def main():
    """Command-line entry point: parse options, then run each selected module.

    Options are read into a plain dict via ``vars(parse_args())``.  ``target``,
    ``port``, ``file_name``, ``mas`` and ``available`` are published as module
    globals.  ``host_up`` is called on the target before anything else is
    dispatched.

    When ``--port`` is not supplied, the branches fall back to these defaults:
    27017 (mongo), 5984 (couch), 6379 (redis), 9160 (cassandra), 8080 (hbase).

    Mismatches between the help text and the dispatch below:
    ``--enum`` also accepts ``cassandra`` and ``hbase``; ``--dict`` also accepts
    ``couch`` and ``redis``; ``--auth`` and ``--url`` are parsed but never read
    in this function.
    """
    global available
    global target, port  # Needed to modify global copy of globvar
    global user, passw
    global mas
    global file_name

    mas = False
    available = ['mongo', 'couch', 'redis']

    cli = argparse.ArgumentParser(description='Python Nosql Exploitation Framework')
    cli.add_argument('-ip', '--ip', help='Host to Scan', required=True)
    cli.add_argument('-port', '--port', help='Port', required=False)
    cli.add_argument('-scan', '--scan', help='Scan', required=False, action='store_true')
    # The remaining options are all optional string values; register them in
    # the same order as before so the generated --help output is unchanged.
    for flag, text in (
        ('enum', 'Enumerate DBs,Specify mongo,couch,redis'),
        ('dict', 'Dictionary Attack ==> mongo'),
        ('file', 'Dictionary file name'),
        ('clone', "Clone's DB"),
        ('sniff', "Sniff on Couch DB"),
        ('shodan', "Shodan Search Specify port number"),
        ('auth', "Authenticate -> username:password"),
        ('webapp', "Scan Web App"),
        ('url', "URL Name"),
        ('mass', "Mass Scanner"),
        ('filecheck', "System File Enumerator"),
    ):
        cli.add_argument('-' + flag, '--' + flag, help=text, required=False)

    args = vars(cli.parse_args())
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

    target = args['ip']
    port = args['port']
    url = args['webapp']
    file_name = args['file']
    host_up(target)

    # Mass mode needs both a supported backend name and an input file.
    if args['mass'] in available:
        if not args['file']:
            print(colored("[-] Plse specify File name \n", 'red'))
        else:
            mas = True
            mass_scan(args['mass'], args['file'])

    if args['webapp']:
        web_app_attack(url)
    if args['filecheck'] == 'redis':
        redis_file_enum()
    if args['scan']:
        scan_db(target)
    if args['shodan']:
        shodan_frame(args['shodan'])

    # --sniff and --clone each select at most one backend.
    sniff_choice = args['sniff']
    if sniff_choice == 'mongo':
        sniffmongo.sniff_mongo()
    elif sniff_choice == 'redis':
        sniffredis.sniff_redis()
    elif sniff_choice == 'couch':
        sniffcouch.sniff_couch()

    clone_choice = args['clone']
    if clone_choice == 'couch':
        clone_couch(target)
    elif clone_choice == 'redis':
        clone_redis(target)

    # --dict: fill in the backend's default port, then hand over the word list.
    dict_choice = args['dict']
    if dict_choice == "mongo":
        if not port:
            port = 27017
        file_name = args['file']
        brute_mongo(file_name, target, port)
    elif dict_choice == "couch":
        if not port:
            port = 5984
        file_name = args['file']
        brute_couch(file_name, target, port)
    elif dict_choice == "redis":
        if not port:
            port = 6379
        file_name = args['file']
        brute_redis(file_name, target, port)

    # --enum: one branch per backend.
    enum_choice = args['enum']
    if enum_choice == 'mongo':
        if not port:
            port = 27017
        mongo_web_scan(target)
        try:
            # The client is opened on the literal 27017; the `port` resolved
            # above is not passed to it.
            conn = pymongo.MongoClient(target, 27017)
            mongo_enum(conn)
        except:
            # Bare except kept as in the original: any failure, not only a
            # refused connection, ends up reported as "port closed".
            print(colored("[-] MongoDB port closed. \n", 'red'))
    elif enum_choice == 'couch':
        couch = couch_conn(target)
        couch_enum(couch)
    elif enum_choice == 'redis':
        if not port:
            port = 6379
        r_server = redis_conn(target, port)
        redis_enum(r_server)
    elif enum_choice == 'cassandra':
        if not port:
            port = 9160
        cassa_enum()
    elif enum_choice == 'hbase':
        if not port:
            port = 8080
        hbase_enum(port)
def Config(args):
    """Copy parsed options into module globals and dispatch the selected modules.

