def main():
#Parse Args
parser = argparse.ArgumentParser(description=DESCRIPTION, formatter_class=argparse.RawTextHelpFormatter)
#1- Parent parsers
parser.add_argument('--version', action='version', version=CURRENT_VERSION)
#1.0- Parent parser: optional
PPoptional = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPoptional._optionals.title = "optional arguments"
PPoptional.add_argument('-v', dest='verbose', action='count', default=0, help='enable verbosity')
PPoptional.add_argument('--sleep', dest='timeSleep', required=False, type=float, default=DEFAULT_TIME_SLEEP, help='time sleep between each test or request (default: %(default)s)')
#1.1- Parent parser: connection options
PPconnection = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPconnection._optionals.title = "connection options"
PPconnection.add_argument('-s', dest='server', required=True, help='server')
PPconnection.add_argument('-p', dest='port', default=1521, required=False, help='port (Default 1521)')
PPconnection.add_argument('-U', dest='user', required=False, help='Oracle username')
PPconnection.add_argument('-P', dest='password', required=False, default=None, help='Oracle password')
PPconnection.add_argument('-d', dest='sid', required=False, help='Oracle System ID (SID)')
PPconnection.add_argument('--sysdba', dest='SYSDBA', action='store_true', default=False, help='connection as SYSDBA')
PPconnection.add_argument('--sysoper', dest='SYSOPER', action='store_true', default=False, help='connection as SYSOPER')
#1.2- Parent parser: output options
PPoutput = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPoutput._optionals.title = "output configurations"
PPoutput.add_argument('--no-color', dest='no-color', required=False, action='store_true', help='no color for output')
PPoutput.add_argument('--output-file',dest='outputFile',default=None,required=False,help='save results in this file')
#1.3- Parent parser: all option
PPallModule = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPallModule._optionals.title = "all module options"
PPallModule.add_argument('-C', dest='credentielsFile', action='store_true', required=False, default=False, help='use credentiels stored in the --accounts-file file (disable -P and -U)')
#1.3- Parent parser: TNS cmd
PPTnsCmd = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPTnsCmd._optionals.title = "TNS cmd options"
PPTnsCmd.add_argument('--ping', dest='ping', action='store_true', required=False, default=False, help='send a TNS ping command to get alias')
PPTnsCmd.add_argument('--version', dest='version', action='store_true', required=False, default=False, help='send a TNS version command to try to get verion')
PPTnsCmd.add_argument('--status', dest='status', action='store_true', required=False, default=False, help='send a TNS status command to get the status')
#1.3- Parent parser: SID Guesser
PPsidguesser = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPsidguesser._optionals.title = "SID guesser options"
PPsidguesser.add_argument('--sids-max-size',dest='sids-max-size',required=False, type=int, default=DEFAULT_SID_MAX_SIZE, help='maximum size of SIDs for the bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sid-charset',dest='sid-charset',required=False, default=DEFAULT_SID_CHARSET, help='charset for the sid bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sids-file',dest='sids-file',required=False,metavar="FILE",default=DEFAULT_SID_FILE, help='file containing SIDs (default: %(default)s)')
PPsidguesser.add_argument('--no-alias-like-sid',dest='no-alias-like-sid',action='store_true',required=False, help='no try listener ALIAS like SIDs (default: %(default)s)')
#1.4- Parent parser: Password Guesser
PPpassguesser = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPpassguesser._optionals.title = "password guesser options"
PPpassguesser.add_argument('--accounts-file',dest='accounts-file',required=False,metavar="FILE",default=DEFAULT_ACCOUNT_FILE,help='file containing Oracle credentials (default: %(default)s)')
PPpassguesser.add_argument('--force-retry',dest='force-retry',action='store_true',help='allow to test multiple passwords for a user without ask you')
#1.5- Parent parser: URL_HTTP
PPutlhttp = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPutlhttp._optionals.title = "http commands"
PPutlhttp.add_argument('--send',dest='send',default=None,required=False,nargs=3,metavar=('ip','port','namefile'),help='send the GET or POST request stored in namefile to ip:port')
PPutlhttp.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPutlhttp.add_argument('--save-reponse',dest='save-reponse',default=None,required=False,metavar='FILE',help='store the response server in this file')
PPutlhttp.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.5- Parent parser: HTTPURITYPE
PPhttpuritype = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPhttpuritype._optionals.title = "http commands"
PPhttpuritype.add_argument('--url',dest='httpUrl',default=None,required=False,help='send a http GET request')
PPhttpuritype.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPhttpuritype.add_argument('--save-reponse',dest='save-reponse',default=None,required=False,metavar='FILE',help='store the response server in this file')
PPhttpuritype.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.6- Parent parser: DBSMAdvisor
PPdbmsadvisor = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPdbmsadvisor._optionals.title = "DBMSAdvisor commands"
PPdbmsadvisor.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteNamefile','localFile'),help='put a file on the remote database server')
PPdbmsadvisor.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.7- Parent parser: DBSMScheduler
PPdbmsscheduler = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPdbmsscheduler._optionals.title = "DBMSScheduler commands"
PPdbmsscheduler.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system')
PPdbmsscheduler.add_argument('--reverse-shell',dest='reverse-shell',required=False,nargs=2,metavar=('ip','port'),help='get a reverse shell')
PPdbmsscheduler.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.8- Parent parser: Java
PPjava = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPjava._optionals.title = "java commands"
PPjava.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system')
PPjava.add_argument('--shell',dest='shell',action='store_true',required=False,help='get a shell on the remote system')
PPjava.add_argument('--reverse-shell',dest='reverse-shell',required=False,nargs=2,metavar=('ip','port'),help='get a reverse shell')
PPjava.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.9- Parent parser: Ctxsys
PPctxsys = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPctxsys._optionals.title = "ctxsys commands"
PPctxsys.add_argument('--getFile',dest='getFile',default=None,required=False,help='read a file on the remote server')
PPctxsys.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.10- Parent parser: Passwords
PPpasswords = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPpasswords._optionals.title = "passwords commands"
PPpasswords.add_argument('--get-passwords',dest='get-passwords',action='store_true',required=False,help='get Oracle hashed passwords')
PPpasswords.add_argument('--get-passwords-from-history',dest='get-passwords-from-history',action='store_true',required=False,help='get Oracle hashed passwords from history')
PPpasswords.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.11- Parent parser: dbmsxslprocessor
PPdbmsxslprocessor = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPdbmsxslprocessor._optionals.title = "DBMSXslprocessor commands"
PPdbmsxslprocessor.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteNamefile','localFile'),help='put a file on the remote database server')
PPdbmsxslprocessor.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.12- Parent parser: externalTable
PPexternaltable = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPexternaltable._optionals.title = "ExternalTable commands"
PPexternaltable.add_argument('--exec',dest='exec',default=None,required=False,nargs=2,metavar=('remotePath','file'),help='execute a system command on the remote system (options no allowed)')
PPexternaltable.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteNamefile','localFile'),help='get a file from the remote database server')
PPexternaltable.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.13- Parent parser: utlfile
PPutlfile = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPutlfile._optionals.title = "utlfile commands"
PPutlfile.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteNamefile','localFile'),help='get a file from the remote database server')
PPutlfile.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteNamefile','localFile'),help='put a file to the remote database server')
PPutlfile.add_argument('--removeFile',dest='removeFile',default=None,required=False,nargs=2,metavar=('remotePath','remoteNamefile'),help='remove a file on the remote database server')
PPutlfile.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.14- Parent parser: UTL_TCP
PPutltcp = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPutltcp._optionals.title = "utltcp commands"
PPutltcp.add_argument('--send-packet',dest='send-packet',default=None,required=False,nargs=3,metavar=('ip','port','filename'),help='send a packet')
PPutltcp.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPutltcp.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.15- Parent parser: STEAL_REMOTE_PASSWORDS
PPstealRemotePass = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPstealRemotePass._optionals.title = "stealRemotePasswords commands"
PPstealRemotePass.add_argument('-s', dest='server', required=True, help='server')
PPstealRemotePass.add_argument('-p', dest='port', default=1521, required=False, help='port (Default 1521)')
PPstealRemotePass.add_argument('-d', dest='sid', required=False, help='Oracle System ID (SID)')
PPstealRemotePass.add_argument('-U', dest='user', required=False, help='Valid Oracle username')
PPstealRemotePass.add_argument('-P', dest='password', required=False, default=None, help='Valid Oracle password')
PPstealRemotePass.add_argument('--get-all-passwords',dest='get-all-passwords',action='store_true',default=None,required=False,help='get all hashed passwords thanks to the user/password list')
PPstealRemotePass.add_argument('--decrypt-sessions',dest='decrypt-sessions',nargs=2,metavar=('sessionList.txt','passwordList.txt'),default=None,required=False,help='decrypt sessions stored in a file')
PPstealRemotePass.add_argument('--user-list',dest='user-list',required=False,metavar="FILE",default=DEFAULT_ACCOUNT_FILE,help='file containing Oracle credentials (default: %(default)s)')
PPstealRemotePass.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.16- Parent parser: Oradbg
PPoradbg = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPoradbg._optionals.title = "oradbg commands"
PPoradbg.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system (no args allowed)')
PPoradbg.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.12- Parent parser: DBMS_LOB
PPdbmsLob = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPdbmsLob._optionals.title = "DBMS_LOB commands (new)"
PPdbmsLob.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteNamefile','localFile'),help='get a file from the remote database server')
PPdbmsLob.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.17- Parent parser: usernamelikepassword
PPusernamelikepassword = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPusernamelikepassword._optionals.title = "usernamelikepassword commands"
PPusernamelikepassword.add_argument('--run',dest='run',action='store_true',required=True,help='try to connect using each Oracle username like the password')
PPusernamelikepassword.add_argument('--force-retry',dest='force-retry',action='store_true',help='allow to test multiple passwords for a user without ask you')
#1.18- Parent parser: smb
PPsmb = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPsmb._optionals.title = "smb commands"
PPsmb.add_argument('--capture',dest='captureSMBAuthentication',default=None,required=False,nargs=2,metavar=('local_ip','share_name'),help='capture the smb authentication')
PPsmb.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.19- Parent parser: clean
PPclean = argparse.ArgumentParser(add_help=False,formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=MAX_HELP_POSITION))
PPclean._optionals.title = "clean commands"
PPclean.add_argument('--all',dest='all',action='store_true',required=True,help='clean all traces and logs stored locally')
#2- main commands
subparsers = parser.add_subparsers(help='\nChoose a main command')
#2.a- Run all modules
