From SSRF to RCE: A 7-Step Chain Against PostHog
PostHog's SSRF vulnerability, a ClickHouse 0day, and default PostgreSQL credentials were used to build a 7-step remote code execution chain. By bypassing SSRF validation and exploiting SQL injection and static credentials, the attacker ultimately gains full control of the system.

2025-12-26 04:17:54 Author: infosecwriteups.com

Pawan Jaiswal


When a 24-hour research window turned into a 7-step RCE chain, we found that PostHog’s SSRF, a ClickHouse 0day, and default PostgreSQL credentials were the perfect storm for a full remote code execution.

A deep dive into how overlooked validations, a SQL escaping bug, and static credentials turned a simple webhook into a full system compromise.

Source: Mehmet Ince @mdisec — Source link

Highlights


Key points

  • PostHog’s webhook save endpoint bypassed SSRF validations applied during testing.
  • The Rust webhook worker followed HTTP redirects, allowing POST to GET conversion for ClickHouse access.
  • ClickHouse table functions accepted user input that was improperly escaped for PostgreSQL queries.
  • Dollar quoting ($$) bypassed ClickHouse’s backslash escaping, enabling SQL injection into PostgreSQL.
  • Static Docker names and default PostgreSQL credentials formed the final pivot point.
  • The chain culminated in a reverse shell via COPY FROM PROGRAM on the PostgreSQL…
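A defensive example for the first two key points, added here and not taken from PostHog or the original write-up: one destination check shared by the save, test and send paths, re-run on every redirect hop instead of letting the HTTP client follow redirects on its own. The `resolve` and `fetch` callables, `MAX_REDIRECTS`, and the sample hostnames and addresses are assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 3  # assumed budget, not a PostHog setting

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    return (mapped or ip).is_global            # False for loopback, RFC 1918, link-local

def check_destination(url, resolve):
    """Raise ValueError unless url is http(s) and every resolved IP is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    addrs = resolve(parts.hostname)  # resolve(host) -> list of IP strings
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError(f"destination not public: {url}")

def deliver(url, resolve, fetch):
    """Send a webhook; fetch(url) -> (status, location) must not auto-follow redirects."""
    for _ in range(MAX_REDIRECTS + 1):
        check_destination(url, resolve)    # same check used at save and test time
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # a redirect target is a new destination
            continue
        return url, status
    raise ValueError("too many redirects")

# Constructed sample data: names and addresses are illustrative only.
DNS = {"hooks.example.com": ["93.184.216.34"], "clickhouse": ["172.18.0.5"]}

def resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]                      # IP literal, nothing to look up
    except ValueError:
        return DNS.get(host, [])

def fetch(url):
    # Hypothetical transport: one external path redirects to an internal name.
    if url == "https://hooks.example.com/r":
        return 302, "http://clickhouse/"
    return 200, None
```

In a real worker the connection should be made to the address that was validated, so a second DNS lookup cannot return a different answer between the check and the request.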

Article source: https://infosecwriteups.com/from-ssrf-to-rce-a-7-step-chain-against-posthog-d0954b3f26b0?source=rss----7b722bfd1b8d---4