
Exploit for Oracle E-Business Suite - Blind SSRF (CVE-2018-3167)

Description:

Oracle E-Business Suite, Application Management Pack component (User Monitoring subcomponent), is susceptible to blind server-side request forgery (SSRF). An attacker with network access via HTTP can gain read access to a subset of data, connect to internal services such as HTTP-enabled databases, or issue POST requests to internal services that are not intended to be exposed. Affected supported versions are 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, and 12.2.7.

Nuclei Template

View the template here: CVE-2018-3167.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2018/CVE-2018-3167.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-3167
https://medium.com/@x41x41x41/unauthenticated-ssrf-in-oracle-ebs-765bd789a145
http://www.securitytracker.com/id/1041897
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://web.archive.org/web/20211206102649/https://securitytracker.com/id/1041897