parser_all = subparsers.add_parser('all',parents=[PPoptional,PPconnection,PPallModule,PPoutput,PPsidguesser,PPpassguesser],help='to run all modules in order to know what it is possible to do')
parser_all.set_defaults(func=runAllModules,auditType='all')
#2.b- tnscmd
parser_tnscmd = subparsers.add_parser('tnscmd',parents=[PPoptional,PPconnection,PPTnsCmd,PPoutput],help='to communicate with the TNS listener')
parser_tnscmd.set_defaults(func=runTnsCmdModule,auditType='tnscmd')
#2.b- SIDGuesser
parser_sidGuesser = subparsers.add_parser('sidguesser',parents=[PPoptional,PPconnection,PPsidguesser,PPoutput],help='to know valid SIDs')
parser_sidGuesser.set_defaults(func=runSIDGuesserModule,auditType='sidGuesser')
#2.c- PasswordGuesser
parser_passwordGuesser = subparsers.add_parser('passwordguesser',parents=[PPoptional,PPconnection,PPpassguesser,PPoutput],help='to know valid credentials')
parser_passwordGuesser.set_defaults(func=runPasswordGuesserModule,auditType='passwordGuesser')
#2.d- UTL_HTTP
parser_utlhttp = subparsers.add_parser('utlhttp',parents=[PPoptional,PPconnection,PPutlhttp,PPoutput],help='to send HTTP requests or to scan ports')
parser_utlhttp.set_defaults(func=runUtlHttpModule,auditType='utl_http')
#2.e- HTTPURITYPE
parser_httpuritype = subparsers.add_parser('httpuritype',parents=[PPoptional,PPconnection,PPhttpuritype,PPoutput],help='to send HTTP requests or to scan ports')
parser_httpuritype.set_defaults(func=runHttpUriTypeModule,auditType='httpuritype')
#2.e- UTL_TCP
parser_utltcp = subparsers.add_parser('utltcp',parents=[PPoptional,PPconnection,PPutltcp,PPoutput],help='to scan ports')
parser_utltcp.set_defaults(func=runUtlTcpModule,auditType='utltcp')
#2.f- CTXSYS
parser_ctxsys = subparsers.add_parser('ctxsys',parents=[PPoptional,PPconnection,PPctxsys,PPoutput],help='to read files')
parser_ctxsys.set_defaults(func=runCtxsysModule,auditType='ctxsys')
#2.g- EXTERNAL TABLE
parser_externaltable = subparsers.add_parser('externaltable',parents=[PPoptional,PPconnection,PPexternaltable,PPoutput],help='to read files or to execute system commands/scripts')
parser_externaltable.set_defaults(func=runExternalTableModule,auditType='externaltable')
#2.h- DBMS_XSLPROCESSOR
parser_dbmsxslprocessor = subparsers.add_parser('dbmsxslprocessor',parents=[PPoptional,PPconnection,PPdbmsxslprocessor,PPoutput],help='to upload files')
parser_dbmsxslprocessor.set_defaults(func=runDbmsXslprocessorModule,auditType='dbmsxslprocessor')
#2.i- DBMSADVISOR
parser_dbmsadvisor = subparsers.add_parser('dbmsadvisor',parents=[PPoptional,PPconnection,PPdbmsadvisor,PPoutput],help='to upload files')
parser_dbmsadvisor.set_defaults(func=runDbmsadvisorModule,auditType='dbmsadvisor')
#2.j- UTL_FILE
parser_utlfile = subparsers.add_parser('utlfile',parents=[PPoptional,PPconnection,PPutlfile,PPoutput],help='to download/upload/delete files')
parser_utlfile.set_defaults(func=runUtlFileModule,auditType='utlfile')
#2.k- DBMSSCHEDULER
parser_dbmsscheduler = subparsers.add_parser('dbmsscheduler',parents=[PPoptional,PPconnection,PPdbmsscheduler,PPoutput],help='to execute system commands without a standard output')
parser_dbmsscheduler.set_defaults(func=runDbmsSchedulerModule,auditType='dbmsscheduler')
#2.l- JAVA
parser_java = subparsers.add_parser('java',parents=[PPoptional,PPconnection,PPjava,PPoutput],help='to execute system commands')
parser_java.set_defaults(func=runjavaModule,auditType='java')
#2.m- Passwords
parser_passwords = subparsers.add_parser('passwordstealer',parents=[PPoptional,PPconnection,PPpasswords,PPoutput],help='to get hashed Oracle passwords')
parser_passwords.set_defaults(func=runPasswordsModule,auditType='passwords')
#2.n- Oradbg
parser_oradbg = subparsers.add_parser('oradbg',parents=[PPoptional,PPconnection,PPoradbg,PPoutput],help='to execute a bin or script')
parser_oradbg.set_defaults(func=runOradbgModule,auditType='oradbg')
#2.o- DBMS_LOB
parser_dbmslob = subparsers.add_parser('dbmslob',parents=[PPoptional,PPconnection,PPdbmsLob,PPoutput],help='to download files')
parser_dbmslob.set_defaults(func=runDbmsLob,auditType='dbmslob')
#2.o- steal Passwords (CVE-2012-313)
parser_passwords = subparsers.add_parser('stealremotepwds',parents=[PPoptional,PPstealRemotePass,PPoutput],help='to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)')
parser_passwords.set_defaults(func=runCVE20123137Module,auditType='passwords')
#2.p- username like password
parser_usernamelikepassword = subparsers.add_parser('userlikepwd',parents=[PPoptional,PPconnection,PPusernamelikepassword,PPoutput],help='to try each Oracle username stored in the DB like the corresponding pwd')
parser_usernamelikepassword.set_defaults(func=runUsernameLikePassword,auditType='usernamelikepassword')
#2.q- smb
parser_smb = subparsers.add_parser('smb',parents=[PPoptional,PPconnection,PPsmb,PPoutput],help='to capture the SMB authentication')
parser_smb.set_defaults(func=runSMBModule,auditType='smb')
#2.q- clean
parser_clean = subparsers.add_parser('clean',parents=[PPoptional,PPclean,PPoutput],help='clean traces and logs')
parser_clean.set_defaults(func=runClean,auditType='clean')
#3- parse the args
if ARGCOMPLETE_AVAILABLE == True : argcomplete.autocomplete(parser)
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
#4- Configure logging and output
configureLogging(args)
args['print'] = Output(args)
#Start the good function
if args['auditType']!='clean' and ipOrNameServerHasBeenGiven(args) == False : return EXIT_MISS_ARGUMENT
arguments.func(args)
exit(ALL_IS_OK)
def main():
#Parse Args
myFormatterClass = lambda prog: MyFormatter(prog, max_help_position=MAX_HELP_POSITION, width=MAX_HELP_WIDTH)
mySubFormatterClass = lambda prog: MyFormatter(prog, max_help_position=MAX_SUB_HELP_POSITION, width=MAX_HELP_WIDTH)
mySpecialSubFormatterClass = lambda prog: MyFormatter(prog, max_help_position=MAX_SPECIAL_SUB_HELP_POSITION, width=MAX_HELP_WIDTH)
parser = argparse.ArgumentParser(description=DESCRIPTION, formatter_class=myFormatterClass)
#1- Parent parsers
parser.add_argument('--version', action='version', version=CURRENT_VERSION)
#1.0- Parent parser: optional
PPoptional = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPoptional._optionals.title = "optional arguments"
PPoptional.add_argument('-v', dest='verbose', action='count', default=0, help='enable verbosity (-vv for more)')
PPoptional.add_argument('--sleep', dest='timeSleep', required=False, type=float, default=DEFAULT_TIME_SLEEP, help='time sleep between each test or request (default: %(default)s)')
PPoptional.add_argument('--encoding', dest='encoding', required=False, default=DEFAULT_ENCODING, help='output encoding (default: %(default)s)')
#1.1- Parent parser: connection options
PPconnection = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPconnection._optionals.title = "connection options"
PPconnection.add_argument('-s', dest='server', required=False, help='server')
PPconnection.add_argument('-p', dest='port', default=1521, type=int, required=False, help='port (Default 1521)')
PPconnection.add_argument('-U', dest='user', required=False, help='Oracle username')
PPconnection.add_argument('-P', dest='password', required=False, default=None, help='Oracle password')
PPconnection.add_argument('-d', dest='sid', required=False, help='Oracle System ID (SID)')
PPconnection.add_argument('-t', dest='tnsConnectionStringMode', action='store_true', default=False, help='connection with a TNS connection sting')
PPconnection.add_argument('--sysdba', dest='SYSDBA', action='store_true', default=False, help='connection as SYSDBA')
PPconnection.add_argument('--sysoper', dest='SYSOPER', action='store_true', default=False, help='connection as SYSOPER')
#1.2- Parent parser: output options
PPoutput = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPoutput._optionals.title = "output configurations"
PPoutput.add_argument('--no-color', dest='no-color', required=False, action='store_true', help='no color for output')
PPoutput.add_argument('--output-file',dest='outputFile',default=None,required=False,help='save results in this file')
#1.3- Parent parser: all option
PPallModule = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPallModule._optionals.title = "all module options"
PPallModule.add_argument('-C', dest='credentialsFile', action='store_true', required=False, default=False, help='use credentials stored in the --accounts-file file (disable -P and -U)')
PPallModule.add_argument('--no-tns-poisoning-check', dest='no-tns-poisoning-check', action='store_true', required=False, default=False, help="don't check if target is vulnreable to TNS poisoning")
#1.3bis- Parent parser: TNS cmd
PPTnsCmd = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPTnsCmd._optionals.title = "TNS cmd options"
PPTnsCmd.add_argument('--ping', dest='ping', action='store_true', required=False, default=False, help='send a TNS ping command to get alias')
PPTnsCmd.add_argument('--version', dest='version', action='store_true', required=False, default=False, help='send a TNS version command to try to get verion')
PPTnsCmd.add_argument('--status', dest='status', action='store_true', required=False, default=False, help='send a TNS status command to get the status')
#1.3tier- Parent parser: Tns poisoning
PPTnsPoison = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPTnsPoison._optionals.title = "TNS poisoning options"
PPTnsPoison.add_argument('--test-module',dest='test-module',action='store_true',help='test if the target is vulnerable (CVE-2012-1675)')
PPTnsPoison.add_argument('--poison', dest='poison', action='store_true', required=False, default=False, help='exploit the TNS poisonint attack')
PPTnsPoisonSub = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPTnsPoisonSub._optionals.title = "TNS poisoning sub options"
PPTnsPoisonSub.add_argument('--listening-port', dest='listening-port', default=DEFAULT_LOCAL_LISTENING_PORT_TNS_POISON, required=False, help='listening port for proxy (min: 1000, max: 9999, default: %(default)s)')
PPTnsPoisonSub.add_argument('--cstring', dest='cstring', default=None, required=False, help='connection string used by Oracle clients when SID>=9')
PPTnsPoisonSub.add_argument('--replace', dest='replace', nargs=2, metavar=('value','newvalue'), default=[None, None], help='replace a string in the communication established')
PPTnsPoisonSub.add_argument('--sleep-time', dest='sleeptime', default=10, required=False, help='sleep time between each TNS registration sent %(default)s)')
#1.3- Parent parser: SID Guesser
PPsidguesser = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPsidguesser._optionals.title = "SID guesser options"
PPsidguesser.add_argument('--sids-min-size',dest='sids-min-size',required=False, type=int, default=DEFAULT_SID_MIN_SIZE, help='minimum size of SIDs for the bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sids-max-size',dest='sids-max-size',required=False, type=int, default=DEFAULT_SID_MAX_SIZE, help='maximum size of SIDs for the bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sid-charset',dest='sid-charset',required=False, default=DEFAULT_SID_CHARSET, help='charset for the sid bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sids-file',dest='sids-file',required=False,metavar="FILE",default=DEFAULT_SID_FILE, help='file containing SIDs (default: %(default)s)')
PPsidguesser.add_argument('--no-alias-like-sid',dest='no-alias-like-sid',action='store_true',required=False, help='no try listener ALIAS like SIDs (default: %(default)s)')
#1.4- Parent parser: Password Guesser
PPpassguesser = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPpassguesser._optionals.title = "password guesser options"
PPpassguesser.add_argument('--accounts-file',dest='accounts-file',required=False,metavar="FILE",default=DEFAULT_ACCOUNT_FILE,help='file containing Oracle credentials (default: %(default)s)')
PPpassguesser.add_argument('--accounts-files',dest='accounts-files',required=False,nargs=2,metavar=('loginFile','pwdFile'),default=[None, None],help='files containing logins and passwords (default: %(default)s)')
PPpassguesser.add_argument('--login-as-pwd',dest='login-as-pwd',action='store_true',help='each login will be tested as password (lowercase & uppercase)')
PPpassguesser.add_argument('--force-retry',dest='force-retry',action='store_true',help='allow to test multiple passwords for a user without ask you')
#1.5- Parent parser: URL_HTTP
PPutlhttp = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPutlhttp._optionals.title = "http commands"
PPutlhttp.add_argument('--send',dest='send',default=None,required=False,nargs=3,metavar=('ip','port','namefile'),help='send the GET or POST request stored in namefile to ip:port')
PPutlhttp.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPutlhttp.add_argument('--save-reponse',dest='save-reponse',default=None,required=False,metavar='FILE',help='store the response server in this file')
PPutlhttp.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.5- Parent parser: HTTPURITYPE
