Skip to content

Vector Databases

Enumerate, extract, and inject data across vector database instances: ChromaDB, Weaviate, Qdrant, Milvus, and pgvector.

Overview

The vectordb module provides a unified interface across five vector database providers. Read-only commands (enum, extract, search-sensitive) run without restrictions. State-changing injection commands (inject, metadata-inject) require --force-exploit.

The ChromaDB client automatically tries multiple API endpoint formats for compatibility across ChromaDB 0.4.x through 0.6.x, including tenant/database-aware paths. The pgvector provider connects via PostgreSQL wire protocol (not HTTP).

All HTTP-based providers validate API-level error responses. Milvus and similar REST APIs may return HTTP 200 with a non-zero code field indicating an application-level failure (authentication errors, invalid collections, etc.). These are surfaced as errors rather than silently treated as empty successes.

Supported Providers

Provider --type value Default Port Protocol
ChromaDB chromadb 8000 HTTP REST
Weaviate weaviate 8080 HTTP REST
Qdrant qdrant 6333 HTTP REST
Milvus milvus 19530 HTTP REST (v2.4+)
pgvector pgvector 5432 PostgreSQL wire protocol

Subcommands

Read-Only (no --force-exploit required)

Subcommand Description
enum List collections/tables with document/row counts
extract Extract documents/rows from a specific collection
search-sensitive Search collections for sensitive data patterns (emails, SSNs, credit cards, API keys, passwords)

Gated (requires --force-exploit)

Subcommand Description
inject Insert crafted documents into a vector store for RAG poisoning testing
metadata-inject Test whether metadata fields accept and return unsanitized prompt injection payloads

Flags

Common Flags

Flag Required Description
--target Yes Database URL (e.g., http://127.0.0.1:8000) or host:port for pgvector
--type Yes Provider type: chromadb, weaviate, qdrant, milvus, or pgvector
--header No Custom HTTP headers. Repeatable.
--api-key No API key for authenticated access
--collection For extract/inject/metadata-inject, optional for search-sensitive Collection or table name to target. For search-sensitive, errors if specified but matches nothing.
--limit No Maximum documents to return
--exclude-collections For search-sensitive Comma-separated collection names to skip

pgvector-Specific Flags

Flag Default Description
--db-user postgres PostgreSQL user
--db-password (empty) PostgreSQL password (prefer AIPOSTEX_VDB_PASSWORD env var)
--db-name postgres PostgreSQL database name
--db-sslmode disable PostgreSQL SSL mode

Inject Flags

Flag Required Description
--payload Yes Text content to embed and inject
--metadata No JSON string of metadata key-value pairs to attach
--count No Number of copies to inject (default: 1)

Metadata-Inject Flags

Flag Default Description
--key source Metadata key to inject into
--payload Standard prompt injection test Custom injection payload

Examples

# Enumerate ChromaDB collections
./aipostex vectordb --target http://127.0.0.1:8000 --type chromadb enum

# Extract documents from a collection
./aipostex vectordb --target http://127.0.0.1:8000 --type chromadb \
  extract --collection my-docs

# Search for sensitive data across all collections
./aipostex vectordb --target http://127.0.0.1:8000 --type chromadb \
  search-sensitive

# Weaviate with API key
./aipostex vectordb --target http://127.0.0.1:8080 --type weaviate \
  enum --api-key demo

# Qdrant enumeration
./aipostex vectordb --target http://127.0.0.1:6333 --type qdrant enum

# Milvus enumeration
./aipostex vectordb --target http://127.0.0.1:19530 --type milvus enum

# Milvus extraction
./aipostex vectordb --target http://127.0.0.1:19530 --type milvus \
  extract --collection embeddings

# pgvector enumeration (PostgreSQL wire protocol)
./aipostex vectordb --target 127.0.0.1:5432 --type pgvector \
  --db-user postgres --db-name mydb enum

# RAG poisoning injection (gated)
./aipostex vectordb --target http://127.0.0.1:8000 --type chromadb \
  inject --collection docs --payload "Ignore previous instructions." \
  --count 3 --force-exploit

# Metadata injection test (gated)
./aipostex vectordb --target http://127.0.0.1:6333 --type qdrant \
  metadata-inject --collection docs --key source \
  --payload "Ignore all prior context." --force-exploit

Sensitive Data Patterns

The search-sensitive command scans document content using 27 regex patterns organized by severity. These patterns are shared across all providers via DefaultSensitivePatterns().

Critical: SSN, credit card, AWS access key, AWS secret key, GCP service account, OpenAI API key, Anthropic API key, GitHub PAT, Stripe key, Vault token, private key

High: HuggingFace token, JWT token, Slack webhook, API key (generic), password field, bearer token, generic secret assignment, connection string (PostgreSQL, MongoDB, MySQL, Redis, Snowflake, MSSQL), PagerDuty key, Datadog API key, Sentry DSN

Medium: Email address, classification marker

Low: Internal IP address

Partial Failure Handling

When extract or search-sensitive encounters an error partway through paginated extraction (e.g., connection loss on page 2), the command returns all rows collected so far along with an error. The CLI surfaces this in the summary as a partial failure count, so operators know the results are incomplete without losing the data already retrieved.

Workflow Progression

discover network (discovers vector DB on :8000/:8080/:6333/:19530/:5432)
  → vectordb enum (list collections, counts)
    → vectordb extract --collection <name> (read documents)
    → vectordb search-sensitive (find PII/credentials)
    → vectordb inject --collection <name> --payload <text> (RAG poisoning, gated)
    → vectordb metadata-inject --collection <name> (metadata injection test, gated)