Today I want to show you is, how do I find the Oracle Responsys cloud service system in a local file inclusion vulnerabilities LFI Airport. Due to the current commercial sales, network storage and social relationships companies are using the Oracle Responsys cloud solution, so that the vulnerability of several well-known companies service impact, these companies including Facebook, Linkedin, Dropbox, etc. ! Responsys: the original is a leading enterprise B2C cloud marketing software provider, the company mainly to the business offering online advertising marketing software that helps enterprises through e-mail, website, mobile devices, social networking and display advertising to marketing and communication. 2013 12 on 21 December, Oracle announced to spend 15 billion $ acquisitions, later becoming Oracle Responsys is. Responsys further integration extends the Oracle Commerce cloud, sales cloud, service cloud, social cloud and marketing cloud, and many other customer relationship cloud services. Responsys provides enterprise-level B2C business service model, when the company use the Responsys cloud service solutions for system erection after Responsys for each client company with other companies of different“private IP”to access and use its own cloud service system. Vulnerability discovery This somewhat unmotivated to move, I often in the mailbox received a Facebook to some of my developer mail, these messages some are sent from the domain of em. facebookmail. com mailbox, 就好比我邮箱中经常有一些来自fbdev@em.facebookmail.com的邮件 this caught my attention. Vulnerability discovery thinking makes me think the domain name em. facebookmail. com might be a little mean, so after some DIG, I found the name and Facebook of the”Responsys”cloud-related services, while in before other penetration testing scenario I had to”Responsys”. ! From the above figure shows, the Responsys for Facebook provides based on the domain name em. facebookmail. com mail service. 而我在fbdev@em.facebookmail.com发给我的邮件中也发现了Responsys邮件服务的原始链接 to: http://em.facebookmail.com/pub/cc?ri=X0Gzc2X%3DWQpglLjHJlYQGkSIGbc52zaRY0i6zgzdzc6jpzcASTGzdzeRfAzbzgJyH0zfzbLVXtpKX%3DSRTRYRSY&ei=EolaGGF4SNMvxFF7KucKuWNhjeSKbKRshlvv55xsq7eoplyqtaispeszfmjxpax8ommhftpoyuvvmgn-WhyT6yBDeImov65NsCKxmYwyOL0. The parameter “ri=”is the role of the link generate a valid request. After some testing I found that the Facebook system here does not properly handle secondary URL encoding, you can in the”ri=”before the link is added using any of the correct query parameter values, for example, I can join on the password query“%252fetc%252fpasswd”command, and can successfully perform: http://em.facebookmail.com/pub/sf/%252fetc%252fpasswd?ri=X0Gzc2X%3DYQpglLjHJlYQGrzdLoyD13pHoGgHNjCWGRBIk4d6Uw74cgmmfaDIiK4za7bf4aUdgSVXMtX%3DYQpglLjHJlYQGnnlO8Rp71zfzabzewzgLczg7Ulwbazahw8uszbNYzeazdMjhDzcmJizdNFCXgn&ei=Ep0e16vSBKEscHnsTNRZT2jxEz5WyG1Wpm_ovau-aJZRZ_wzYDw97ETX_iSmseE Generally speaking, this via directory traversal characters to inject and get to the target server-related information of the practice, are due to code and System Architecture review and filter caused by improper. Extrapolate Soon, I also realized that the vulnerability should be not only on Facebook, probably also on those that use Responsys to provide private cloud services the company formed security threats. Google search a bit, you can find a lot of company websites are the presence of the vulnerability: ! Exploit the vulnerability by constructing a effective ri request parameters, you can directly get to the target companies of some internal server information, such as Linkedin: ! This local file contains（LFI）vulnerabilities caused by the impact of small to the information leaked to the server is the attack control, are likely to occur. And from that Responsys architecture of the LFI vulnerability point of view, with respect to the more serious, because it will be a lot of use Responsys service company cause data security risks. In the end, I chose a timely manner to the Oracle Corporation reported this vulnerability, a week after the vulnerability you get the Oracle aspect of effective repair solution. !