Sunday, November 27, 2011

Oracle Report Server - 2-cent hack trick

I am now working on a pentest for a government unit in Hong Kong; they simply expose numerous sexy confidential reports in their Oracle Report Server.

I would like to highlight two interesting points:
1. Servlet commands can be issued directly against the exposed rwservlet endpoint:
http://reports.somethingoracle.com/reports/rwservlet

2. Confidential reports can be found through Google (or directly on the target) with the dork:
inurl:reports/rwservlet

For example, this URL reveals the funding of other government projects; note that the report name and its parameters are passed as '+'-separated tokens in the rwservlet query string, so every parameter is visible and editable from the client:
https://app.somethingoracle.com/reports/rwservlet?epm+report=epm345_stip_report.rdf+p_stip_year=2009+p_incld_transit=YES+p_break_type=R+p_draft_rept=NO
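As an added example (not part of the original post), the following Python script triages rwservlet URLs of the kind shown above, whether harvested with the inurl: dork or pulled from a web-server access log. For each host it reports which servlet commands are reachable, which .rdf reports are referenced, and whether database credentials are embedded in the userid parameter. The sample URLs are constructed for the example (hostnames follow the post); the command names (showenv, showjobs, getserverinfo, ...) are the documented Oracle Reports Services servlet commands, and treating a bare command name in the query string the same as the rwservlet/<command> path form is an assumption.

```python
"""Triage Oracle Reports rwservlet URLs harvested with the
inurl:reports/rwservlet dork or pulled from web-server access logs.

Added example, not code from the original post.  It assumes the documented
rwservlet syntax rwservlet?<key>+name=value+name=value, where '+' separates
tokens and an optional leading bare token names a cgicmd.dat key-map entry,
and servlet commands addressed as rwservlet/<command> (e.g. showenv).
"""
from urllib.parse import urlsplit, unquote_plus

# Documented Oracle Reports Services servlet commands that reveal server
# state or control the job queue; any of these reachable from the Internet
# is worth a finding on its own.
SERVLET_COMMANDS = {
    "showenv", "showjobs", "showmap", "getserverinfo", "help",
    "parsequery", "showauth", "delauth", "getjobid", "showjobid", "killjobid",
}

# Constructed sample URLs for this example (hostnames follow the post).
SAMPLE_URLS = [
    "http://reports.somethingoracle.com/reports/rwservlet/showenv",
    "http://reports.somethingoracle.com/reports/rwservlet?showjobs",
    "https://app.somethingoracle.com/reports/rwservlet?epm+report=epm345_stip_report.rdf"
    "+p_stip_year=2009+p_incld_transit=YES+p_break_type=R+p_draft_rept=NO",
    "https://app.somethingoracle.com/reports/rwservlet?report=payroll.rdf"
    "+destype=cache+desformat=pdf+userid=scott/tiger@orcl",
    "https://app.somethingoracle.com/index.html",  # not an rwservlet URL
]


def parse_rwservlet_url(url):
    """Classify one URL as a servlet command, a report request or other,
    and pull out the key-map entry, report file and parameters."""
    parts = urlsplit(url)
    result = {"host": parts.hostname, "kind": "other", "command": None,
              "key": None, "report": None, "params": {}, "findings": []}
    path = parts.path.rstrip("/")
    if "/rwservlet" not in path:
        return result

    def note_command(name):
        result["kind"] = "command"
        result["command"] = name
        if name in SERVLET_COMMANDS:
            result["findings"].append("servlet command reachable: " + name)

    # Path form: .../rwservlet/showenv
    suffix = path.split("/rwservlet", 1)[1].strip("/").lower()
    if suffix:
        note_command(suffix)
        return result

    # Query form.  unquote_plus turns the '+' separators into spaces while a
    # literal %2B inside a value decodes to '+', so splitting on whitespace
    # keeps values intact.
    tokens = unquote_plus(parts.query).split()
    for i, tok in enumerate(tokens):
        if "=" in tok:
            name, value = tok.split("=", 1)
            result["params"][name.lower()] = value
        elif i == 0:
            # Leading bare token: a cgicmd.dat key-map entry.  A bare command
            # name here is treated like the path form (assumption).
            if tok.lower() in SERVLET_COMMANDS:
                note_command(tok.lower())
            else:
                result["key"] = tok

    params = result["params"]
    result["report"] = params.get("report") or params.get("module")
    if result["report"] and result["kind"] != "command":
        result["kind"] = "report"
    # rwservlet's userid takes user/password@db, so a slash means the database
    # password sits in the URL: browser history, proxy logs, Google's index.
    if "/" in params.get("userid", ""):
        result["findings"].append("database credentials in userid parameter")
    return result


def triage(urls):
    """Per-host summary of reachable commands, referenced reports and findings."""
    summary = {}
    for url in urls:
        r = parse_rwservlet_url(url)
        if r["kind"] == "other":
            continue
        entry = summary.setdefault(
            r["host"], {"commands": set(), "reports": set(), "findings": []})
        if r["command"]:
            entry["commands"].add(r["command"])
        if r["report"]:
            entry["reports"].add(r["report"])
        entry["findings"].extend(r["findings"])
    return summary


if __name__ == "__main__":
    for host, entry in sorted(triage(SAMPLE_URLS).items()):
        print(host)
        print("  commands:", sorted(entry["commands"]))
        print("  reports: ", sorted(entry["reports"]))
        for finding in entry["findings"]:
            print("  finding: ", finding)
```

Feed it the URLs from a dork result export or the request column of an access log; the per-host report list is what you hand to the owner as the disclosure inventory, and any entry under findings is a separate issue (exposed server-state commands, credentials in URLs).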

Enjoy :)

- Darkfloyd

1 comment:

  1. Nice! Found some interesting parts... Have you informed Johny?