PPhttpuritype = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPhttpuritype._optionals.title = "http commands"
PPhttpuritype.add_argument('--url',dest='httpUrl',default=None,required=False,help='send a http GET request')
PPhttpuritype.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPhttpuritype.add_argument('--save-reponse',dest='save-reponse',default=None,required=False,metavar='FILE',help='store the response server in this file')
PPhttpuritype.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.6- Parent parser: DBSMAdvisor
PPdbmsadvisor = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsadvisor._optionals.title = "DBMSAdvisor commands"
PPdbmsadvisor.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='put a file on the remote database server')
PPdbmsadvisor.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.7- Parent parser: DBSMScheduler
PPdbmsscheduler = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsscheduler._optionals.title = "DBMSScheduler commands"
PPdbmsscheduler.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system')
PPdbmsscheduler.add_argument('--reverse-shell',dest='reverse-shell',required=False,nargs=2,metavar=('ip','port'),help='get a reverse shell')
PPdbmsscheduler.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.8- Parent parser: Java
PPjava = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPjava._optionals.title = "java commands"
PPjava.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system')
PPjava.add_argument('--shell',dest='shell',action='store_true',required=False,help='get a shell on the remote system')
PPjava.add_argument('--path-shell',dest='path-shell',default="/bin/sh",required=False,help='specify path to shell (default: %(default)s)')
PPjava.add_argument('--reverse-shell',dest='reverse-shell',required=False,nargs=2,metavar=('ip','port'),help='get a reverse shell')
PPjava.add_argument('--create-file-CVE-2018-3004',dest='create-file-CVE-2018-3004',required=False,nargs=2,metavar=('data','filename'),help='create (or append to) a file with CVE-2018-3004 (Bypass built in Oracle JVM security)')
PPjava.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.9- Parent parser: Ctxsys
PPctxsys = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPctxsys._optionals.title = "ctxsys commands"
PPctxsys.add_argument('--getFile',dest='getFile',default=None,required=False,help='read a file on the remote server')
PPctxsys.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.10- Parent parser: Passwords
PPpasswords = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPpasswords._optionals.title = "passwords commands"
PPpasswords.add_argument('--get-passwords',dest='get-passwords',action='store_true',required=False,help='get Oracle hashed passwords (accounts can be locked or not)')
PPpasswords.add_argument('--get-passwords-not-locked',dest='get-passwords-not-locked',action='store_true',required=False,help='get Oracle hashed passwords when account is not locked')
PPpasswords.add_argument('--get-passwords-from-history',dest='get-passwords-from-history',action='store_true',required=False,help='get Oracle hashed passwords from history')
PPpasswords.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.11- Parent parser: dbmsxslprocessor
PPdbmsxslprocessor = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsxslprocessor._optionals.title = "DBMSXslprocessor commands"
PPdbmsxslprocessor.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='put a file on the remote database server')
PPdbmsxslprocessor.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.12- Parent parser: externalTable
PPexternaltable = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPexternaltable._optionals.title = "ExternalTable commands"
PPexternaltable.add_argument('--exec',dest='exec',default=None,required=False,nargs=2,metavar=('remotePath','file'),help='execute a system command on the remote system (options no allowed)')
PPexternaltable.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='get a file from the remote database server')
PPexternaltable.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.13- Parent parser: utlfile
PPutlfile = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPutlfile._optionals.title = "utlfile commands"
PPutlfile.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='get a file from the remote database server')
PPutlfile.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='put a file to the remote database server')
PPutlfile.add_argument('--removeFile',dest='removeFile',default=None,required=False,nargs=2,metavar=('remotePath','remoteFile'),help='remove a file on the remote database server')
PPutlfile.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.14- Parent parser: UTL_TCP
PPutltcp = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPutltcp._optionals.title = "utltcp commands"
PPutltcp.add_argument('--send-packet',dest='send-packet',default=None,required=False,nargs=3,metavar=('ip','port','filename'),help='send a packet')
PPutltcp.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPutltcp.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.15- Parent parser: STEAL_REMOTE_PASSWORDS
PPstealRemotePass = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPstealRemotePass._optionals.title = "stealRemotePasswords commands"
PPstealRemotePass.add_argument('-s', dest='server', required=True, help='server')
PPstealRemotePass.add_argument('-p', dest='port', default=1521, required=False, help='port (Default 1521)')
PPstealRemotePass.add_argument('-d', dest='sid', required=False, help='Oracle System ID (SID)')
PPstealRemotePass.add_argument('-U', dest='user', required=False, help='Valid Oracle username')
PPstealRemotePass.add_argument('-P', dest='password', required=False, default=None, help='Valid Oracle password')
PPstealRemotePass.add_argument('--get-all-passwords',dest='get-all-passwords',action='store_true',default=None,required=False,help='get all hashed passwords thanks to the user/password list')
PPstealRemotePass.add_argument('--decrypt-sessions',dest='decrypt-sessions',nargs=2,metavar=('sessionFile','pwdFile'),default=None,required=False,help='decrypt sessions stored in a file')
PPstealRemotePass.add_argument('--user-list',dest='user-list',required=False,metavar="FILE",default=DEFAULT_ACCOUNT_FILE,help='file containing Oracle credentials (default: %(default)s)')
PPstealRemotePass.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.16- Parent parser: Oradbg
PPoradbg = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPoradbg._optionals.title = "oradbg commands"
PPoradbg.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system (no args allowed)')
PPoradbg.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.12- Parent parser: DBMS_LOB
PPdbmsLob = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsLob._optionals.title = "DBMS_LOB commands (new)"
PPdbmsLob.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='get a file from the remote database server')
PPdbmsLob.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.17- Parent parser: usernamelikepassword
PPusernamelikepassword = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPusernamelikepassword._optionals.title = "usernamelikepassword commands"
PPusernamelikepassword.add_argument('--run',dest='run',action='store_true',required=True,help='try to connect using each Oracle username like the password')
PPusernamelikepassword.add_argument('--force-retry',dest='force-retry',action='store_true',help='allow to test multiple passwords for a user without ask you')
PPusernamelikepassword.add_argument('--additional-pwd',dest='additional-pwd',nargs='+',help='try these passwords for each user also (default: %(default)s)')
#1.18- Parent parser: smb
PPsmb = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPsmb._optionals.title = "smb commands"
PPsmb.add_argument('--capture',dest='captureSMBAuthentication',default=None,required=False,nargs=2,metavar=('local_ip','share_name'),help='capture the smb authentication')
PPsmb.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.19- Parent parser: PrivilegeEscalation
PPprivilegeEscalation0 = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPprivilegeEscalation0._optionals.title = "helpful privesc commands"
PPprivilegeEscalation0.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
PPprivilegeEscalation0.add_argument('--get-privs',dest='get-privs',action='store_true',help='get current privileges and roles')
PPprivilegeEscalation0.add_argument('--get-detailed-privs',dest='get-detailed-privs',action='store_true',help='get current privileges and roles + roles and privileges of roles granted')
PPprivilegeEscalation = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPprivilegeEscalation._optionals.title = "privesc commands for automatic exploitation"
PPprivilegeEscalation.add_argument('--dba-with-execute-any-procedure',dest='dba-with-execute-any-procedure',action='store_true',help='grant DBA role to current user with CREATE/EXECUTE ANY PROCEDURE method')
PPprivilegeEscalation.add_argument('--alter-pwd-with-create-any-procedure',dest='alter-pwd-with-create-any-procedure',nargs=2,metavar=('user','new-password'),default=None,required=False,help='alter password of any Oracle user with CREATE ANY PROCEDURE method')
PPprivilegeEscalation.add_argument('--dba-with-create-any-trigger',dest='dba-with-create-any-trigger',action='store_true',help='grant DBA role to current user with CREATE ANY TRIGGER method')
PPprivilegeEscalation.add_argument('--dba-with-analyze-any',dest='dba-with-analyze-any',action='store_true',help='grant DBA role to current user with ANALYZE ANY method')
PPprivilegeEscalation.add_argument('--dba-with-create-any-index',dest='dba-with-create-any-index',action='store_true',help='grant DBA role to current user with CREATE ANY INDEX method')
PPprivilegeEscalation.add_argument('--revoke-dba-role',dest='revoke-dba-role',action='store_true',help='revoke dba role from current user')
PPprivilegeEscalation2 = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPprivilegeEscalation2._optionals.title = "privesc commands for semi-manual exploitation"
PPprivilegeEscalation2.add_argument('--exec-with-execute-any-procedure',dest='exec-with-execute-any-procedure',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE/EXECUTE ANY PROCEDURE method')
PPprivilegeEscalation2.add_argument('--exec-with-create-any-procedure',dest='exec-with-create-any-procedure',nargs=1,metavar=('request'),help='execute this request as APEX_040200 with CREATE ANY PROCEDURE method')
PPprivilegeEscalation2.add_argument('--exec-with-create-any-trigger',dest='exec-with-create-any-trigger',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE ANY TRIGGER method')
PPprivilegeEscalation2.add_argument('--exec-with-analyze-any',dest='exec-with-analyze-any',nargs=1,metavar=('request'),help='execute this request as SYS with ANALYZE ANY method')
PPprivilegeEscalation2.add_argument('--exec-with-create-any-index',dest='exec-with-create-any-index',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE ANY INDEX method')
#1.20- Parent parser: CVE_XXXX_YYYY
PPcve = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPcve._optionals.title = "cve commands"
PPcve.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
PPcve.add_argument('--set-pwd-2014-4237',dest='set-pwd-2014-4237',nargs=2,metavar=('username','password'),help="modify a Oracle user's password using CVE-2014-4237")
PPcve.add_argument('--cve-2018-3004',dest='cve-2018-3004',nargs=2,metavar=('path','dataInFile'),help="create/modify a text file on the target using CVE-2018-3004")
#1.21- Parent parser: search
PPsearch = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPsearch._optionals.title = "search commands"
PPsearch.add_argument('--column-names',dest='column-names',default=None,required=False,metavar='sqlPattern',help='search pattern in all collumns')
PPsearch.add_argument('--pwd-column-names',dest='pwd-column-names',action='store_true',help='search password patterns in all collumns')
PPsearch.add_argument('--desc-tables',dest='desc-tables',action='store_true',help='describe each table which is accessible')
PPsearch.add_argument('--show-empty-columns',dest='show-empty-columns',action='store_true',help='show columns even if columns are empty')
PPsearch.add_argument('--without-example',dest='without-example',action='store_true',help="don't get an example value when column matches")
PPsearch.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.22- Parent parser: unwrapper
PPunwrapper = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPunwrapper._optionals.title = "unwrapper commands"
PPunwrapper.add_argument('--object-name',dest='object-name',default=None,required=False,help='unwrap this object stored in the database')
