Ginger is an open source security assessment tool that helps in assessing the security of a given Pentaho BA application instance.
Please keep in mind that this project is still a work in progress, and not all features might be present or work as intended.
Ginger has only one mandatory parameter, the URL of the target Pentaho installation:
user@host:~$ python gynger.py http://localhost:8080/pentahoNote: do not include a trailing slash (/)
Doing that will start Ginger in Anonymous mode, with limited funcionality. If valid credentials are known, those should be provided:
user@host:~$ python gynger.py http://localhost:8080/pentaho -u admin -p passwordWhen Ginger establishes a connection with Pentaho BA, it will prompt and wait for commands.
The complete list of available commands can be seen by typing help.
| Command | Reference |
|---|---|
| api | try to list available API calls, even as Anonymous user |
| dbs | list all connected db credentials |
| files | list all available files in repository |
| usernames | list all valid usernames |
| userroles | list all valid usernames and valid roles |
| shell | upload a reverse shell |
| version | show Pentaho Version |
Ginger comes with absolutely NO WARRANTY, and shall not be used at any system where prior approval has not been granted. Use at your own risk.