Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-22047 PoC — Oracle PeopleSoft Enterprise PeopleTools 安全漏洞

Source
https://github.com/tuo4n8/CVE-2023-22047
Associated Vulnerability
Title:Oracle PeopleSoft Enterprise PeopleTools 安全漏洞 (CVE-2023-22047)
Description:Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.59 and 8.60. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Description
Leveraging arbitrary file read to RCE on Oracle PeopleSoft
Readme
## Description:
- CVE-2023-22047 is unauthentication read file on oracle-peoplesoft. However, advance exploit attacker can use this vulnerability to execute remote code execution.

- In the peoplesoft application "Portal.war"," Serlet "WSRP Consumer ResourceProxy" enables the ability to read files and make request (SSRF) to any host.

- With this vulnerability, attackers can easily achieve Remote Code Execution (RCE) on the affected server, indicating that the actual severity exceeds the assigned CVSS score.

## Step to Exploit

```
https://peoplesoft.local:8443/RP?wsrp-url=file:///etc/passwd
https://peoplesoft.local:8443/RP?wsrp-url=file:///c:\\windows\\win.ini
```

```bash
echo target | nuclei -t CVE-2023-22047.yaml
```

![read-file](asset/read-file.png)

## Step to RCE:
- By default, Oracle PeopleSoft enables the RESTful Management Services on WebLogic. Therefore, leveraging the SSRF vulnerability, attackers can easily retrieve full HTTP responses, ultimately allowing them to achieve Remote Code Execution (RCE).

- Step 1:  Read `SerializedSystemIni.dat` and `credentials` of weblogic server. Decypt it  to get raw secret.

- Step 2: Use `RESTAPI Management` to deploy webshell to weblogic


![unauthen-rce](asset/rce.png)


## Old story:
- Initially, I submitted this vulnerability to ZDI, but unfortunately, they weren't interested in this product 🥲. After a long time, I reported it directly to Oracle, but it was marked as a duplicate of CVE-2023-22047.

- Despite its CVSS score of only 7.5, this vulnerability is extremely critical, as attackers can exploit it to achieve unauthenticated Remote Code Execution (RCE).
File Snapshot

 [4.0K]  /data/pocs/ea23c1453011debaee8dd6a42bb106bb33f829ec
├── [4.0K]  asset
│   ├── [103K]  rce.png
│   └── [ 79K]  read-file.png
├── [1.5K]  CVE-2023-22047.yaml
└── [1.6K]  README.md

1 directory, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →