diff --git a/lib/core/common.py b/lib/core/common.py
index 3836c49c1..05b53119f 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -663,7 +663,8 @@ def setPaths():
 paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
 paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
 paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
- paths.WORDLIST_TXT = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.txt")
+ paths.ORACLE_DEFAULT_PASSWD = os.path.join(paths.SQLMAP_TXT_PATH, "oracle-default-passwords.txt")
+ paths.WORDLIST = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.txt")
 paths.PHPIDS_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml")
 paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
 paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
@@ -1607,10 +1608,13 @@ def logHTTPTraffic(requestLogMsg, responseLogMsg):
 kb.locks.reqLock.release()
 def getPublicTypeMembers(type_):
+ """
+ Useful for getting members from types (e.g. in enums)
+ """
 retVal = []
 for name, value in getmembers(type_):
 if not name.startswith('__'):
 retVal.append((name, value))
- return retVal
\ No newline at end of file
+ return retVal
diff --git a/lib/core/enums.py b/lib/core/enums.py
index 215be6f36..5bd79f7e5 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -50,6 +50,6 @@ class HASH:
 MSSQL = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{40}\Z'
 MSSQL_OLD = r'(?i)\A0x0100[0-9a-f]{8}[0-9a-f]{80}\Z'
 ORACLE = r'(?i)\As:[0-9a-f]{60}\Z'
- ORACLE_OLD = r'(?i)\A[0-9a-f]{16}\Z'
+ ORACLE_OLD = r'(?i)\A[01-9a-f]{16}\Z'
 MD5_GENERIC = r'(?i)\A[0-9a-f]{32}\Z'
 SHA1_GENERIC = r'(?i)\A[0-9a-f]{40}\Z'
diff --git a/lib/utils/hash.py b/lib/utils/hash.py
index 68c5735a9..b15d81b0c 100644
--- a/lib/utils/hash.py
+++ b/lib/utils/hash.py
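Review bot: The docstring added to getPublicTypeMembers says what the function is useful for rather than what it returns; replace it with the contract: `Return (name, value) pairs for every attribute of type_ reported by getmembers() whose name does not start with '__', in getmembers() order.` getmembers is presumably inspect.getmembers, which sorts by name, and that ordering matters to callers that stop at the first match, as dictionaryAttack in this commit does. The body can be the single comprehension `return [(name, value) for name, value in getmembers(type_) if not name.startswith('__')]`.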
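Review bot: The new character class `[01-9a-f]` in HASH.ORACLE_OLD matches exactly the same characters as the old `[0-9a-f]` (the digit 0, the range 1-9, then a-f), so this change has no effect. The regex therefore still cannot distinguish a 16-hex-digit ORACLE_OLD value from a MYSQL_OLD one; only the kb.dbms-based skips added to dictionaryAttack in this commit tell them apart. Either revert to `ORACLE_OLD = r'(?i)\A[0-9a-f]{16}\Z'` or, if a narrower class was intended, write that class and add `# same shape as MYSQL_OLD; disambiguated by kb.dbms in lib/utils/hash.py` so the next reader does not try to fix it in the regex again.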
@@ -16,6 +16,7 @@ from zipfile import ZipFile
 from extra.pydes.pyDes import des
 from extra.pydes.pyDes import CBC
+from lib.core.common import checkFile
 from lib.core.common import conf
 from lib.core.common import dataToStdout
 from lib.core.common import getFileItems
@@ -191,11 +192,23 @@ def dictionaryAttack():
 hash_ = hash_.split()[0]
- for _, regex in getPublicTypeMembers(HASH):
- if re.match(regex, hash_):
+ for name, regex in getPublicTypeMembers(HASH):
+ if kb.dbms == DBMS.ORACLE and regex == HASH.MYSQL_OLD:
+ continue
+ elif kb.dbms == DBMS.MYSQL and regex == HASH.ORACLE_OLD:
+ continue
+ elif re.match(regex, hash_):
 rehash = regex
+ infoMsg = "using hash method: '%s'" % name
+ logger.info(infoMsg)
 break
+ if rehash:
+ break
+
+ if rehash:
+ break
+
 if rehash:
 for (user, hashes) in kb.data.cachedUsersPasswords.items():
 for hash_ in hashes:
@@ -207,7 +220,7 @@ def dictionaryAttack():
 if re.match(rehash, hash_):
 hash_ = hash_.lower()
- if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC) and kb.dbms != DBMS.ORACLE:
+ if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
 attack_info.append([(user, hash_), {}])
 elif rehash in (HASH.ORACLE_OLD, HASH.POSTGRES):
 attack_info.append([(user, hash_), {'username': user}])
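Review bot: Three stacked `if rehash: break` statements now unwind the loop nest once a hash method matches, with the per-DBMS exclusions inlined in the innermost loop; that is hard to follow and fragile when the nesting changes. Move the search into a helper that returns the first matching (name, regex) or None, so the caller assigns rehash once and each enclosing loop keeps a single guard. Note also that when kb.dbms is neither DBMS.ORACLE nor DBMS.MYSQL a 16-hex-digit hash is always classified as MYSQL_OLD, because getPublicTypeMembers yields members in getmembers() name order and MYSQL_OLD sorts before ORACLE_OLD; the skip branches deserve a comment saying so. dictionaryAttack starts before this hunk and the enclosing loops are not visible here.
```python
def _findHashMethod(hash_):
    """Return the (name, regex) HASH member that matches hash_, or None.

    MYSQL_OLD and ORACLE_OLD have the same 16-hex-digit shape, so the
    fingerprinted DBMS decides between them; with any other DBMS the
    first match in name order (MYSQL_OLD) wins.
    """
    for name, regex in getPublicTypeMembers(HASH):
        if kb.dbms == DBMS.ORACLE and regex == HASH.MYSQL_OLD:
            continue
        if kb.dbms == DBMS.MYSQL and regex == HASH.ORACLE_OLD:
            continue
        if re.match(regex, hash_):
            return name, regex
    return None

# … in dictionaryAttack, replacing the for/if/break ladder after `hash_ = hash_.split()[0]` …
found = _findHashMethod(hash_)
if found:
    name, rehash = found
    logger.info("using hash method: '%s'" % name)
# … enclosing loops: one `if rehash: break` each …
```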
@@ -216,16 +229,26 @@ def dictionaryAttack():
 elif rehash in (HASH.MSSQL, HASH.MSSQL_OLD):
 attack_info.append([(user, hash_), {'salt': hash_[6:14]}])
- infoMsg = "loading dictionary from: '%s'" % paths.WORDLIST_TXT
+ if rehash == HASH.ORACLE_OLD: #it's the slowest of all methods hence smaller default dict
+ message = "what's the dictionary's location? [%s]" % paths.ORACLE_DEFAULT_PASSWD
+ dictpath = readInput(message, default=paths.ORACLE_DEFAULT_PASSWD)
+
+ else:
+ message = "what's the dictionary's location? [%s]" % paths.WORDLIST
+ dictpath = readInput(message, default=paths.WORDLIST)
+
+ checkFile(dictpath)
+
+ infoMsg = "loading dictionary from: '%s'" % dictpath
 logger.info(infoMsg)
- wordlist = getFileItems(paths.WORDLIST_TXT, None, False)
+ wordlist = getFileItems(dictpath, None, False)
 infoMsg = "running dictionary attack"
 logger.info(infoMsg)
 length = len(wordlist)
- if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC) and kb.dbms != DBMS.ORACLE:
+ if rehash in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
 count = 0
 for word in wordlist:
 count += 1
@@ -233,7 +256,7 @@ def dictionaryAttack():
 for item in attack_info:
 ((user, hash_), _) = item
- if count % 1117 == 0 or count == length:
+ if count % 1117 == 0 or count == length or rehash in (HASH.ORACLE_OLD):
 status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%')
 dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status), True)
@@ -242,6 +265,7 @@ def dictionaryAttack():
 #dataToStdout("\r[%s] [INFO] found: %s:%s\n" % (time.strftime("%X"), user, word), True)
 attack_info.remove(item)
+ dataToStdout("\n", True)
 else:
 for ((user, hash_), kwargs) in attack_info:
 count = 0
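Review bot: The two branches that choose the dictionary differ only in the default path, so the prompt text and the readInput call are duplicated; fold them into `default = paths.ORACLE_DEFAULT_PASSWD if rehash == HASH.ORACLE_OLD else paths.WORDLIST`, `message = "what's the dictionary's location? [%s]" % default` and `dictpath = readInput(message, default=default)`. The trailing `#it's the slowest of all methods hence smaller default dict` should become a comment above the assignment, e.g. `# ORACLE_OLD is the slowest method, so default to the short list of known default passwords`. dictpath comes from the prompt and goes straight to getFileItems after checkFile(dictpath); whether checkFile raises or merely logs on a missing or unreadable file is not visible here, and if it only logs, the getFileItems call needs its own handling. dictionaryAttack starts before this hunk.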
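Review bot: `rehash in (HASH.ORACLE_OLD)` is a substring test, not a membership test: the parentheses do not build a tuple, so this is `rehash in HASH.ORACLE_OLD` and is true whenever rehash is a substring of that regex string. It happens to work because a string is a substring of itself, but the intent reads as `rehash == HASH.ORACLE_OLD` (or `rehash in (HASH.ORACLE_OLD,)`); the same expression appears in the @@ -249 hunk of this file. The condition also deserves a why-comment, since it forces the progress line on every word for ORACLE_OLD: `# ORACLE_OLD is slow enough that per-word progress is worth the output`.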
@@ -249,8 +273,8 @@ def dictionaryAttack():
 current = __functions__[rehash](password = word, uppercase = False, **kwargs)
 count += 1
- if count % 1117 == 0 or count == length:
- status = '%d/%d words (%d%s)' % (count, length, round(100.0*count/length), '%')
+ if count % 1117 == 0 or count == length or rehash in (HASH.ORACLE_OLD):
+ status = '%d/%d words (%d%s) (user: %s)' % (count, length, round(100.0*count/length), '%', user)
 dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status), True)
 if hash_ == current:
@@ -258,9 +282,13 @@ def dictionaryAttack():
 #dataToStdout("\r[%s] [INFO] found: %s:%s\n" % (time.strftime("%X"), user, word), True)
 break
- dataToStdout("\n", True)
+ dataToStdout("\n", True)
+ blank = " "
 for (user, hash_, password) in results:
 for i in xrange(len(kb.data.cachedUsersPasswords[user])):
 if kb.data.cachedUsersPasswords[user][i] and hash_.lower() in kb.data.cachedUsersPasswords[user][i].lower():
 kb.data.cachedUsersPasswords[user][i] += "%s%spassword: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', blank, password)
+ else:
+ errMsg = "hash format unrecognized"
+ logger.error(errMsg)
diff --git a/txt/oracle-default-passwords.txt b/txt/oracle-default-passwords.txt
new file mode 100644
index 000000000..ea7449bc6
--- /dev/null
+++ b/txt/oracle-default-passwords.txt
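Review bot: The new `errMsg = "hash format unrecognized"` gives the operator nothing to act on; include the DBMS the decision was made against, e.g. `errMsg = "hash format unrecognized for dbms '%s'" % kb.dbms`, since the DBMS-based exclusions earlier in the function can be the reason no HASH member matched. Which `if` this `else:` pairs with is outside the hunk; it appears to be the `if rehash:` guard that starts before the @@ -207 hunk, so the branch should be read as "no hash method was detected" and the message could say that instead of "format".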
@@ -0,0 +1,487 @@
+06071992
+0racl3
+0racl38
+0racl38i
+0racl39
+0racl39i
+0racle
+0racle8
+0racle8i
+0racle9
+0racle9i
+199220706
+abm
+adgangskode
+adldemo
+admin
+administrator
+ahl
+ahm
+airoplane
+ak
+akf7d98s2
+alr
+ams
+amv
+anonymous
+ap
+applmgr
+applsys
+applsyspub
+apppassword
+apps
+aq
+aqdemo
+aqjava
+aquser
+ar
+asf
+asg
+asl
+aso
+asp
+ast
+audiouser
+ax
+az
+bar
+bc4j
+ben
+bic
+bil
+bim
+bis
+biv
+bix
+blewis
+bom
+brio_admin
+bsc
+bug_reports
+catalog
+cct
+cdemo82
+cdemo83
+cdemocor
+cdemorid
+cdemoucb
+cdouglas
+ce
+centra
+central
+change_on_install
+cids
+cis
+cisinfo
+clave
+clerk
+cloth
+cn
+company
+compiere
+crp
+cs
+csc
+csd
+cse
+csf
+csi
+csl
+csmig
+csp
+csr
+css
+ctxdemo
+ctxsys
+cua
+cue
+cuf
+cug
+cui
+cun
+cup
+cus
+cz
+d_syspw
+d_systpw
+dbsnmp
+dbvision
+demo
+demo8
+demo9
+des
+des2k
+dev2000_demos
+dip
+discoverer_admin
+dmsys
+dpfpass
+dsgateway
+dssys
+dtsp
+eaa
+eam
+east
+ec
+ecx
+ejb
+ejsadmin
+ejsadmin_password
+emp
+eng
+eni
+estore
+event
+evm
+example
+exfsys
+extdemo
+extdemo2
+fa
+fem
+fii
+finance
+finprod
+flm
+fnd
+fndpub
+fpt
+frm
+fte
+fv
+gl
+gma
+gmd
+gme
+gmf
+gmi
+gml
+gmp
+gms
+gpfd
+gpld
+gr
+hades
+hcpark
+hlw
+hobbes
+hr
+hri
+hvst
+hxc
+hxt
+iba
+ibe
+ibp
+ibu
+iby
+icdbown
+icx
+idemo_user
+ieb
+iec
+iem
+ieo
+ies
+ieu
+iex
+ifssys
+igc
+igf
+igi
+igs
+igw
+imageuser
+imc
+imedia
+imt
+instance
+inv
+invalid
+invalid password
+ipa
+ipd
+iplanet
+isc
+itg
+ja
+je
+jetspeed
+jg
+jl
+jmuser
+john
+jtf
+jtm
+jts
+kwalker
+l2ldemo
+laskjdf098ksdaf09
+lbacsys
+manag3r
+manager
+manprod
+mddata
+mddemo
+mddemo_mgr
+mdsys
+me
+mfg
+mgr
+mgwuser
+migrate
+miller
+mmo2
+mmo3
+moreau
+mot_de_passe
+mrp
+msc
+msd
+mso
+msr
+mt6ch5
+mtrpw
+mts_password
+mtssys
+mumblefratz
+mwa
+mxagent
+names
+neotix_sys
+nneulpass
+oas_public
+ocitest
+ocm_db_admin
+odm
+ods
+ods_server
+odscommon
+oe
+oem_temp
+oemadm
+oemrep
+okb
+okc
+oke
+oki
+oko
+okr
+oks
+okx
+olapdba
+olapsvr
+olapsys
+ont
+oo
+openspirit
+opi
+oracache
+oracl3
+oracle
+oracle8
+oracle8i
+oracle9
+oracle9i
+oradbapass
+oraprobe
+oraregsys
+orasso
+orasso_ds
+orasso_pa
+orasso_ps
+orasso_public
+orastat
+ordcommon
+ordplugins
+ordsys
+osm
+osp22
+ota
+outln
+owa
+owa_public
+owf_mgr
+owner
+ozf
+ozp
+ozs
+pa
+panama
+paper
+parol
+passwd
+passwo1
+passwo2
+passwo3
+passwo4
+password
+patrol
+paul
+perfstat
+perstat
+pjm
+planning
+plex
+pm
+pmi
+pn
+po
+po7
+po8
+poa
+pom
+portal30
+portal30_admin
+portal30_demo
+portal30_ps
+portal30_public
+portal30_sso
+portal30_sso_admin
+portal30_sso_ps
+portal30_sso_public
+portal31
+portal_demo
+portal_sso_ps
+pos
+powercartuser
+primary
+psa
+psb
+psp
+pub
+pubsub
+pubsub1
+pv
+qa
+qdba
+qp
+qs
+qs_adm
+qs_cb
+qs_cbadm
+qs_cs
+qs_es
+qs_os
+qs_ws
+re
+rep_owner
+repadmin
+reports
+rg
+rhx
+rla
+rlm
+rmail
+rman
+rrs
+sample
+sampleatm
+sap
+sapr3
+sdos_icsap
+secdemo
+senha
+serviceconsumer1
+sh
+shelves
+si_informtn_schema
+siteminder
+slidepw
+snowman
+spierson
+ssp
+starter
+steel
+strat_passwd
+supersecret
+support
+swordfish
+swpro
+swuser
+sympa
+sys
+sys_stnt
+sysadm
+sysadmin
+sysman
+syspass
+system
+systempass
+tahiti
+tdos_icsap
+tectec
+test
+test_user
+testpilot
+thinsamplepw
+tibco
+tiger
+tigger
+tip37
+trace
+travel
+tsdev
+tsuser
+turbine
+ultimate
+um_admin
+um_client
+unknown
+user
+user0
+user1
+user2
+user3
+user4
+user5
+user6
+user7
+user8
+user9
+utility
+utlestat
+vea
+veh
+vertex_login
+videouser
+vif_dev_pwd
+viruser
+vrr1
+vrr2
+webcal01
+webdb
+webread
+welcome
+west
+wfadmin
+wh
+wip
+wk_test
+wkadmin
+wkproxy
+wksys
+wkuser
+wms
+wmsys
+wob
+wood
+wps
+wsh
+wsm
+www
+wwwuser
+xademo
+xdp
+xla
+xnc
+xni
+xnm
+xnp
+xns
+xprt
+xtr
+xxx
+yes
+your_pass
+zwerg