PPunwrapper.add_argument('--object-type',dest='object-type',default=None,required=False, choices=["FUNCTION","JAVA SOURCE","PACKAGE","PACKAGE BODY","PROCEDURE","TRIGGER","TYPE","TYPE BODY"], help='define the object type')
PPunwrapper.add_argument('--file',dest='file',default=None,required=False,help='unwrap the source code stored in a file')
PPunwrapper.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.23- Parent parser: clean
PPclean = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPclean._optionals.title = "clean commands"
PPclean.add_argument('--all',dest='all',action='store_true',required=True,help='clean all traces and logs stored locally')
#2- main commands
subparsers = parser.add_subparsers(help='\nChoose a main command')
#2.a- Run all modules
parser_all = subparsers.add_parser('all',parents=[PPoptional,PPconnection,PPallModule,PPoutput,PPsidguesser,PPpassguesser], formatter_class=mySubFormatterClass, help='to run all modules in order to know what it is possible to do')
parser_all.set_defaults(func=runAllModules,auditType='all')
#2.b- tnscmd
parser_tnscmd = subparsers.add_parser('tnscmd',parents=[PPoptional,PPconnection,PPTnsCmd,PPoutput], formatter_class=mySubFormatterClass, help='to communicate with the TNS listener')
parser_tnscmd.set_defaults(func=runTnsCmdModule,auditType='tnscmd')
#2.b- tnspoison
parser_tnspoison = subparsers.add_parser('tnspoison',parents=[PPoptional,PPconnection,PPTnsPoison,PPTnsPoisonSub, PPoutput], formatter_class=mySubFormatterClass, help='to exploit TNS poisoning attack')
parser_tnspoison.set_defaults(func=runTnsPoisonModule,auditType='tnspoison')
#2.b- SIDGuesser
parser_sidGuesser = subparsers.add_parser('sidguesser',parents=[PPoptional,PPconnection,PPsidguesser,PPoutput], formatter_class=mySubFormatterClass, help='to know valid SIDs')
parser_sidGuesser.set_defaults(func=runSIDGuesserModule,auditType='sidGuesser')
#2.c- PasswordGuesser
parser_passwordGuesser = subparsers.add_parser('passwordguesser',parents=[PPoptional,PPconnection,PPpassguesser,PPoutput], formatter_class=mySubFormatterClass, help='to know valid credentials')
parser_passwordGuesser.set_defaults(func=runPasswordGuesserModule,auditType='passwordGuesser')
#2.d- UTL_HTTP
parser_utlhttp = subparsers.add_parser('utlhttp',parents=[PPoptional,PPconnection,PPutlhttp,PPoutput], formatter_class=mySubFormatterClass, help='to send HTTP requests or to scan ports')
parser_utlhttp.set_defaults(func=runUtlHttpModule,auditType='utl_http')
#2.e- HTTPURITYPE
parser_httpuritype = subparsers.add_parser('httpuritype',parents=[PPoptional,PPconnection,PPhttpuritype,PPoutput], formatter_class=mySubFormatterClass, help='to send HTTP requests or to scan ports')
parser_httpuritype.set_defaults(func=runHttpUriTypeModule,auditType='httpuritype')
#2.e- UTL_TCP
parser_utltcp = subparsers.add_parser('utltcp',parents=[PPoptional,PPconnection,PPutltcp,PPoutput], formatter_class=mySubFormatterClass, help='to scan ports')
parser_utltcp.set_defaults(func=runUtlTcpModule,auditType='utltcp')
#2.f- CTXSYS
parser_ctxsys = subparsers.add_parser('ctxsys',parents=[PPoptional,PPconnection,PPctxsys,PPoutput], formatter_class=mySubFormatterClass, help='to read files')
parser_ctxsys.set_defaults(func=runCtxsysModule,auditType='ctxsys')
#2.g- EXTERNAL TABLE
parser_externaltable = subparsers.add_parser('externaltable',parents=[PPoptional,PPconnection,PPexternaltable,PPoutput], formatter_class=mySubFormatterClass, help='to read files or to execute system commands/scripts')
parser_externaltable.set_defaults(func=runExternalTableModule,auditType='externaltable')
#2.h- DBMS_XSLPROCESSOR
parser_dbmsxslprocessor = subparsers.add_parser('dbmsxslprocessor',parents=[PPoptional,PPconnection,PPdbmsxslprocessor,PPoutput], formatter_class=mySubFormatterClass, help='to upload files')
parser_dbmsxslprocessor.set_defaults(func=runDbmsXslprocessorModule,auditType='dbmsxslprocessor')
#2.i- DBMSADVISOR
parser_dbmsadvisor = subparsers.add_parser('dbmsadvisor',parents=[PPoptional,PPconnection,PPdbmsadvisor,PPoutput], formatter_class=mySubFormatterClass, help='to upload files')
parser_dbmsadvisor.set_defaults(func=runDbmsadvisorModule,auditType='dbmsadvisor')
#2.j- UTL_FILE
parser_utlfile = subparsers.add_parser('utlfile',parents=[PPoptional,PPconnection,PPutlfile,PPoutput], formatter_class=mySubFormatterClass, help='to download/upload/delete files')
parser_utlfile.set_defaults(func=runUtlFileModule,auditType='utlfile')
#2.k- DBMSSCHEDULER
parser_dbmsscheduler = subparsers.add_parser('dbmsscheduler',parents=[PPoptional,PPconnection,PPdbmsscheduler,PPoutput], formatter_class=mySubFormatterClass, help='to execute system commands without a standard output')
parser_dbmsscheduler.set_defaults(func=runDbmsSchedulerModule,auditType='dbmsscheduler')
#2.l- JAVA
parser_java = subparsers.add_parser('java',parents=[PPoptional,PPconnection,PPjava,PPoutput], formatter_class=mySubFormatterClass, help='to execute system commands')
parser_java.set_defaults(func=runjavaModule,auditType='java')
#2.m- Passwords
parser_passwords = subparsers.add_parser('passwordstealer',parents=[PPoptional,PPconnection,PPpasswords,PPoutput], formatter_class=mySubFormatterClass, help='to get hashed Oracle passwords')
parser_passwords.set_defaults(func=runPasswordsModule,auditType='passwords')
#2.n- Oradbg
parser_oradbg = subparsers.add_parser('oradbg',parents=[PPoptional,PPconnection,PPoradbg,PPoutput], formatter_class=mySubFormatterClass, help='to execute a bin or script')
parser_oradbg.set_defaults(func=runOradbgModule,auditType='oradbg')
#2.o- DBMS_LOB
parser_dbmslob = subparsers.add_parser('dbmslob',parents=[PPoptional,PPconnection,PPdbmsLob,PPoutput], formatter_class=mySubFormatterClass, help='to download files')
parser_dbmslob.set_defaults(func=runDbmsLob,auditType='dbmslob')
#2.o- steal Passwords (CVE-2012-313)
parser_passwords = subparsers.add_parser('stealremotepwds',parents=[PPoptional,PPstealRemotePass,PPoutput], formatter_class=mySubFormatterClass, help='to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)')
parser_passwords.set_defaults(func=runCVE20123137Module,auditType='passwords')
#2.p- username like password
parser_usernamelikepassword = subparsers.add_parser('userlikepwd',parents=[PPoptional,PPconnection,PPusernamelikepassword,PPoutput], formatter_class=mySubFormatterClass, help='to try each Oracle username stored in the DB like the corresponding pwd')
parser_usernamelikepassword.set_defaults(func=runUsernameLikePassword,auditType='usernamelikepassword')
#2.q- smb
parser_smb = subparsers.add_parser('smb',parents=[PPoptional,PPconnection,PPsmb,PPoutput], formatter_class=mySubFormatterClass, help='to capture the SMB authentication')
parser_smb.set_defaults(func=runSMBModule,auditType='smb')
#2.q- privilegeEscalation
parser_privilegeEscalation = subparsers.add_parser('privesc',parents=[PPoptional,PPconnection,PPprivilegeEscalation0, PPprivilegeEscalation,PPprivilegeEscalation2,PPoutput], formatter_class=mySpecialSubFormatterClass, help='to gain elevated access')
parser_privilegeEscalation.set_defaults(func=runPrivilegeEscalationModule,auditType='privesc')
#2.r- cve
parser_cve = subparsers.add_parser('cve',parents=[PPoptional,PPconnection,PPcve,PPoutput], formatter_class=mySubFormatterClass, help='to exploit a CVE')
parser_cve.set_defaults(func=runCVEXXXYYYModule,auditType='cve')
#2.s- search
parser_search = subparsers.add_parser('search',parents=[PPoptional,PPconnection,PPsearch,PPoutput], formatter_class=mySubFormatterClass, help='to search in databases, tables and columns')
parser_search.set_defaults(func=runSearchModule,auditType='search')
#2.t- PPunwrapper
parser_unwrapper = subparsers.add_parser('unwrapper',parents=[PPoptional,PPconnection,PPunwrapper,PPoutput], formatter_class=mySubFormatterClass, help='to unwrap PL/SQL source code (no for 9i version)')
parser_unwrapper.set_defaults(func=runUnwrapperModule,auditType='unwrapper')
#2.u- clean
parser_clean = subparsers.add_parser('clean',parents=[PPoptional,PPclean,PPoutput], formatter_class=mySubFormatterClass, help='clean traces and logs')
parser_clean.set_defaults(func=runClean,auditType='clean')
#3- parse the args
if ARGCOMPLETE_AVAILABLE == True : argcomplete.autocomplete(parser)
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
#4- Configure logging and output
configureLogging(args)
args['print'] = Output(args)
#5- define encoding
reload(sys)
sys.setdefaultencoding(args['encoding'])
#Start the good function
if args['auditType']=='unwrapper' or args['auditType']=='clean': pass
else:
if ipOrNameServerHasBeenGiven(args) == False : return EXIT_MISS_ARGUMENT
arguments.func(args)
exit(ALL_IS_OK)
def main():
#Parse Args
myFormatterClass = lambda prog: MyFormatter(prog, max_help_position=MAX_HELP_POSITION, width=MAX_HELP_WIDTH)
mySubFormatterClass = lambda prog: MyFormatter(prog, max_help_position=MAX_SUB_HELP_POSITION, width=MAX_HELP_WIDTH)
mySpecialSubFormatterClass = lambda prog: MyFormatter(prog, max_help_position=MAX_SPECIAL_SUB_HELP_POSITION, width=MAX_HELP_WIDTH)
parser = argparse.ArgumentParser(description=DESCRIPTION, formatter_class=myFormatterClass)
#1- Parent parsers
parser.add_argument('--version', action='version', version=CURRENT_VERSION)
#1.0- Parent parser: optional
PPoptional = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPoptional._optionals.title = "optional arguments"
PPoptional.add_argument('-v', dest='verbose', action='count', default=0, help='enable verbosity (-vv for more)')
PPoptional.add_argument('--sleep', dest='timeSleep', required=False, type=float, default=DEFAULT_TIME_SLEEP, help='time sleep between each test or request (default: %(default)s)')
PPoptional.add_argument('--encoding', dest='encoding', required=False, default=DEFAULT_ENCODING, help='output encoding (default: %(default)s)')
#1.1- Parent parser: connection options
PPconnection = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPconnection._optionals.title = "connection options"
PPconnection.add_argument('-s', dest='server', required=False, help='server')
PPconnection.add_argument('-p', dest='port', default=1521, type=int, required=False, help='port (Default 1521)')
PPconnection.add_argument('-U', dest='user', required=False, help='Oracle username')
PPconnection.add_argument('-P', dest='password', required=False, default=None, help='Oracle password')
PPconnection.add_argument('-d', dest='sid', required=False, help='Oracle System ID (SID)')
PPconnection.add_argument('-t', dest='tnsConnectionStringMode', action='store_true', default=False, help='connection with a TNS connection sting')
PPconnection.add_argument('--sysdba', dest='SYSDBA', action='store_true', default=False, help='connection as SYSDBA')
PPconnection.add_argument('--sysoper', dest='SYSOPER', action='store_true', default=False, help='connection as SYSOPER')
#1.2- Parent parser: output options
PPoutput = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPoutput._optionals.title = "output configurations"
PPoutput.add_argument('--no-color', dest='no-color', required=False, action='store_true', help='no color for output')
PPoutput.add_argument('--output-file',dest='outputFile',default=None,required=False,help='save results in this file')
#1.3- Parent parser: all option
PPallModule = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPallModule._optionals.title = "all module options"
PPallModule.add_argument('-C', dest='credentialsFile', action='store_true', required=False, default=False, help='use credentials stored in the --accounts-file file (disable -P and -U)')
PPallModule.add_argument('--no-tns-poisoning-check', dest='no-tns-poisoning-check', action='store_true', required=False, default=False, help="don't check if target is vulnreable to TNS poisoning")
#1.3bis- Parent parser: TNS cmd
PPTnsCmd = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPTnsCmd._optionals.title = "TNS cmd options"
PPTnsCmd.add_argument('--ping', dest='ping', action='store_true', required=False, default=False, help='send a TNS ping command to get alias')
PPTnsCmd.add_argument('--version', dest='version', action='store_true', required=False, default=False, help='send a TNS version command to try to get verion')
PPTnsCmd.add_argument('--status', dest='status', action='store_true', required=False, default=False, help='send a TNS status command to get the status')
#1.3tier- Parent parser: Tns poisoning
PPTnsPoison = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPTnsPoison._optionals.title = "TNS poisoning options"
PPTnsPoison.add_argument('--test-module',dest='test-module',action='store_true',help='test if the target is vulnerable (CVE-2012-1675)')
PPTnsPoison.add_argument('--poison', dest='poison', action='store_true', required=False, default=False, help='exploit the TNS poisonint attack')
PPTnsPoisonSub = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPTnsPoisonSub._optionals.title = "TNS poisoning sub options"