    ``args`` is indexed like a dict keyed by option name.  Keys read here:
    ip, port, webapp, enum, file, screen, auth, authall, mass, db, c, dump,
    post, limit, write, scan, dict, param, exhaust, remotecheck, filecheck,
    shodan, sniff, clone.

    Everything after the initial assignments runs inside one ``try`` whose only
    handler is ``KeyboardInterrupt`` (prints a message and exits with status 0).
    Any other exception not caught by an inner handler propagates to the caller.

    Default ports applied when none was supplied: 27017 (mongo), 5984 (couch),
    6379 (redis), 9160 (cassandra), 8080 (hbase).

    NOTE(review): this listing was whitespace-collapsed, so block nesting below
    is reconstructed from the statement order; the spots where the nesting is
    genuinely ambiguous are marked inline. Confirm against the original file.
    """
    global available
    global target,port # Needed to modify global copy of globvar
    global user,passw
    global mas
    global file_name
    global db_select
    global column_select
    global post_status
    global creds
    global dump
    global specify_params
    global paramcheck
    global select
    global db
    global limit
    global conn
    # user, passw and file_name are declared global above but never assigned in
    # this function.
    mas=False
    paramcheck=[]
    specify_params=[]
    available=['mongo','couch','redis']
    post_status=False
    target = args['ip']
    port = args['port']
    url=args['webapp']
    seldb=args['enum']
    filename=args['file']
    try:
        # Checks whether Host is up
        if args['ip']:
            utils.host_up(target)
        # Credentials and other per-run settings; a missing option becomes
        # False (or 'admin' for db, 0 for limit).
        # `screen` is only referenced by a commented-out call further down.
        screen=args['screen'] if args['screen'] else False
        creds=args['auth'] if args['auth'] else False
        authall=args['authall'] if args['authall'] else False
        mass=args['mass'] if args['mass'] else False
        db=args['db'] if args['db'] else 'admin'
        column_select=args['c'] if args['c'] else False
        dump=True if args['dump'] else False
        post_status=True if args['post'] else False
        # int() on a non-numeric value raises ValueError, which is not handled
        # by the KeyboardInterrupt-only handler at the end of this function.
        limit=int(args['limit']) if args['limit'] else 0
        write=args['write'] if args['write'] else False
        #Scan for General DB Targets
        if args['scan']:
            utils.scan_target(target)
        #Web Attacks
        ## This argument is not working correctly - Need to fix - th3r3p0
        #if args['url']:
        #    seldb=args['webapp'] if args['webapp'] else False
        #    if seldb == 'mongo':
        #        filename=['payload/js_inject.txt','payload/js_time']
        #Dictionary Attacks
        if args['dict']:
            seldb=args['dict']
            if args['file']:
                if seldb=='mongo':
                    # Defaults are applied only when neither a port nor a db
                    # was given; with a db but no port, `port` keeps the
                    # (falsy) value taken from args['port'].
                    if args['port'] or args['db']:
                        pass
                    else:
                        port=27017
                        db='admin'
                    #mongoattacks.mongo_web_interface(target,port,creds,screen)
                    mongoattacks.dict_mongo(filename,target,port,db)
                elif seldb=='couch':
                    if args['port']:
                        pass
                    else:
                        port=5984
                    couchattacks.dict_couch(filename,target,port)
                elif seldb=='redis':
                    if args['port']:
                        pass
                    else:
                        port=6379
                    redisattacks.dict_redis(filename,target,port)
                # An unrecognised --dict value falls through silently here.
            else:
                print colored("[-] Specify File Name",'red')
        #Enumeration Check
        if args['enum']:
            seldb=args['enum']
            if seldb=='mongo':
                if port:
                    pass
                else:
                    port = 27017
                #mongo_web_scan(target)
                try:
                    # `conn` is a module global (declared above), so the
                    # connection object outlives this call.
                    conn = mongoattacks.mongo_conn(target,port,mass)
                    mongoattacks.mongo_enum(conn,creds,authall,db,column_select,dump,limit,write)
                except Exception as e:
                    print colored(e,'red')
            elif seldb=='couch':
                if port:
                    pass
                else:
                    port = 5984
