Conviniently invoke RCE on PostgreSQL servers in network

How does it work?

Few examples to give you an idea:

Scripts does the following:

1. Checks if port is open
2. Bruteforces credentials (using built-in dictionary or user files)
3. Determines PostgreSQL version and OS
4. Executes RCE if database user has enough rights

Live hosts with good credentials are saved to session file. After reconnaissance you may want to run RCE on those:
./psql-mass-rce.py --saved --command 'whoami'

Installation:

pip3 install -r requirements.txt

Which PostgreSQL versions can give me RCE?

PostgreSQL verions 9 and 10 (version 8 is in development).

Any zero-days inside?

Not yet. Technique was published almost 3 years ago.

Will it save my time?

Definately yes.

Full help:

psql-mass-rce v0.1

Usage: psql-mass-rce.py targets [-iL TARGETS_FILE] [--userfile USERFILE]
               [--passfile PASSFILE] [--command COMMAND] [--port PORT]
               [--saved]

Necessary arguments:
  targets              Accepts any number of these: IP, subnet, or .gnmap file

Optional arguments:
  -h, --help           show this help message and exit
  -iL TARGETS_FILE     Load IP[:port] targets from local file
  --userfile USERFILE  File with a list of users
  --passfile PASSFILE  File with a list of passwords
  --command COMMAND    Command to execute on a target machine
  --port PORT          Port to connect
  --saved              Work on targets from saved session file