PPTnsPoisonSub.add_argument('--listening-port', dest='listening-port', default=DEFAULT_LOCAL_LISTENING_PORT_TNS_POISON, required=False, help='listening port for proxy (min: 1000, max: 9999, default: %(default)s)')
PPTnsPoisonSub.add_argument('--cstring', dest='cstring', default=None, required=False, help='connection string used by Oracle clients when SID>=9')
PPTnsPoisonSub.add_argument('--replace', dest='replace', nargs=2, metavar=('value','newvalue'), default=[None, None], help='replace a string in the communication established')
PPTnsPoisonSub.add_argument('--sleep-time', dest='sleeptime', default=10, required=False, help='sleep time between each TNS registration sent %(default)s)')
#1.3- Parent parser: SID Guesser
PPsidguesser = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPsidguesser._optionals.title = "SID guesser options"
PPsidguesser.add_argument('--sids-min-size',dest='sids-min-size',required=False, type=int, default=DEFAULT_SID_MIN_SIZE, help='minimum size of SIDs for the bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sids-max-size',dest='sids-max-size',required=False, type=int, default=DEFAULT_SID_MAX_SIZE, help='maximum size of SIDs for the bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sid-charset',dest='sid-charset',required=False, default=DEFAULT_SID_CHARSET, help='charset for the sid bruteforce (default: %(default)s)')
PPsidguesser.add_argument('--sids-file',dest='sids-file',required=False,metavar="FILE",default=DEFAULT_SID_FILE, help='file containing SIDs (default: %(default)s)')
PPsidguesser.add_argument('--no-alias-like-sid',dest='no-alias-like-sid',action='store_true',required=False, help='no try listener ALIAS like SIDs (default: %(default)s)')
#1.4- Parent parser: Password Guesser
PPpassguesser = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPpassguesser._optionals.title = "password guesser options"
PPpassguesser.add_argument('--accounts-file',dest='accounts-file',required=False,metavar="FILE",default=DEFAULT_ACCOUNT_FILE,help='file containing Oracle credentials (default: %(default)s)')
PPpassguesser.add_argument('--accounts-files',dest='accounts-files',required=False,nargs=2,metavar=('loginFile','pwdFile'),default=[None, None],help='files containing logins and passwords (default: %(default)s)')
PPpassguesser.add_argument('--login-as-pwd',dest='login-as-pwd',action='store_true',help='each login will be tested as password (lowercase & uppercase)')
PPpassguesser.add_argument('--force-retry',dest='force-retry',action='store_true',help='allow to test multiple passwords for a user without ask you')
#1.5- Parent parser: URL_HTTP
PPutlhttp = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPutlhttp._optionals.title = "http commands"
PPutlhttp.add_argument('--send',dest='send',default=None,required=False,nargs=3,metavar=('ip','port','namefile'),help='send the GET or POST request stored in namefile to ip:port')
PPutlhttp.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPutlhttp.add_argument('--save-reponse',dest='save-reponse',default=None,required=False,metavar='FILE',help='store the response server in this file')
PPutlhttp.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.5- Parent parser: HTTPURITYPE
PPhttpuritype = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPhttpuritype._optionals.title = "http commands"
PPhttpuritype.add_argument('--url',dest='httpUrl',default=None,required=False,help='send a http GET request')
PPhttpuritype.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPhttpuritype.add_argument('--save-reponse',dest='save-reponse',default=None,required=False,metavar='FILE',help='store the response server in this file')
PPhttpuritype.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.6- Parent parser: DBSMAdvisor
PPdbmsadvisor = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsadvisor._optionals.title = "DBMSAdvisor commands"
PPdbmsadvisor.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='put a file on the remote database server')
PPdbmsadvisor.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.7- Parent parser: DBSMScheduler
PPdbmsscheduler = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsscheduler._optionals.title = "DBMSScheduler commands"
PPdbmsscheduler.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system')
PPdbmsscheduler.add_argument('--reverse-shell',dest='reverse-shell',required=False,nargs=2,metavar=('ip','port'),help='get a reverse shell')
PPdbmsscheduler.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.8- Parent parser: Java
PPjava = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPjava._optionals.title = "java commands"
PPjava.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system')
PPjava.add_argument('--shell',dest='shell',action='store_true',required=False,help='get a shell on the remote system')
PPjava.add_argument('--reverse-shell',dest='reverse-shell',required=False,nargs=2,metavar=('ip','port'),help='get a reverse shell')
PPjava.add_argument('--create-file-CVE-2018-3004',dest='create-file-CVE-2018-3004',required=False,nargs=2,metavar=('data','filename'),help='create (or append to) a file with CVE-2018-3004 (Bypass built in Oracle JVM security)')
PPjava.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.9- Parent parser: Ctxsys
PPctxsys = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPctxsys._optionals.title = "ctxsys commands"
PPctxsys.add_argument('--getFile',dest='getFile',default=None,required=False,help='read a file on the remote server')
PPctxsys.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.10- Parent parser: Passwords
PPpasswords = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPpasswords._optionals.title = "passwords commands"
PPpasswords.add_argument('--get-passwords',dest='get-passwords',action='store_true',required=False,help='get Oracle hashed passwords (accounts can be locked or not)')
PPpasswords.add_argument('--get-passwords-not-locked',dest='get-passwords-not-locked',action='store_true',required=False,help='get Oracle hashed passwords when account is not locked')
PPpasswords.add_argument('--get-passwords-from-history',dest='get-passwords-from-history',action='store_true',required=False,help='get Oracle hashed passwords from history')
PPpasswords.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.11- Parent parser: dbmsxslprocessor
PPdbmsxslprocessor = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsxslprocessor._optionals.title = "DBMSXslprocessor commands"
PPdbmsxslprocessor.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='put a file on the remote database server')
PPdbmsxslprocessor.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.12- Parent parser: externalTable
PPexternaltable = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPexternaltable._optionals.title = "ExternalTable commands"
PPexternaltable.add_argument('--exec',dest='exec',default=None,required=False,nargs=2,metavar=('remotePath','file'),help='execute a system command on the remote system (options no allowed)')
PPexternaltable.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='get a file from the remote database server')
PPexternaltable.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.13- Parent parser: utlfile
PPutlfile = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPutlfile._optionals.title = "utlfile commands"
PPutlfile.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='get a file from the remote database server')
PPutlfile.add_argument('--putFile',dest='putFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='put a file to the remote database server')
PPutlfile.add_argument('--removeFile',dest='removeFile',default=None,required=False,nargs=2,metavar=('remotePath','remoteFile'),help='remove a file on the remote database server')
PPutlfile.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.14- Parent parser: UTL_TCP
PPutltcp = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPutltcp._optionals.title = "utltcp commands"
PPutltcp.add_argument('--send-packet',dest='send-packet',default=None,required=False,nargs=3,metavar=('ip','port','filename'),help='send a packet')
PPutltcp.add_argument('--scan-ports',dest='scan-ports',default=None,required=False,nargs=2,metavar=('ip','ports'),help='scan tcp ports of a remote engine')
PPutltcp.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.15- Parent parser: STEAL_REMOTE_PASSWORDS
PPstealRemotePass = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPstealRemotePass._optionals.title = "stealRemotePasswords commands"
PPstealRemotePass.add_argument('-s', dest='server', required=True, help='server')
PPstealRemotePass.add_argument('-p', dest='port', default=1521, required=False, help='port (Default 1521)')
PPstealRemotePass.add_argument('-d', dest='sid', required=False, help='Oracle System ID (SID)')
PPstealRemotePass.add_argument('-U', dest='user', required=False, help='Valid Oracle username')
PPstealRemotePass.add_argument('-P', dest='password', required=False, default=None, help='Valid Oracle password')
PPstealRemotePass.add_argument('--get-all-passwords',dest='get-all-passwords',action='store_true',default=None,required=False,help='get all hashed passwords thanks to the user/password list')
PPstealRemotePass.add_argument('--decrypt-sessions',dest='decrypt-sessions',nargs=2,metavar=('sessionFile','pwdFile'),default=None,required=False,help='decrypt sessions stored in a file')
PPstealRemotePass.add_argument('--user-list',dest='user-list',required=False,metavar="FILE",default=DEFAULT_ACCOUNT_FILE,help='file containing Oracle credentials (default: %(default)s)')
PPstealRemotePass.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.16- Parent parser: Oradbg
PPoradbg = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPoradbg._optionals.title = "oradbg commands"
PPoradbg.add_argument('--exec',dest='exec',default=None,required=False,help='execute a system command on the remote system (no args allowed)')
PPoradbg.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.12- Parent parser: DBMS_LOB
PPdbmsLob = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPdbmsLob._optionals.title = "DBMS_LOB commands (new)"
PPdbmsLob.add_argument('--getFile',dest='getFile',default=None,required=False,nargs=3,metavar=('remotePath','remoteFile','localFile'),help='get a file from the remote database server')
PPdbmsLob.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.17- Parent parser: usernamelikepassword
PPusernamelikepassword = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPusernamelikepassword._optionals.title = "usernamelikepassword commands"
PPusernamelikepassword.add_argument('--run',dest='run',action='store_true',required=True,help='try to connect using each Oracle username like the password')
PPusernamelikepassword.add_argument('--force-retry',dest='force-retry',action='store_true',help='allow to test multiple passwords for a user without ask you')
PPusernamelikepassword.add_argument('--additional-pwd',dest='additional-pwd',nargs='+',help='try these passwords for each user also (default: %(default)s)')
#1.18- Parent parser: smb
PPsmb = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPsmb._optionals.title = "smb commands"
PPsmb.add_argument('--capture',dest='captureSMBAuthentication',default=None,required=False,nargs=2,metavar=('local_ip','share_name'),help='capture the smb authentication')
PPsmb.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.19- Parent parser: PrivilegeEscalation
PPprivilegeEscalation0 = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPprivilegeEscalation0._optionals.title = "helpful privesc commands"
PPprivilegeEscalation0.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
PPprivilegeEscalation0.add_argument('--get-privs',dest='get-privs',action='store_true',help='get current privileges and roles')
PPprivilegeEscalation0.add_argument('--get-detailed-privs',dest='get-detailed-privs',action='store_true',help='get current privileges and roles + roles and privileges of roles granted')
PPprivilegeEscalation = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPprivilegeEscalation._optionals.title = "privesc commands for automatic exploitation"
PPprivilegeEscalation.add_argument('--dba-with-execute-any-procedure',dest='dba-with-execute-any-procedure',action='store_true',help='grant DBA role to current user with CREATE/EXECUTE ANY PROCEDURE method')
PPprivilegeEscalation.add_argument('--alter-pwd-with-create-any-procedure',dest='alter-pwd-with-create-any-procedure',nargs=2,metavar=('user','new-password'),default=None,required=False,help='alter password of any Oracle user with CREATE ANY PROCEDURE method')
PPprivilegeEscalation.add_argument('--dba-with-create-any-trigger',dest='dba-with-create-any-trigger',action='store_true',help='grant DBA role to current user with CREATE ANY TRIGGER method')
