
Oracle EBS - SQL Log Disclosure

By kannthu

Severity: Medium
Vidoc Module
Tags: #oracle #ebs #logs #exposure
Description

What is "Oracle EBS - SQL Log Disclosure"?

The "Oracle EBS - SQL Log Disclosure" module is designed to detect a vulnerability in Oracle E-Business Suite (EBS) that exposes sensitive SQL logs. This module targets Oracle EBS, a popular enterprise resource planning (ERP) software used by organizations.

This module has a severity level of medium.

Impact

If this vulnerability is exploited, an attacker can gain access to sensitive SQL logs, which may contain valuable information such as database credentials, user details, or other sensitive data. This can lead to unauthorized access, data breaches, or further exploitation of the system.

How does the module work?

The "Oracle EBS - SQL Log Disclosure" module works by sending an HTTP GET request to the "/OA_HTML/bin/sqlnet.log" path. It then applies several matching conditions to determine if the vulnerability is present:

- The response body must contain the words "DESCRIPTION=" and "USER=".
- The response header must have the content type "text/plain".
- The HTTP status code must be 200.

If all the matching conditions are met, the module reports the vulnerability.

It is important to note that this module is designed to detect the vulnerability, not fix it. Once the vulnerability is detected, appropriate actions should be taken to secure the Oracle EBS system and prevent any potential exploitation.
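To make the three matching conditions concrete, here is an added Python example (not Vidoc's code) that applies the module's matchers to captured responses, so an administrator can confirm a fix against a response from their own EBS host without a scanner. The sample responses are constructed, and parsing the Content-Type media type instead of plain substring matching is a choice of this example.

```python
"""Added example (not Vidoc's code): re-implements the module's three
ANDed matching conditions over captured HTTP responses."""

# Path the module requests (from the module description).
TARGET_PATH = "/OA_HTML/bin/sqlnet.log"

# Words the module expects in a disclosed sqlnet.log body.
REQUIRED_WORDS = ("DESCRIPTION=", "USER=")


def content_type_is_text_plain(headers):
    """True when the Content-Type media type is text/plain.

    Header names are matched case-insensitively and parameters such as
    '; charset=UTF-8' are ignored (this example's choice; the module's
    matcher is a word match on the header)."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower() == "text/plain"
    return False


def triage(status, headers, body):
    """Evaluate each condition separately, useful when verifying a fix."""
    return {
        "status_200": status == 200,
        "content_type_text_plain": content_type_is_text_plain(headers),
        "body_words": {w: (w in body) for w in REQUIRED_WORDS},
    }


def sqlnet_log_disclosed(status, headers, body):
    """All three conditions must hold, mirroring the module's 'and' chain."""
    t = triage(status, headers, body)
    return t["status_200"] and t["content_type_text_plain"] and all(t["body_words"].values())


# Constructed sample responses (not captured from any real system).
EXPOSED = (200, {"Content-Type": "text/plain; charset=UTF-8"},
           "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.test)(PORT=1521)))\n"
           "USER=apps\n")
FIXED = (404, {"Content-Type": "text/html"}, "<html>Not Found</html>")
# Same words in an HTML page: not a match, because the content type differs.
HTML_PAGE = (200, {"content-type": "text/html"}, "DESCRIPTION= USER= shown in a help page")

if __name__ == "__main__":
    for label, resp in (("exposed", EXPOSED), ("fixed", FIXED), ("html", HTML_PAGE)):
        print(f"{TARGET_PATH} [{label}]: disclosed={sqlnet_log_disclosed(*resp)} {triage(*resp)}")
```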

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /OA_HTML/bin/sqlnet....
Matching conditions
word: DESCRIPTION=, USER= and
word: text/plain and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability