I am now working on a pentest in a government unit in Hong Kong; they simply expose numerous sexy confidential reports in their Oracle Report Server:
I would like to highlight two interesting points:
1. Execute servlet commands
http://reports.somethingoracle.com/reports/rwservlet
2. Find confidential reports via Google or on the target
inurl:reports/rwservlet
For example, you can learn about other government projects' funding:
https://app.somethingoracle.com/reports/rwservlet?epm+report=epm345_stip_report.rdf+p_stip_year=2009+p_incld_transit=YES+p_break_type=R+p_draft_rept=NO
Enjoy :)
- Darkfloyd
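As an added, defender-side example that is not part of the original post: a Python snippet that scans web-server access logs for requests reaching /reports/rwservlet and splits the servlet's '+'-separated argument syntax (the form used in the URL quoted above), so an operator can see which report definitions are being pulled and from where. The log lines, IP addresses and the "10.0.0.0/8 is internal" rule are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style; IPs, timestamps and
# the second report name are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:10:01:22 +0800] "GET /reports/rwservlet?epm+report=epm345_stip_report.rdf+p_stip_year=2009+p_incld_transit=YES+p_break_type=R+p_draft_rept=NO HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.15 - - [12/Mar/2010:10:02:03 +0800] "GET /reports/rwservlet?server=rep_srv+report=monthly.rdf+destype=cache+desformat=pdf HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.22 - - [12/Mar/2010:10:04:10 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_rwservlet_args(query):
    """Split an rwservlet query string into key/value pairs.
    The servlet takes command-line style arguments separated by '+' (see the URL
    in the post); a bare token with no '=' such as 'epm' is a key-map name."""
    args = {}
    for token in unquote(query).split("+"):
        if "=" in token:
            key, value = token.split("=", 1)
            args[key.lower()] = value
        elif token:
            args.setdefault("keymap", token)
    return args

def is_internal(ip):
    # Assumption for this example: 10.0.0.0/8 is the unit's internal network.
    return ip.startswith("10.")

def find_report_hits(log_text):
    """One record per request that reaches /reports/rwservlet, flagging
    those that came from outside the internal network."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/reports/rwservlet"):
            continue
        args = parse_rwservlet_args(m.group("path").partition("?")[2])
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "report": args.get("report"),   # the .rdf definition requested
            "args": args,
            "external": not is_internal(m.group("ip")),
        })
    return hits
```

Records with "external" set to True and a 200 status are the ones worth reviewing: they show a report definition being served to the public network, which is exactly the exposure the post describes.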
Nice! Found some interesting parts... Have you informed Johny?