting **PostgreSQL**'s interactive tool **`psql`**, discovered in version **14.15** and earlier.
It allows attackers to perform **SQL Injection**, which can lead to **Remote Code Execution (RCE)** under certain conditions.
---
## Root Cause
The vulnerability arises from **improper handling of malformed UTF-8 input** in `psql`.
Because of insufficient validation, an attacker can inject arbitrary SQL or psql meta-commands such as `\!` (shell escape), and can even abuse `COPY ... TO PROGRAM` to run operating-system commands on the database host.
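The malformed-input class described above can be shut out before anything reaches `psql`. The following Python script is an added example, not code from the original lab or from PostgreSQL: `validate_utf8` is a hand-written strict UTF-8 checker that reports the offset and kind of the first defect, `accept_untrusted_text` fails closed on any defect, and the inputs in `SAMPLES` are constructed for the demonstration (the function names and samples are this example's own assumptions).

```python
# Added example (not part of the original lab): a strict UTF-8 gate for untrusted
# input that is about to be handed to psql. Function names and sample inputs are
# this example's own assumptions, not code from the page or from PostgreSQL.


def validate_utf8(data: bytes):
    """Walk the bytes as a strict decoder would and report the first defect.

    Returns (ok, offset, reason). Rejects truncated sequences, stray
    continuation bytes, overlong encodings, surrogates and code points
    above U+10FFFF, i.e. everything a lenient decoder might let through.
    """
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # plain ASCII
            i += 1
            continue
        # The lead byte decides how many continuation bytes follow and the
        # allowed range of the *first* one (that range is what shuts out
        # overlong forms and surrogates).
        if 0xC2 <= b <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF
        elif 0xE1 <= b <= 0xEC or 0xEE <= b <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b == 0xED:
            need, lo, hi = 2, 0x80, 0x9F  # U+D800..U+DFFF are surrogates
        elif b == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF
        elif 0xF1 <= b <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F  # nothing above U+10FFFF
        else:                             # 0x80-0xC1 and 0xF5-0xFF never lead
            return False, i, f"invalid lead byte 0x{b:02x}"
        if i + need >= n:
            return False, i, "truncated multibyte sequence"
        c = data[i + 1]
        if not lo <= c <= hi:
            return False, i + 1, f"invalid continuation byte 0x{c:02x}"
        for j in range(i + 2, i + 1 + need):
            c = data[j]
            if not 0x80 <= c <= 0xBF:
                return False, j, f"invalid continuation byte 0x{c:02x}"
        i += 1 + need
    return True, n, "ok"


def accept_untrusted_text(data: bytes) -> str:
    """Fail closed: only well-formed UTF-8 is decoded and passed on."""
    ok, offset, reason = validate_utf8(data)
    if not ok:
        raise ValueError(f"rejected input at byte {offset}: {reason}")
    return data.decode("utf-8")


# Constructed sample inputs: what an application might receive from a user field.
SAMPLES = {
    "ascii":            b"alice",
    "valid_two_byte":   "caf\u00e9".encode("utf-8"),   # c3 a9
    "truncated":        b"abc\xc3",                      # lead byte with no tail
    "stray_cont":       b"ab\xa9c",                      # continuation byte alone
    "overlong_slash":   b"\xc0\xaf",                     # overlong '/'
    "overlong_3byte":   b"\xe0\x80\xaf",
    "surrogate":        b"\xed\xa0\x80",                 # U+D800
    "above_max":        b"\xf4\x90\x80\x80",             # U+110000
    "quote_after_lead": b"\xe9'abc",                     # bad byte, then a quote
}


def run_samples():
    """Return {name: True if accepted, False if rejected} for every sample."""
    results = {}
    for name, raw in SAMPLES.items():
        try:
            accept_untrusted_text(raw)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} {raw!r:28} -> {validate_utf8(raw)}")
```

The checker mirrors what a correct decoder does, so its verdicts agree with `bytes.decode("utf-8")` in strict mode; the point of spelling it out is that it also tells you *where* and *why* the input is bad, which is what you want in an audit log when an application rejects a field instead of forwarding it to `psql`.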
---
## Impact and Attack Scenarios
- **SQL Injection → RCE**: Malformed UTF-8 strings bypass validation and lead to arbitrary query execution.
- **Abuse of `COPY TO PROGRAM`**: Attackers can execute arbitrary shell commands such as:
  - Reverse shells
  - Reading sensitive files (`/etc/passwd`)
  - Combining with other CVEs for full unauthenticated RCE
- **Integration Risk**: Software using `psql` with untrusted input (e.g., BeyondTrust PRA, Remote Support) is particularly exposed.
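Because the damage in this lab is done by `COPY ... TO PROGRAM` on the server, the server's statement log is the place to look for it. The Python script below is an added example, not code from the original lab or from PostgreSQL: it assumes the server logs every statement (`log_statement = 'all'`, which on the Docker image means appending `-c log_statement=all` to the `docker run` command) and uses constructed log lines in the PostgreSQL 14 default format; `find_program_copies`, `summarize` and the sample lines are this example's own assumptions.

```python
# Added example (not from the original lab or from PostgreSQL): flag every
# COPY ... TO PROGRAM / COPY ... FROM PROGRAM statement in a PostgreSQL log.
# Assumes log_statement = 'all' and the default '%m [%p] ' line prefix; the
# log lines below are constructed for the demonstration.
import re

# 'COPY' ... 'TO PROGRAM' or 'FROM PROGRAM', any case, any amount of whitespace.
PROGRAM_COPY = re.compile(r"\bCOPY\b.*?\b(?:TO|FROM)\s+PROGRAM\b", re.IGNORECASE)
# With log_statement = 'all' each statement is logged as "LOG:  statement: <sql>".
STATEMENT_LINE = re.compile(r"LOG:\s+statement:\s+(.*)$")
# Wording of the permission error PostgreSQL 14 raises when a role that is not a
# superuser and not in pg_execute_server_program tries it; a refused attempt is
# itself worth an alert.
DENIED_MARKER = "to COPY to or from an external program"

# Constructed sample log: one file COPY, two program COPYs, one near miss, one denial.
SAMPLE_LOG = """\
2025-02-20 10:00:01.101 UTC [77] LOG:  statement: SELECT 1
2025-02-20 10:00:02.204 UTC [77] LOG:  statement: COPY users TO '/tmp/users.csv'
2025-02-20 10:00:03.310 UTC [78] LOG:  statement: copy (select 1) to   program 'id'
2025-02-20 10:00:04.415 UTC [78] LOG:  statement: COPY demo FROM PROGRAM 'uname -a'
2025-02-20 10:00:05.520 UTC [79] LOG:  statement: COPY program_list TO STDOUT
2025-02-20 10:00:06.625 UTC [80] ERROR:  must be superuser or a member of the pg_execute_server_program role to COPY to or from an external program
"""


def find_program_copies(log_text):
    """Return [(line_no, kind, detail)] where kind is 'executed' or 'denied'."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = STATEMENT_LINE.search(line)
        if m and PROGRAM_COPY.search(m.group(1)):
            findings.append((line_no, "executed", m.group(1)))
        elif DENIED_MARKER in line:
            findings.append((line_no, "denied", line.split("ERROR:", 1)[1].strip()))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'executed': 2, 'denied': 1}."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_program_copies(SAMPLE_LOG)
    for line_no, kind, detail in hits:
        print(f"line {line_no}: {kind}: {detail}")
    print(summarize(hits))
```

`\!` and the other psql meta-commands run inside the client and never reach the server log; only the SQL they produce does, which is why the detection keys on the `COPY` statement rather than on psql syntax. On the mitigation side, `COPY ... TO PROGRAM` and `COPY ... FROM PROGRAM` are permitted only to superusers and members of `pg_execute_server_program`, and this lab connects as the superuser that the image creates from `POSTGRES_USER`; an application that connects with an ordinary role produces the "denied" line above instead of a shell.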
---
## Lab Requirements
### Victim (Ubuntu)
Install Docker:
```bash
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
```
**Reboot** or **log out and log in again** so that the Docker group membership takes effect.
---
### Attacker (Kali)
Install Python and dependencies:
```bash
sudo apt install -y python3 python3-pip python3-psycopg2 netcat-traditional
```
Ensure **network connectivity** between the attacker and victim machines.
---
## Step 1: Deploy the Vulnerable PostgreSQL Container (Victim)
1. **Pull PostgreSQL 14.15 image**:
```bash
docker pull postgres:14.15
```
2. **Run the container**:
```bash
docker run --name vulnerable_postgres -e POSTGRES_USER=postgres123 -e POSTGRES_PASSWORD=StrongP@ssWord -e POSTGRES_DB=labdb -p 5432:5432 -d postgres:14.15
```
3. **Wait ~5 s for initialization**, then open an interactive psql session in the container (this is where you can create a demo table):
```bash
docker exec -it vulnerable_postgres psql -U postgres123 -d labdb
```
3. If successful, you'll receive a reverse shell from the vulnerable PostgreSQL container:
```text
[*] Connecting to PostgreSQL server...
[+] Connected successfully!
[*] Sending payload...
[✓] Payload executed! Check your Netcat listener for a shell.
```
---
## Example Exploitation Flow
1. Inject malformed UTF-8 to bypass input validation
2. Exploit `COPY ... TO PROGRAM` to execute arbitrary shell commands
3. Reverse shell connects back to the attacker machine
4. Escalate privileges or move laterally inside the environment
---
**Tip:** You can snapshot this vulnerable container and reuse it later without rebuilding the environment.