orr-enum0.1a.py
#!/usr/bin/python
#Main prototype
#Author: Liam Romanis
import cx_Oracle
import sys, getopt, os
from array import *
import re
import time
import enumsids, enumusers, getHashes
def help():
    """Print the command-line usage text and exit with status 2.

    The name shadows the builtin ``help``; it is kept because opts() calls it
    under this name.
    """
    usage_lines = (
        'orr_enum.py -i <target ip> -p <port> ',
        "Target IP: Target Host by IP",
        "Port: TCP Port Number of the TNS Listener",
    )
    for text in usage_lines:
        print(text)
    sys.exit(2)
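def opts(argv):
    """Parse ``-i/--ip`` and ``-p/--port`` from *argv*.

    Args:
        argv: argument list without the program name (``sys.argv[1:]``).

    Returns:
        ``(myip, myport)`` as strings; each is ``''`` when not supplied.
        Values are passed through unvalidated.

    Exits:
        Status 2 via help() for ``-h`` or ``--help``; status 1 after printing
        the usage line when getopt rejects the arguments.  ``sys.exit`` is used
        rather than ``os._exit`` so the usage text is flushed before leaving.
    """
    usage = 'orr_enum.py -i <target ip> -p <port> '
    myip = ''
    myport = ''
    try:
        parsed, _rest = getopt.getopt(argv, 'i:p:h', ['ip=', 'port=', 'help'])
    except getopt.GetoptError:
        print(usage)
        sys.exit(1)
    for opt, arg in parsed:
        # '--help' is declared as a long option, so it must map to help() too;
        # previously it fell through to the error branch.  help() never returns.
        if opt in ('-h', '--help'):
            help()
        elif opt in ('-i', '--ip'):
            myip = arg
        elif opt in ('-p', '--port'):
            myport = arg
        else:
            # Unreachable with getopt's declared option set; kept defensively.
            print(usage)
            sys.exit(1)
    return myip, myport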
def snmp_enum(myip):
    """Collect Oracle SIDs from a host's SNMP running-process table.

    Community strings are read one per line from ``dict.txt`` in the current
    directory (a missing file raises ``IOError`` — that open is outside the
    try).  For each community an SNMPv2 walk of ``1.3.6.1.2.1.25.4.2.1.4``
    (HOST-RESOURCES-MIB hrSWRunPath) is attempted; every process path that
    contains ``q000`` is split on ``_`` and its first piece is taken as the SID.

    Args:
        myip: host to query.

    Returns:
        list of upper-cased SID strings in discovery order, duplicates kept.
        Any exception raised while creating the session or walking the table is
        swallowed by the bare ``except`` and the next community is tried, so an
        unreachable host yields ``[]``.
    """
    print("Querying SNMP for SIDs")
    from easysnmp import Session

    with open('dict.txt', "r") as handle:
        communities = [entry.replace("\n", "") for entry in handle]

    found = []
    for comm in communities:
        try:
            session = Session(hostname=myip, community=comm, version=2)
            for item in session.walk('1.3.6.1.2.1.25.4.2.1.4'):
                path = '{value}'.format(value=item.value)
                if 'q000' not in path:
                    continue
                # Requires exactly three '_'-separated pieces; anything else
                # raises ValueError, which the bare except below swallows.
                sid, _middle, _tail = re.split('_', path)
                print("SID:%s" % sid.upper())
                found.append(sid.upper())
        except:
            pass
    print(len(found))
    return found
def IsDBA(myip, myport, mysid, correct, DBA):
    """Try ``set role dba`` for each ``user:password`` entry in *correct*.

    Args:
        myip, myport, mysid: host, listener port and SID used for the DSN.
        correct: iterable of ``"user:password"`` strings; both halves are
            upper-cased before connecting.  An entry without exactly one ``:``
            raises ``ValueError`` (not caught here).
        DBA: list mutated in place; accounts are appended to it.

    Returns:
        *DBA* when the loop runs to completion, or ``None`` when it stops early
        (see below).  Callers should keep their own reference to the list.

    Control flow, preserved exactly from the original:
      * ORA-01924 or ORA-01017 prints a message and returns at once, so the
        remaining accounts are not tested.
      * Any other ``DatabaseError`` is reported as "is DBA" and the account is
        appended; a connection where ``set role dba`` raises nothing is not.
    """
    for account in correct:
        uid, passwd = re.split(':', account)
        try:
            dsn = cx_Oracle.makedsn(myip, myport, mysid)
            con = cx_Oracle.connect(user=uid.upper(), password=passwd.upper(), dsn=dsn)
            print(con.version)
            cursor = con.cursor()
            cursor.execute("set role dba")
            con.close()
        except cx_Oracle.DatabaseError as exc:
            (error,) = exc.args
            if error.code == 1924:
                print("role 'DBA' not granted or does not exist")
                return
            if error.code == 1017:
                print("User: %s is NOT DBA" % uid)
                return
            print("User: %s is DBA - !GAME OVER!.... almost" % uid)
            DBA.append(account)
    return DBA
def getprivs(myip, myport, mysid, right):
    """Print the session privileges and roles visible to one ``user:password`` login.

    Args:
        myip, myport, mysid: host, listener port and SID used for the DSN.
        right: ``"user:password"``; both halves are upper-cased for the login.
            An entry without exactly one ``:`` raises ``ValueError``.

    Returns:
        ``None``; all output goes to stdout.

    Rows of ``SESSION_PRIVS`` whose text contains ``ANY`` are flagged as a
    potential privilege-escalation vector.  ORA-00904 is reported as "no roles
    assigned"; any other ``DatabaseError`` is ignored.  Note that the roles loop
    reads from ``mycur`` (the cursor already iterated above) rather than from
    ``mycur2``, which ran the ``SESSION_ROLES`` query — kept as in the original.
    """
    marker = "ANY"
    uid, passwd = re.split(':', right)
    print("Enumerating Privs for USER: %s.\n" % uid)
    try:
        dsn = cx_Oracle.makedsn(myip, myport, mysid)
        con = cx_Oracle.connect(user=uid.upper(), password=passwd.upper(), dsn=dsn)
        print(con.version)
        mycur = con.cursor()
        print("SESSION_PRIVS:")
        mycur.execute("select privilege from SESSION_PRIVS")
        for row in mycur:
            if marker in str(row):
                print("%s - Potential Priviliege Escalation Vector!" % row)
            else:
                print("%s" % row)
        mycur2 = con.cursor()
        print("SESSION_ROLES:")
        mycur2.execute("select privilege from SESSION_ROLES")
        for row in mycur:  # deliberately mycur, not mycur2, to match the original
            print(row)
        con.close()
    except cx_Oracle.DatabaseError as exc:
        (error,) = exc.args
        if error.code == 904:
            print("No roles assigned to User: %s" % uid)
if __name__ == "__main__":
    # Entry point: parse the target, discover SIDs, then for every SID
    # enumerate accounts, test them for the DBA role and list their
    # privileges.  enumsids / enumusers are sibling modules not shown here.
    myip, myport= opts(sys.argv[1:])
    mysids = []
    snmpsids = []
    success = []   # never used
    correct = []
    DBA = []       # appended to in place by IsDBA()
    isdba = []     # assigned below but never read
    print "Enumerating Common SIDs"
    retsid = []    # never used
    mysids = enumsids.startenum(myip, myport)
    if len(mysids) < 1:
        # SNMP fallback runs only when the common-SID pass found nothing.
        snmpsids = snmp_enum(myip)
        # NOTE(review): this reports len(mysids), which is 0 on this path;
        # len(snmpsids) looks like what was intended.
        print "Number of SIDs identified from SNMP: %s\n" % len(mysids)
        for sid in snmpsids:
            if not sid in mysids:
                mysids.append(sid)
    if len(mysids) > 0:
        for sid in mysids:
            print "\nEnumerating Users in Database Instance %s\n" % sid
            correct = enumusers.enumstart(myip,myport,sid)
            if len(correct) > 0:
                print "\nThe following valid username and password combinations were detected\n"
                for right in correct:
                    print "%s." % right
            else:
                # NOTE(review): os._exit(1) ends the whole run here, so any
                # remaining SIDs are skipped and buffered stdout is not flushed.
                os._exit(1)
            # "\T" is not an escape sequence, so the backslash is printed literally.
            print "\Testing if accounts are DBA\n"
            # IsDBA() returns None when it stops early; DBA itself is the
            # list that is filled in.
            isdba = IsDBA(myip,myport,sid,correct,DBA)
            # if len(DBA) > 0:
            # right = DBA[0]
            # print "\nEnumerating Identified Users' Privileges as DBA\n"
            # getprivs(myip,myport,sid,right)
            # else:
            print "\nEnumerating Identified Users' Privileges using account privileges\n"
            for right in correct:
                getprivs(myip,myport,sid,right)
    else:
        print "No SIDs identified - BOO!\n"