                try:
                    #print post_status
                    # 'admin' is the placeholder set when no --db was given;
                    # for this backend it is turned into False before the call.
                    if db=='admin':
                        db=False
                    couch=couchattacks.couch_conn(target,port)
                    couchattacks.couch_enum(couch,target,port,creds,db,column_select,post_status)
                except Exception as e:
                    print str(e)
                    print colored("[-] Enumeration Failed \n",'red')
            elif seldb=='redis':
                if port:
                    pass
                else:
                    port = 6379
                try:
                    r_server=redisattacks.redis_conn(target,port)
                    redisattacks.redis_enum(r_server,creds)
                except Exception as e:
                    print colored(e,'red')
            elif seldb == 'cassandra':
                if port:
                    pass
                else:
                    port = 9160
                # NOTE(review): the collapsed listing does not show whether this
                # reset sits inside the `else` above or at branch level - confirm.
                # It clears the global `creds`, which the --filecheck branch
                # below passes on.
                creds=False
                if db=='admin':
                    db=False
                # No try/except around this call, unlike the three branches above.
                cassattacks.cassa_enum(target,port,db,dump)
            elif seldb == 'hbase':
                if port:
                    pass
                else:
                    port = 8080
                hbaseattacks.hbase_enum(port)
            else:
                print colored("[-] No Support for the Specified DB",'red')
        # Mass Scan Settings
        if args['mass'] in available :
            select=args['mass']
            if args['file']:
                mas=True
                # NOTE(review): mass_scan is called unqualified, while the other
                # helpers here go through a module prefix - confirm it is in scope.
                mass_scan(args['mass'],args['file'])
            else:
                print colored("[-] Plse specify File name \n",'red')
        #Database Select (Currently available for Mongo,Couch)
        if args['db']:
            db_select = args['db']
            column_select = args['c']
        else:
            db_select=""
        # post_status was already set from the truthiness of args['post'] above,
        # so this check cannot change its value.
        if args['post'] == 'enable':
            post_status=True
        if args['param']:
            paramcheck=args['param']
            specify_params=paramcheck.split(',')
        else:
            specify_params=""
            # NOTE(review): ambiguous in the collapsed listing - if this line is
            # really at the outer level it overwrites the split list above with
            # the raw string. Confirm against the original file.
            specify_params=args['param']
        # Scans for WebAPP Attacks
        if args['webapp']:
            webattacks.nosqlweb.attack(url)
        #Redis DOS (2.6+)
        if args['exhaust']:
            if port:
                pass
            else:
                port=6379
            redisattacks.redis_exhaust(target,port)
        #Redis RCE Check
        if args['remotecheck']:
            if port:
                pass
            else:
                port=6379
            redisattacks.redis_rce(target,port)
        #Redis File Enumeration Check
        if args['filecheck']:
            # The --filecheck value itself is used as the file name argument.
            filename=args['filecheck']
            if port:
                pass
            else:
                port=6379
            redisattacks.redis_file_enum(filename,target,port,creds)
        #Shodan IP Grabber
        if args['shodan']:
            utils.shodan_frame(args['shodan'])
        #Sniffing Module
        if args['sniff']=='mongo':
            sniffmongo.sniff_mongo()
        if args['sniff']=='redis':
            sniffredis.sniff_redis()
        if args['sniff']=='couch':
            sniffcouch.sniff_couch()
        #Clone Database Currently Available for Mongo,Couch and Redis
        # (only the couch and redis values are handled below)
        if args['clone'] == 'couch':
            couchattacks.clone_couch(target)
        if args['clone'] == 'redis':
            redisattacks.clone_redis(target)
    except KeyboardInterrupt:
        print colored("[-] Cntrl+C Shutting Down",'red')
        sys.exit(0)
def main():
    """Parse the command line and call the helper for every option that is set.

    The parsed namespace is converted to a dict.  ``target``, ``port``,
    ``file_name``, ``mas`` and ``available`` are stored as module globals.
    ``host_up(target)`` runs before any other helper.