PPprivilegeEscalation.add_argument('--dba-with-analyze-any',dest='dba-with-analyze-any',action='store_true',help='grant DBA role to current user with ANALYZE ANY method')
PPprivilegeEscalation.add_argument('--dba-with-create-any-index',dest='dba-with-create-any-index',action='store_true',help='grant DBA role to current user with CREATE ANY INDEX method')
PPprivilegeEscalation.add_argument('--revoke-dba-role',dest='revoke-dba-role',action='store_true',help='revoke dba role from current user')
PPprivilegeEscalation2 = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPprivilegeEscalation2._optionals.title = "privesc commands for semi-manual exploitation"
PPprivilegeEscalation2.add_argument('--exec-with-execute-any-procedure',dest='exec-with-execute-any-procedure',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE/EXECUTE ANY PROCEDURE method')
PPprivilegeEscalation2.add_argument('--exec-with-create-any-procedure',dest='exec-with-create-any-procedure',nargs=1,metavar=('request'),help='execute this request as APEX_040200 with CREATE ANY PROCEDURE method')
PPprivilegeEscalation2.add_argument('--exec-with-create-any-trigger',dest='exec-with-create-any-trigger',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE ANY TRIGGER method')
PPprivilegeEscalation2.add_argument('--exec-with-analyze-any',dest='exec-with-analyze-any',nargs=1,metavar=('request'),help='execute this request as SYS with ANALYZE ANY method')
PPprivilegeEscalation2.add_argument('--exec-with-create-any-index',dest='exec-with-create-any-index',nargs=1,metavar=('request'),help='execute this request as SYS with CREATE ANY INDEX method')
#1.20- Parent parser: CVE_XXXX_YYYY
PPcve = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPcve._optionals.title = "cve commands"
PPcve.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
PPcve.add_argument('--set-pwd-2014-4237',dest='set-pwd-2014-4237',nargs=2,metavar=('username','password'),help="modify a Oracle user's password unsing CVE-2014-4237")
#1.21- Parent parser: search
PPsearch = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPsearch._optionals.title = "search commands"
PPsearch.add_argument('--column-names',dest='column-names',default=None,required=False,metavar='sqlPattern',help='search pattern in all collumns')
PPsearch.add_argument('--pwd-column-names',dest='pwd-column-names',action='store_true',help='search password patterns in all collumns')
PPsearch.add_argument('--desc-tables',dest='desc-tables',action='store_true',help='describe each table which is accessible')
PPsearch.add_argument('--show-empty-columns',dest='show-empty-columns',action='store_true',help='show columns even if columns are empty')
PPsearch.add_argument('--without-example',dest='without-example',action='store_true',help="don't get an example value when column matches")
PPsearch.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.22- Parent parser: unwrapper
PPunwrapper = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPunwrapper._optionals.title = "unwrapper commands"
PPunwrapper.add_argument('--object-name',dest='object-name',default=None,required=False,help='unwrap this object stored in the database')
PPunwrapper.add_argument('--object-type',dest='object-type',default=None,required=False, choices=["FUNCTION","JAVA SOURCE","PACKAGE","PACKAGE BODY","PROCEDURE","TRIGGER","TYPE","TYPE BODY"], help='define the object type')
PPunwrapper.add_argument('--file',dest='file',default=None,required=False,help='unwrap the source code stored in a file')
PPunwrapper.add_argument('--test-module',dest='test-module',action='store_true',help='test the module before use it')
#1.23- Parent parser: clean
PPclean = argparse.ArgumentParser(add_help=False,formatter_class=myFormatterClass)
PPclean._optionals.title = "clean commands"
PPclean.add_argument('--all',dest='all',action='store_true',required=True,help='clean all traces and logs stored locally')
#2- main commands
subparsers = parser.add_subparsers(help='\nChoose a main command')
#2.a- Run all modules
parser_all = subparsers.add_parser('all',parents=[PPoptional,PPconnection,PPallModule,PPoutput,PPsidguesser,PPpassguesser], formatter_class=mySubFormatterClass, help='to run all modules in order to know what it is possible to do')
parser_all.set_defaults(func=runAllModules,auditType='all')
#2.b- tnscmd
parser_tnscmd = subparsers.add_parser('tnscmd',parents=[PPoptional,PPconnection,PPTnsCmd,PPoutput], formatter_class=mySubFormatterClass, help='to communicate with the TNS listener')
parser_tnscmd.set_defaults(func=runTnsCmdModule,auditType='tnscmd')
#2.b- tnspoison
parser_tnspoison = subparsers.add_parser('tnspoison',parents=[PPoptional,PPconnection,PPTnsPoison,PPTnsPoisonSub, PPoutput], formatter_class=mySubFormatterClass, help='to exploit TNS poisoning attack')
parser_tnspoison.set_defaults(func=runTnsPoisonModule,auditType='tnspoison')
#2.b- SIDGuesser
parser_sidGuesser = subparsers.add_parser('sidguesser',parents=[PPoptional,PPconnection,PPsidguesser,PPoutput], formatter_class=mySubFormatterClass, help='to know valid SIDs')
parser_sidGuesser.set_defaults(func=runSIDGuesserModule,auditType='sidGuesser')
#2.c- PasswordGuesser
parser_passwordGuesser = subparsers.add_parser('passwordguesser',parents=[PPoptional,PPconnection,PPpassguesser,PPoutput], formatter_class=mySubFormatterClass, help='to know valid credentials')
parser_passwordGuesser.set_defaults(func=runPasswordGuesserModule,auditType='passwordGuesser')
#2.d- UTL_HTTP
parser_utlhttp = subparsers.add_parser('utlhttp',parents=[PPoptional,PPconnection,PPutlhttp,PPoutput], formatter_class=mySubFormatterClass, help='to send HTTP requests or to scan ports')
parser_utlhttp.set_defaults(func=runUtlHttpModule,auditType='utl_http')
#2.e- HTTPURITYPE
parser_httpuritype = subparsers.add_parser('httpuritype',parents=[PPoptional,PPconnection,PPhttpuritype,PPoutput], formatter_class=mySubFormatterClass, help='to send HTTP requests or to scan ports')
parser_httpuritype.set_defaults(func=runHttpUriTypeModule,auditType='httpuritype')
#2.e- UTL_TCP
parser_utltcp = subparsers.add_parser('utltcp',parents=[PPoptional,PPconnection,PPutltcp,PPoutput], formatter_class=mySubFormatterClass, help='to scan ports')
parser_utltcp.set_defaults(func=runUtlTcpModule,auditType='utltcp')
#2.f- CTXSYS
parser_ctxsys = subparsers.add_parser('ctxsys',parents=[PPoptional,PPconnection,PPctxsys,PPoutput], formatter_class=mySubFormatterClass, help='to read files')
parser_ctxsys.set_defaults(func=runCtxsysModule,auditType='ctxsys')
#2.g- EXTERNAL TABLE
parser_externaltable = subparsers.add_parser('externaltable',parents=[PPoptional,PPconnection,PPexternaltable,PPoutput], formatter_class=mySubFormatterClass, help='to read files or to execute system commands/scripts')
parser_externaltable.set_defaults(func=runExternalTableModule,auditType='externaltable')
#2.h- DBMS_XSLPROCESSOR
parser_dbmsxslprocessor = subparsers.add_parser('dbmsxslprocessor',parents=[PPoptional,PPconnection,PPdbmsxslprocessor,PPoutput], formatter_class=mySubFormatterClass, help='to upload files')
parser_dbmsxslprocessor.set_defaults(func=runDbmsXslprocessorModule,auditType='dbmsxslprocessor')
#2.i- DBMSADVISOR
parser_dbmsadvisor = subparsers.add_parser('dbmsadvisor',parents=[PPoptional,PPconnection,PPdbmsadvisor,PPoutput], formatter_class=mySubFormatterClass, help='to upload files')
parser_dbmsadvisor.set_defaults(func=runDbmsadvisorModule,auditType='dbmsadvisor')
#2.j- UTL_FILE
parser_utlfile = subparsers.add_parser('utlfile',parents=[PPoptional,PPconnection,PPutlfile,PPoutput], formatter_class=mySubFormatterClass, help='to download/upload/delete files')
parser_utlfile.set_defaults(func=runUtlFileModule,auditType='utlfile')
#2.k- DBMSSCHEDULER
parser_dbmsscheduler = subparsers.add_parser('dbmsscheduler',parents=[PPoptional,PPconnection,PPdbmsscheduler,PPoutput], formatter_class=mySubFormatterClass, help='to execute system commands without a standard output')
parser_dbmsscheduler.set_defaults(func=runDbmsSchedulerModule,auditType='dbmsscheduler')
#2.l- JAVA
parser_java = subparsers.add_parser('java',parents=[PPoptional,PPconnection,PPjava,PPoutput], formatter_class=mySubFormatterClass, help='to execute system commands')
parser_java.set_defaults(func=runjavaModule,auditType='java')
#2.m- Passwords
parser_passwords = subparsers.add_parser('passwordstealer',parents=[PPoptional,PPconnection,PPpasswords,PPoutput], formatter_class=mySubFormatterClass, help='to get hashed Oracle passwords')
parser_passwords.set_defaults(func=runPasswordsModule,auditType='passwords')
#2.n- Oradbg
parser_oradbg = subparsers.add_parser('oradbg',parents=[PPoptional,PPconnection,PPoradbg,PPoutput], formatter_class=mySubFormatterClass, help='to execute a bin or script')
parser_oradbg.set_defaults(func=runOradbgModule,auditType='oradbg')
#2.o- DBMS_LOB
parser_dbmslob = subparsers.add_parser('dbmslob',parents=[PPoptional,PPconnection,PPdbmsLob,PPoutput], formatter_class=mySubFormatterClass, help='to download files')
parser_dbmslob.set_defaults(func=runDbmsLob,auditType='dbmslob')
#2.o- steal Passwords (CVE-2012-313)
parser_passwords = subparsers.add_parser('stealremotepwds',parents=[PPoptional,PPstealRemotePass,PPoutput], formatter_class=mySubFormatterClass, help='to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)')
parser_passwords.set_defaults(func=runCVE20123137Module,auditType='passwords')
#2.p- username like password
parser_usernamelikepassword = subparsers.add_parser('userlikepwd',parents=[PPoptional,PPconnection,PPusernamelikepassword,PPoutput], formatter_class=mySubFormatterClass, help='to try each Oracle username stored in the DB like the corresponding pwd')
parser_usernamelikepassword.set_defaults(func=runUsernameLikePassword,auditType='usernamelikepassword')
#2.q- smb
parser_smb = subparsers.add_parser('smb',parents=[PPoptional,PPconnection,PPsmb,PPoutput], formatter_class=mySubFormatterClass, help='to capture the SMB authentication')
parser_smb.set_defaults(func=runSMBModule,auditType='smb')
#2.q- privilegeEscalation
parser_privilegeEscalation = subparsers.add_parser('privesc',parents=[PPoptional,PPconnection,PPprivilegeEscalation0, PPprivilegeEscalation,PPprivilegeEscalation2,PPoutput], formatter_class=mySpecialSubFormatterClass, help='to gain elevated access')
parser_privilegeEscalation.set_defaults(func=runPrivilegeEscalationModule,auditType='privesc')
#2.r- cve
parser_cve = subparsers.add_parser('cve',parents=[PPoptional,PPconnection,PPcve,PPoutput], formatter_class=mySubFormatterClass, help='to exploit a CVE')
parser_cve.set_defaults(func=runCVEXXXYYYModule,auditType='cve')
#2.s- search
parser_search = subparsers.add_parser('search',parents=[PPoptional,PPconnection,PPsearch,PPoutput], formatter_class=mySubFormatterClass, help='to search in databases, tables and columns')
parser_search.set_defaults(func=runSearchModule,auditType='search')
#2.t- PPunwrapper
parser_unwrapper = subparsers.add_parser('unwrapper',parents=[PPoptional,PPconnection,PPunwrapper,PPoutput], formatter_class=mySubFormatterClass, help='to unwrap PL/SQL source code (no for 9i version)')
parser_unwrapper.set_defaults(func=runUnwrapperModule,auditType='unwrapper')
#2.u- clean
parser_clean = subparsers.add_parser('clean',parents=[PPoptional,PPclean,PPoutput], formatter_class=mySubFormatterClass, help='clean traces and logs')
parser_clean.set_defaults(func=runClean,auditType='clean')
#3- parse the args
if ARGCOMPLETE_AVAILABLE == True : argcomplete.autocomplete(parser)
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
#4- Configure logging and output
configureLogging(args)
args['print'] = Output(args)
#5- define encoding
reload(sys)
sys.setdefaultencoding(args['encoding'])
#Start the good function
if args['auditType']=='unwrapper' or args['auditType']=='clean': pass
else:
if ipOrNameServerHasBeenGiven(args) == False : return EXIT_MISS_ARGUMENT
arguments.func(args)
exit(ALL_IS_OK)
def runAllModules(args):
'''
Run all modules
'''
connectionInformation, validDatabaseList = {}, []
status = ipOrNameServerHasBeenGiven(args)
if status == False: return EXIT_MISS_ARGUMENT
#A)REMOTE VERSION
###########mssqlInfo = MssqlInfo(args)
###########mssqlInfo.testAll()
if databaseHasBeenGiven(args):
validDatabaseList = [args['database']]
#B)ACCOUNT MANAGEMENT
if args['user'] == None and args['password'] == None:
for database in validDatabaseList:
args['print'].title("Searching valid accounts on the {0} database".format(database))
args['database'] = database
passwordGuesser = PasswordGuesser(args, usernamesFile=args['usernames-file'], passwordsFile=args['passwords-file'], accountsFile=args['accounts-file'])
status = passwordGuesser.searchValideAccounts()
if status == False: #Connection error during scan (perhaps host is unavailable now)
logging.error("Host is probably unavailable. Stopping for this host!")
