OdooMap is a reconnaissance, enumeration, and security testing tool for Odoo applications.
- Detect Odoo version and metadata
- Enumerate databases and accessible models
- Authenticate and check CRUD permissions
- Extract data from specific models
- Brute-force login credentials & Master password
- Brute-force internal model names
ℹ️ It is advisable to use `pipx` over `pip` for system-wide installations.
```bash
git clone https://github.com/MohamedKarrab/odoomap.git && cd odoomap
pipx ensurepath && pipx install .
# Now restart your terminal and run
odoomap -h
```

Or
```bash
git clone https://github.com/MohamedKarrab/odoomap.git
cd odoomap
pip install -r requirements.txt
python odoomap.py -h
```

Usage examples (flag meanings follow the help output further down):

```bash
# Unauthenticated reconnaissance only: version, metadata and exposed databases
odoomap -u https://example.com

# Authenticate, enumerate up to 200 accessible models and save the list to a file
odoomap -u https://example.com -D database_name -U admin -P pass -e -l 200 -o models.txt

# Enumerate models and check CRUD permissions of the authenticated user (-pe, as in the help; limit 10)
odoomap -u https://example.com -D database_name -U test@example.com -P pass -e -pe -l 10

# Dump data from a comma-separated list of models into a single output file
odoomap -u https://example.com -D database_name -U admin -P pass -d res.users,res.partner -o ./output.txt

# Dump data from every model named in models.txt (one per line) into a directory
odoomap -u https://example.com -D database_name -U admin -P pass -d models.txt -o ./dump

# Brute-force login against the given database with the built-in defaults
odoomap -u https://example.com -D database_name -b

# Brute-force login with separate username and password files
odoomap -u https://example.com -D database_name -b --usernames users.txt --passwords passes.txt

# Brute-force login with a single user:pass wordlist
odoomap -u https://example.com -D database_name -b -w wordlist.txt

# Brute-force the database master password using a password list
odoomap -u https://example.com -M -p pass_list.txt

# Bruteforce model names from a file instead of listing them
odoomap -u https://example.com -D database_name -U admin -P pass -e -B --model-file models.txt

# Full run: recon, model enumeration, permission checks (-pe) and a dump of res.users
odoomap -u https://example.com -D database_name -U admin -P pass -r -e -pe -d res.users -o ./output
```

```text
usage: odoomap [-h] -u URL [-D DATABASE] [-U USERNAME] [-P PASSWORD] [-r] [-e] [-pe] [-l LIMIT] [-o OUTPUT] [-d DUMP] [-B]
               [--model-file MODEL_FILE] [-b] [-w WORDLIST] [--usernames USERNAMES] [--passwords PASSWORDS] [-M] [-p MASTER_PASS]

Odoo Security Assessment Tool

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target Odoo server URL
  -D, --database DATABASE
                        Target database name
  -U, --username USERNAME
                        Username for authentication
  -P, --password PASSWORD
                        Password for authentication
  -r, --recon           Perform initial reconnaissance
  -e, --enumerate       Enumerate model names
  -pe, --permissions    Enumerate model permissions (requires -e)
  -l, --limit LIMIT     Limit for enumeration or dump operations
  -o, --output OUTPUT   Output file/directory for results
  -d, --dump DUMP       Dump data from specified model(s). Can be comma-separated list or a file path containing model names (one per line)
  -B, --bruteforce-models
                        Bruteforce models instead of listing them (Happens by default if listing fails)
  --model-file MODEL_FILE
                        File containing model names for bruteforcing (one per line)
  -b, --bruteforce      Bruteforce login (requires -D)
  -w, --wordlist WORDLIST
                        Wordlist file for bruteforce in user:pass format (optional)
  --usernames USERNAMES
                        File containing usernames for bruteforce (one per line)
  --passwords PASSWORDS
                        File containing passwords for bruteforce (one per line)
  -M, --bruteforce-master
                        Bruteforce the database's master password
  -p, --master-pass MASTER_PASS
                        Wordlist file for master password bruteforce (one password per line)
```
Apache License 2.0, see LICENSE
OdooMap is an independent project and is not affiliated with, endorsed by, or sponsored by Odoo S.A. or the official Odoo project in any way.
This tool is for lawful security and penetration testing with proper authorization. Unauthorized use is strictly prohibited. The author assumes no liability for any misuse or damage resulting from the use of this tool.
Feel free to open issues or submit pull requests for enhancements or bug fixes!