    Fallback ports used when ``--port`` is absent: 27017 (mongo), 5984 (couch),
    6379 (redis), 9160 (cassandra), 8080 (hbase).

    The help strings understate what is dispatched: ``--enum`` also handles
    ``cassandra`` and ``hbase``, and ``--dict`` also handles ``couch`` and
    ``redis``.  ``--auth`` and ``--url`` are accepted but not read here.
    """
    global available
    global target, port  # Needed to modify global copy of globvar
    global user, passw
    global mas
    global file_name

    mas = False
    available = ['mongo', 'couch', 'redis']

    option_parser = argparse.ArgumentParser(
        description='Python Nosql Exploitation Framework',
    )
    add = option_parser.add_argument
    add('-ip', '--ip', required=True, help='Host to Scan')
    add('-port', '--port', required=False, help='Port')
    add('-scan', '--scan', required=False, action='store_true', help='Scan')
    add('-enum', '--enum', required=False,
        help='Enumerate DBs,Specify mongo,couch,redis')
    add('-dict', '--dict', required=False, help='Dictionary Attack ==> mongo')
    add('-file', '--file', required=False, help='Dictionary file name')
    add('-clone', '--clone', required=False, help="Clone's DB")
    add('-sniff', '--sniff', required=False, help="Sniff on Couch DB")
    add('-shodan', '--shodan', required=False,
        help="Shodan Search Specify port number")
    add('-auth', '--auth', required=False,
        help="Authenticate -> username:password")
    add('-webapp', '--webapp', required=False, help="Scan Web App")
    add('-url', '--url', required=False, help="URL Name")
    add('-mass', '--mass', required=False, help="Mass Scanner")
    add('-filecheck', '--filecheck', required=False,
        help="System File Enumerator")

    args = vars(option_parser.parse_args())
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

    target = args['ip']
    port = args['port']
    url = args['webapp']
    file_name = args['file']
    host_up(target)

    # Mass mode: backend must be one of `available`, and a file is mandatory.
    if args['mass'] in available:
        if args['file']:
            mas = True
            mass_scan(args['mass'], args['file'])
        else:
            print(colored("[-] Plse specify File name \n", 'red'))

    if args['webapp']:
        web_app_attack(url)
    if args['filecheck'] == 'redis':
        redis_file_enum()
    if args['scan']:
        scan_db(target)
    if args['shodan']:
        shodan_frame(args['shodan'])

    # Sniffers take no arguments; the option value only picks the backend.
    if args['sniff'] == 'mongo':
        sniffmongo.sniff_mongo()
    if args['sniff'] == 'redis':
        sniffredis.sniff_redis()
    if args['sniff'] == 'couch':
        sniffcouch.sniff_couch()

    if args['clone'] == 'couch':
        clone_couch(target)
    if args['clone'] == 'redis':
        clone_redis(target)

    # Word-list mode: resolve the port default, then pass the file through.
    if args['dict'] == "mongo":
        port = port or 27017
        file_name = args['file']
        brute_mongo(file_name, target, port)
    elif args['dict'] == "couch":
        port = port or 5984
        file_name = args['file']
        brute_couch(file_name, target, port)
    elif args['dict'] == "redis":
        port = port or 6379
        file_name = args['file']
        brute_redis(file_name, target, port)

    # Enumeration mode, one independent check per backend.
    if args['enum'] == 'mongo':
        port = port or 27017
        mongo_web_scan(target)
        try:
            # Connects to the fixed port 27017; `port` is not used for this call.
            conn = pymongo.MongoClient(target, 27017)
            mongo_enum(conn)
        except:
            # Catch-all preserved from the original, so every error raised in
            # the try body is shown as a closed port.
            print(colored("[-] MongoDB port closed. \n", 'red'))
    if args['enum'] == 'couch':
        couch = couch_conn(target)
        couch_enum(couch)
    if args['enum'] == 'redis':
        port = port or 6379
        r_server = redis_conn(target, port)
        redis_enum(r_server)
    if args['enum'] == 'cassandra':
        port = port or 9160
        cassa_enum()
    if args['enum'] == 'hbase':
        port = port or 8080
        hbase_enum(port)