return
validAccountsList = passwordGuesser.valideAccounts
if validAccountsList == {}:
args['print'].badNews("No found a valid account on {0}:{1}/{2}.".format(args['host'], args['port'], args['database']))
return
else :
args['print'].goodNews("Accounts found on {0}:{1}/{2}: {3}. All modules will be started with this (these) account(s)".format(args['host'], args['port'], args['database'],validAccountsList))
for aLogin, aPassword in validAccountsList.items():
if connectionInformation.has_key(database) == False: connectionInformation[database] = [[aLogin,aPassword]]
else : connectionInformation[database].append([aLogin,aPassword])
else :
validAccountsList = {args['user']:args['password']}
for database in validDatabaseList:
for aLogin, aPassword in validAccountsList.items():
if connectionInformation.has_key(database) == False: connectionInformation[database] = [[aLogin,aPassword]]
else : connectionInformation[database].append([aLogin,aPassword])
#C)ALL OTHERS MODULES
for aDatabase in connectionInformation.keys():
for loginAndPass in connectionInformation[aDatabase]:
args['database'] , args['user'], args['password'] = aDatabase, loginAndPass[0],loginAndPass[1]
args['print'].title("Testing the '{0}' database with the account {1}/{2}".format(database,args['user'], args['password']))
#C.0)Trustworthy module (Privilege escalation)
trustworthyPE = TrustworthyPE(args)
status = trustworthyPE.connect()
if isinstance(status,Exception):
args['print'].badNews("Impossible to connect to the remote database: {0}".format(str(status).replace('\n','')))
break
trustworthyPE.testAll()
#C.1)Passwordstealer
passwordstealer = Passwordstealer(args)
passwordstealer.testAll()
#C.2)xpcmdshell
xpcmdshell = Xpcmdshell(args)
xpcmdshell.testAll()
#C.3)Jobs
jobs = Jobs(args)
jobs.testAll()
#C.4) SMBAUthenticationCapture
smbAuthenticationCapture = SMBAuthenticationCapture(args,localIp="127.0.0.1", shareName=DEFAULT_SHARE_NAME)
smbAuthenticationCapture.testAll()
#C.5) OLEAutomation
oleAutomation = OleAutomation(args)
oleAutomation.testAll()
#C.6) BulkOpen
bulkOpen = BulkOpen(args)
bulkOpen.testAll()
#C.7) XpDirectory
PPxpdirectory = XpDirectory(args)
PPxpdirectory.testAll()
bulkOpen.closeConnection()
#usernamelikepassword
args['run'] = True
runUsernameLikePassword(args)
def main():
#Parse Args
parser = argparse.ArgumentParser(
description=DESCRIPTION, formatter_class=argparse.RawTextHelpFormatter)
#1- Parent parsers
parser.add_argument('--version', action='version', version=CURRENT_VERSION)
#1.0- Parent parser: optional
PPoptional = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPoptional._optionals.title = "optional arguments"
PPoptional.add_argument('-v',
dest='verbose',
action='count',
default=0,
help='enable verbosity (-vv for more)')
PPoptional.add_argument(
'--sleep',
dest='timeSleep',
required=False,
type=float,
default=DEFAULT_TIME_SLEEP,
help='time sleep between each test or request (default: %(default)s)')
PPoptional.add_argument('--encoding',
dest='encoding',
required=False,
default=DEFAULT_ENCODING,
help='output encoding (default: %(default)s)')
#1.1- Parent parser: connection options
PPconnection = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPconnection._optionals.title = "connection options"
PPconnection.add_argument('-s',
dest='server',
required=False,
help='server')
PPconnection.add_argument('-p',
dest='port',
default=1521,
required=False,
help='port (Default 1521)')
PPconnection.add_argument('-U',
dest='user',
required=False,
help='Oracle username')
PPconnection.add_argument('-P',
dest='password',
required=False,
default=None,
help='Oracle password')
PPconnection.add_argument('-d',
dest='sid',
required=False,
help='Oracle System ID (SID)')
PPconnection.add_argument('--sysdba',
dest='SYSDBA',
action='store_true',
default=False,
help='connection as SYSDBA')
PPconnection.add_argument('--sysoper',
dest='SYSOPER',
action='store_true',
default=False,
help='connection as SYSOPER')
#1.2- Parent parser: output options
PPoutput = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPoutput._optionals.title = "output configurations"
PPoutput.add_argument('--no-color',
dest='no-color',
required=False,
action='store_true',
help='no color for output')
PPoutput.add_argument('--output-file',
dest='outputFile',
default=None,
required=False,
help='save results in this file')
#1.3- Parent parser: all option
PPallModule = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPallModule._optionals.title = "all module options"
PPallModule.add_argument(
'-C',
dest='credentielsFile',
action='store_true',
required=False,
default=False,
help=
'use credentiels stored in the --accounts-file file (disable -P and -U)'
)
PPallModule.add_argument(
'--no-tns-poisoning-check',
dest='no-tns-poisoning-check',
action='store_true',
required=False,
default=False,
help="don't check if target is vulnreable to TNS poisoning")
#1.3- Parent parser: TNS cmd
PPTnsCmd = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPTnsCmd._optionals.title = "TNS cmd options"
PPTnsCmd.add_argument('--ping',
dest='ping',
action='store_true',
required=False,
default=False,
help='send a TNS ping command to get alias')
PPTnsCmd.add_argument(
'--version',
dest='version',
action='store_true',
required=False,
default=False,
help='send a TNS version command to try to get verion')
PPTnsCmd.add_argument('--status',
dest='status',
action='store_true',
required=False,
default=False,
help='send a TNS status command to get the status')
PPTnsCmd.add_argument(
'--tns-poisoning',
dest='checkTNSPoisoning',
action='store_true',
required=False,
default=False,
help='check if target is vulnerable to TNS Poisoning (CVE-2012-1675)')
#1.3- Parent parser: SID Guesser
PPsidguesser = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPsidguesser._optionals.title = "SID guesser options"
PPsidguesser.add_argument(
'--sids-max-size',
dest='sids-max-size',
required=False,
type=int,
default=DEFAULT_SID_MAX_SIZE,
help='maximum size of SIDs for the bruteforce (default: %(default)s)')
PPsidguesser.add_argument(
'--sid-charset',
dest='sid-charset',
required=False,
default=DEFAULT_SID_CHARSET,
help='charset for the sid bruteforce (default: %(default)s)')
PPsidguesser.add_argument(
'--sids-file',
dest='sids-file',
required=False,
metavar="FILE",
default=DEFAULT_SID_FILE,
help='file containing SIDs (default: %(default)s)')
PPsidguesser.add_argument(
'--no-alias-like-sid',
dest='no-alias-like-sid',
action='store_true',
required=False,
help='no try listener ALIAS like SIDs (default: %(default)s)')
#1.4- Parent parser: Password Guesser
PPpassguesser = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPpassguesser._optionals.title = "password guesser options"
PPpassguesser.add_argument(
'--accounts-file',
dest='accounts-file',
required=False,
metavar="FILE",
default=DEFAULT_ACCOUNT_FILE,
help='file containing Oracle credentials (default: %(default)s)')
PPpassguesser.add_argument(
'--force-retry',
dest='force-retry',
action='store_true',
help='allow to test multiple passwords for a user without ask you')
#1.5- Parent parser: URL_HTTP
PPutlhttp = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPutlhttp._optionals.title = "http commands"
PPutlhttp.add_argument(
'--send',
dest='send',
default=None,
required=False,
nargs=3,
metavar=('ip', 'port', 'namefile'),
help='send the GET or POST request stored in namefile to ip:port')
PPutlhttp.add_argument('--scan-ports',
dest='scan-ports',
default=None,
required=False,
nargs=2,
metavar=('ip', 'ports'),
help='scan tcp ports of a remote engine')
PPutlhttp.add_argument('--save-reponse',
dest='save-reponse',
default=None,
required=False,
metavar='FILE',
help='store the response server in this file')
PPutlhttp.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.5- Parent parser: HTTPURITYPE
PPhttpuritype = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPhttpuritype._optionals.title = "http commands"
PPhttpuritype.add_argument('--url',
dest='httpUrl',
default=None,
required=False,
help='send a http GET request')
PPhttpuritype.add_argument('--scan-ports',
dest='scan-ports',
default=None,
required=False,
nargs=2,
metavar=('ip', 'ports'),
help='scan tcp ports of a remote engine')
PPhttpuritype.add_argument('--save-reponse',
dest='save-reponse',
default=None,
required=False,
metavar='FILE',
help='store the response server in this file')
PPhttpuritype.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.6- Parent parser: DBSMAdvisor
PPdbmsadvisor = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPdbmsadvisor._optionals.title = "DBMSAdvisor commands"
PPdbmsadvisor.add_argument('--putFile',
dest='putFile',
default=None,
required=False,
nargs=3,
metavar=('remotePath', 'remoteNamefile',
'localFile'),
help='put a file on the remote database server')
PPdbmsadvisor.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.7- Parent parser: DBSMScheduler
PPdbmsscheduler = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPdbmsscheduler._optionals.title = "DBMSScheduler commands"
PPdbmsscheduler.add_argument(
'--exec',
dest='exec',
default=None,
required=False,
help='execute a system command on the remote system')
PPdbmsscheduler.add_argument('--reverse-shell',
dest='reverse-shell',
required=False,
nargs=2,
metavar=('ip', 'port'),
help='get a reverse shell')
PPdbmsscheduler.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.8- Parent parser: Java
PPjava = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPjava._optionals.title = "java commands"
PPjava.add_argument('--exec',
dest='exec',
default=None,
required=False,
help='execute a system command on the remote system')
PPjava.add_argument('--shell',
dest='shell',
action='store_true',
required=False,
help='get a shell on the remote system')
PPjava.add_argument('--reverse-shell',
dest='reverse-shell',
required=False,
nargs=2,
metavar=('ip', 'port'),
help='get a reverse shell')
PPjava.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.9- Parent parser: Ctxsys
PPctxsys = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPctxsys._optionals.title = "ctxsys commands"
PPctxsys.add_argument('--getFile',
dest='getFile',
default=None,
required=False,
help='read a file on the remote server')
PPctxsys.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.10- Parent parser: Passwords
PPpasswords = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPpasswords._optionals.title = "passwords commands"
PPpasswords.add_argument('--get-passwords',
dest='get-passwords',
action='store_true',
required=False,
help='get Oracle hashed passwords')
PPpasswords.add_argument('--get-passwords-from-history',
dest='get-passwords-from-history',
action='store_true',
required=False,
help='get Oracle hashed passwords from history')
PPpasswords.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.11- Parent parser: dbmsxslprocessor
PPdbmsxslprocessor = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPdbmsxslprocessor._optionals.title = "DBMSXslprocessor commands"
PPdbmsxslprocessor.add_argument(
'--putFile',
dest='putFile',
default=None,
required=False,
nargs=3,
metavar=('remotePath', 'remoteNamefile', 'localFile'),
help='put a file on the remote database server')
PPdbmsxslprocessor.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.12- Parent parser: externalTable
PPexternaltable = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPexternaltable._optionals.title = "ExternalTable commands"
PPexternaltable.add_argument(
'--exec',
dest='exec',
default=None,
required=False,
nargs=2,
metavar=('remotePath', 'file'),
help=
'execute a system command on the remote system (options no allowed)')
PPexternaltable.add_argument(
'--getFile',
dest='getFile',
default=None,
required=False,
nargs=3,
metavar=('remotePath', 'remoteNamefile', 'localFile'),
help='get a file from the remote database server')
PPexternaltable.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.13- Parent parser: utlfile
PPutlfile = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPutlfile._optionals.title = "utlfile commands"
PPutlfile.add_argument('--getFile',
dest='getFile',
default=None,
required=False,
nargs=3,
metavar=('remotePath', 'remoteNamefile',
'localFile'),
help='get a file from the remote database server')
PPutlfile.add_argument('--putFile',
dest='putFile',
default=None,
required=False,
nargs=3,
metavar=('remotePath', 'remoteNamefile',
'localFile'),
help='put a file to the remote database server')
PPutlfile.add_argument('--removeFile',
dest='removeFile',
default=None,
required=False,
nargs=2,
metavar=('remotePath', 'remoteNamefile'),
help='remove a file on the remote database server')
PPutlfile.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.14- Parent parser: UTL_TCP
PPutltcp = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPutltcp._optionals.title = "utltcp commands"
PPutltcp.add_argument('--send-packet',
dest='send-packet',
default=None,
required=False,
nargs=3,
metavar=('ip', 'port', 'filename'),
help='send a packet')
PPutltcp.add_argument('--scan-ports',
dest='scan-ports',
default=None,
required=False,
nargs=2,
metavar=('ip', 'ports'),
help='scan tcp ports of a remote engine')
PPutltcp.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.15- Parent parser: STEAL_REMOTE_PASSWORDS
PPstealRemotePass = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPstealRemotePass._optionals.title = "stealRemotePasswords commands"
PPstealRemotePass.add_argument('-s',
dest='server',
required=True,
help='server')
PPstealRemotePass.add_argument('-p',
dest='port',
default=1521,
required=False,
help='port (Default 1521)')
PPstealRemotePass.add_argument('-d',
dest='sid',
required=False,
help='Oracle System ID (SID)')
PPstealRemotePass.add_argument('-U',
dest='user',
required=False,
help='Valid Oracle username')
PPstealRemotePass.add_argument('-P',
dest='password',
required=False,
default=None,
help='Valid Oracle password')
PPstealRemotePass.add_argument(
'--get-all-passwords',
dest='get-all-passwords',
action='store_true',
default=None,
required=False,
help='get all hashed passwords thanks to the user/password list')
PPstealRemotePass.add_argument('--decrypt-sessions',
dest='decrypt-sessions',
nargs=2,
metavar=('sessionList.txt',
'passwordList.txt'),
default=None,
required=False,
help='decrypt sessions stored in a file')
PPstealRemotePass.add_argument(
'--user-list',
dest='user-list',
required=False,
metavar="FILE",
default=DEFAULT_ACCOUNT_FILE,
help='file containing Oracle credentials (default: %(default)s)')
PPstealRemotePass.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.16- Parent parser: Oradbg
PPoradbg = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPoradbg._optionals.title = "oradbg commands"
PPoradbg.add_argument(
'--exec',
dest='exec',
default=None,
required=False,
help='execute a system command on the remote system (no args allowed)')
PPoradbg.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.12- Parent parser: DBMS_LOB
PPdbmsLob = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPdbmsLob._optionals.title = "DBMS_LOB commands (new)"
PPdbmsLob.add_argument('--getFile',
dest='getFile',
default=None,
required=False,
nargs=3,
metavar=('remotePath', 'remoteNamefile',
'localFile'),
help='get a file from the remote database server')
PPdbmsLob.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.17- Parent parser: usernamelikepassword
PPusernamelikepassword = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPusernamelikepassword._optionals.title = "usernamelikepassword commands"
PPusernamelikepassword.add_argument(
'--run',
dest='run',
action='store_true',
required=True,
help='try to connect using each Oracle username like the password')
PPusernamelikepassword.add_argument(
'--force-retry',
dest='force-retry',
action='store_true',
help='allow to test multiple passwords for a user without ask you')
#1.18- Parent parser: smb
PPsmb = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPsmb._optionals.title = "smb commands"
PPsmb.add_argument('--capture',
dest='captureSMBAuthentication',
default=None,
required=False,
nargs=2,
metavar=('local_ip', 'share_name'),
help='capture the smb authentication')
PPsmb.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.19- Parent parser: search
PPsearch = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPsearch._optionals.title = "search commands"
PPsearch.add_argument('--column-names',
dest='column-names',
default=None,
required=False,
metavar='sqlPattern',
help='search pattern in all collumns')
PPsearch.add_argument('--pwd-column-names',
dest='pwd-column-names',
action='store_true',
help='search password patterns in all collumns')
PPsearch.add_argument('--show-empty-columns',
dest='show-empty-columns',
action='store_true',
help='show columns even if columns are empty')
PPsearch.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.20- Parent parser: unwrapper
PPunwrapper = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPunwrapper._optionals.title = "unwrapper commands"
PPunwrapper.add_argument('--object-name',
dest='object-name',
default=None,
required=False,
help='unwrap this object stored in the database')
PPunwrapper.add_argument('--file',
dest='file',
default=None,
required=False,
help='unwrap the source code stored in a file')
PPunwrapper.add_argument('--test-module',
dest='test-module',
action='store_true',
help='test the module before use it')
#1.21- Parent parser: clean
PPclean = argparse.ArgumentParser(
add_help=False,
formatter_class=lambda prog: argparse.HelpFormatter(
prog, max_help_position=MAX_HELP_POSITION))
PPclean._optionals.title = "clean commands"
PPclean.add_argument('--all',
dest='all',
action='store_true',
required=True,
help='clean all traces and logs stored locally')
#2- main commands
subparsers = parser.add_subparsers(help='\nChoose a main command')
#2.a- Run all modules
parser_all = subparsers.add_parser(
'all',
parents=[
PPoptional, PPconnection, PPallModule, PPoutput, PPsidguesser,
PPpassguesser
],
help='to run all modules in order to know what it is possible to do')
parser_all.set_defaults(func=runAllModules, auditType='all')
#2.b- tnscmd
parser_tnscmd = subparsers.add_parser(
'tnscmd',
parents=[PPoptional, PPconnection, PPTnsCmd, PPoutput],
help='to communicate with the TNS listener')
parser_tnscmd.set_defaults(func=runTnsCmdModule, auditType='tnscmd')
#2.b- SIDGuesser
parser_sidGuesser = subparsers.add_parser(
'sidguesser',
parents=[PPoptional, PPconnection, PPsidguesser, PPoutput],
help='to know valid SIDs')
parser_sidGuesser.set_defaults(func=runSIDGuesserModule,
auditType='sidGuesser')
#2.c- PasswordGuesser
parser_passwordGuesser = subparsers.add_parser(
'passwordguesser',
parents=[PPoptional, PPconnection, PPpassguesser, PPoutput],
help='to know valid credentials')
parser_passwordGuesser.set_defaults(func=runPasswordGuesserModule,
auditType='passwordGuesser')
#2.d- UTL_HTTP
parser_utlhttp = subparsers.add_parser(
'utlhttp',
parents=[PPoptional, PPconnection, PPutlhttp, PPoutput],
help='to send HTTP requests or to scan ports')
parser_utlhttp.set_defaults(func=runUtlHttpModule, auditType='utl_http')
#2.e- HTTPURITYPE
parser_httpuritype = subparsers.add_parser(
'httpuritype',
parents=[PPoptional, PPconnection, PPhttpuritype, PPoutput],
help='to send HTTP requests or to scan ports')
parser_httpuritype.set_defaults(func=runHttpUriTypeModule,
auditType='httpuritype')
#2.e- UTL_TCP
parser_utltcp = subparsers.add_parser(
'utltcp',
parents=[PPoptional, PPconnection, PPutltcp, PPoutput],
help='to scan ports')
parser_utltcp.set_defaults(func=runUtlTcpModule, auditType='utltcp')
#2.f- CTXSYS
parser_ctxsys = subparsers.add_parser(
'ctxsys',
parents=[PPoptional, PPconnection, PPctxsys, PPoutput],
help='to read files')
parser_ctxsys.set_defaults(func=runCtxsysModule, auditType='ctxsys')
#2.g- EXTERNAL TABLE
parser_externaltable = subparsers.add_parser(
'externaltable',
parents=[PPoptional, PPconnection, PPexternaltable, PPoutput],
help='to read files or to execute system commands/scripts')
parser_externaltable.set_defaults(func=runExternalTableModule,
auditType='externaltable')
#2.h- DBMS_XSLPROCESSOR
parser_dbmsxslprocessor = subparsers.add_parser(
'dbmsxslprocessor',
parents=[PPoptional, PPconnection, PPdbmsxslprocessor, PPoutput],
help='to upload files')
parser_dbmsxslprocessor.set_defaults(func=runDbmsXslprocessorModule,
auditType='dbmsxslprocessor')
#2.i- DBMSADVISOR
parser_dbmsadvisor = subparsers.add_parser(
'dbmsadvisor',
parents=[PPoptional, PPconnection, PPdbmsadvisor, PPoutput],
help='to upload files')
parser_dbmsadvisor.set_defaults(func=runDbmsadvisorModule,
auditType='dbmsadvisor')
#2.j- UTL_FILE
parser_utlfile = subparsers.add_parser(
'utlfile',
parents=[PPoptional, PPconnection, PPutlfile, PPoutput],
help='to download/upload/delete files')
parser_utlfile.set_defaults(func=runUtlFileModule, auditType='utlfile')
#2.k- DBMSSCHEDULER
parser_dbmsscheduler = subparsers.add_parser(
'dbmsscheduler',
parents=[PPoptional, PPconnection, PPdbmsscheduler, PPoutput],
help='to execute system commands without a standard output')
parser_dbmsscheduler.set_defaults(func=runDbmsSchedulerModule,
auditType='dbmsscheduler')
#2.l- JAVA
parser_java = subparsers.add_parser(
'java',
parents=[PPoptional, PPconnection, PPjava, PPoutput],
help='to execute system commands')
parser_java.set_defaults(func=runjavaModule, auditType='java')
#2.m- Passwords
parser_passwords = subparsers.add_parser(
'passwordstealer',
parents=[PPoptional, PPconnection, PPpasswords, PPoutput],
help='to get hashed Oracle passwords')
parser_passwords.set_defaults(func=runPasswordsModule,
auditType='passwords')
#2.n- Oradbg
parser_oradbg = subparsers.add_parser(
'oradbg',
parents=[PPoptional, PPconnection, PPoradbg, PPoutput],
help='to execute a bin or script')
parser_oradbg.set_defaults(func=runOradbgModule, auditType='oradbg')
#2.o- DBMS_LOB
parser_dbmslob = subparsers.add_parser(
'dbmslob',
parents=[PPoptional, PPconnection, PPdbmsLob, PPoutput],
help='to download files')
parser_dbmslob.set_defaults(func=runDbmsLob, auditType='dbmslob')
#2.o- steal Passwords (CVE-2012-313)
parser_passwords = subparsers.add_parser(
'stealremotepwds',
parents=[PPoptional, PPstealRemotePass, PPoutput],
help=
'to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)'
)
parser_passwords.set_defaults(func=runCVE20123137Module,
auditType='passwords')
#2.p- username like password
parser_usernamelikepassword = subparsers.add_parser(
'userlikepwd',
parents=[PPoptional, PPconnection, PPusernamelikepassword, PPoutput],
help=
'to try each Oracle username stored in the DB like the corresponding pwd'
)
parser_usernamelikepassword.set_defaults(func=runUsernameLikePassword,
auditType='usernamelikepassword')
#2.q- smb
parser_smb = subparsers.add_parser(
'smb',
parents=[PPoptional, PPconnection, PPsmb, PPoutput],
help='to capture the SMB authentication')
parser_smb.set_defaults(func=runSMBModule, auditType='smb')
#2.r- search
parser_search = subparsers.add_parser(
'search',
parents=[PPoptional, PPconnection, PPsearch, PPoutput],
help='to search in databases, tables and columns')
parser_search.set_defaults(func=runSearchModule, auditType='search')
#2.s- PPunwrapper
parser_unwrapper = subparsers.add_parser(
'unwrapper',
parents=[PPoptional, PPconnection, PPunwrapper, PPoutput],
help='to unwrap PL/SQL source code (no for 9i version)')
parser_unwrapper.set_defaults(func=runUnwrapperModule,
auditType='unwrapper')
#2.t- clean
parser_clean = subparsers.add_parser(
'clean',
parents=[PPoptional, PPclean, PPoutput],
help='clean traces and logs')
parser_clean.set_defaults(func=runClean, auditType='clean')
#3- parse the args
if ARGCOMPLETE_AVAILABLE == True: argcomplete.autocomplete(parser)
args = dict(parser.parse_args()._get_kwargs())
arguments = parser.parse_args()
#4- Configure logging and output
configureLogging(args)
args['print'] = Output(args)
#5- define encoding
reload(sys)
sys.setdefaultencoding(args['encoding'])
#Start the good function
if args['auditType'] == 'unwrapper' or args['auditType'] == 'clean': pass
else:
if ipOrNameServerHasBeenGiven(args) == False: return EXIT_MISS_ARGUMENT
arguments.func(args)
exit(ALL_IS_OK)
