This module exploits a Server-Side Request Forgery (SSRF) via the getUiType parameter of the /OA_HTML/configurator/UiServlet endpoint in Oracle E-Business Suite to deploy an agent. First, the module registers an endpoint on the local web server; during the attack, this endpoint serves the target an XSL file that executes system commands to deploy the agent. Then, it retrieves a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints. Finally, it combines the SSRF vulnerability with a Carriage Return/Line Feed (CRLF) injection to smuggle a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint, which triggers an HTTP GET request to the local web server, which in turn delivers the XSL file that deploys the agent. The deployed agent runs with the privileges of the oracle user account.
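For defenders, the request sequence described above can be looked for in the web tier's access log. The following is an added example, not part of the module or of any Oracle code; it assumes an Apache-style combined log format, and the sample lines, addresses and HTTP methods are constructed.

```python
import re
from urllib.parse import unquote

# Assumed log layout: Apache/OHS "combined" access log.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+)[^"]*" \d{3}')
# Endpoints named in the description above.
TOKEN_PATHS = {"/OA_HTML/runforms.jsp", "/OA_HTML/JavaScriptServlet"}
SSRF_PATH = "/OA_HTML/configurator/UiServlet"
# The smuggled request keeps the literal "help/.." segment in its path.
SMUGGLED = re.compile(r"/OA_HTML/help/\.\./ieshostedsurvey\.jsp", re.I)

def scan(lines):
    """Return a list of (client_ip, finding) tuples in log order."""
    findings, got_token = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, uri = m["ip"], unquote(m["uri"])  # decode %2e%2e style encoding
        path = uri.split("?", 1)[0]
        if SMUGGLED.search(path):
            findings.append((ip, "traversal request to ieshostedsurvey.jsp"))
        elif path in TOKEN_PATHS:
            got_token.add(ip)
        elif path == SSRF_PATH:
            # A token fetch followed by UiServlet from one client matches the described order.
            after = ip in got_token
            findings.append((ip, "UiServlet after CSRF token fetch" if after else "UiServlet request"))
    return findings

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "POST /OA_HTML/JavaScriptServlet HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 0',
    '127.0.0.1 - - [01/Jan/2025:10:00:02 +0000] "POST /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2025:10:05:00 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

The getUiType parameter is not matched because it may be sent in the request body, which access logs do not record; the outbound GET for the XSL file would appear in egress or proxy logs rather than here.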