Loading

News

Oracle EBS Penetration Testing Tool

Nobody will argue that IT security is vital in our modern world, particularly for businesses. Cybercrime is getting worse and systems become more vulnerable with time, making organizations more susceptible to cyberattacks and financial losses. That's why the topic of cybercrime demands more attention and cyber-awareness.

ERP security is a separate part of IT security. Nowadays ERP encompasses a huge range of various tools and services written on the base of different technologies. It's critical to possess proper knowledge in the security field and convenient tools for managing.

When we were exploring Oracle E-Business Suite security, we noticed an absence of present-day convenient and free security tools on the market that can help simplify security assessment. There were bunches of various modules or scripts to check one or two issues narrowly. We started developing our own solution, the  first free Oracle E-Business Suite security scanner—ERPSCAN EBS Pentesting tool.

What is it? It is a "wrapper" for multiple EBS exploits developed by our research team. All modules are represented in the Python language. Currently, there are four main modules (1 of them uses EBS Users' passwords decryptor):
  • EBS DB Users brute-force;
  • EBS Users brute-force;
  • EBS Java Serialization test;
  • EBS XML Serialization test.

Oracle EBS DB Users Brute-Force

Script brutes standard DB users with pre-defined passwords. Also, it can grab EBS users' passwords from APPS.fnd_user table and if password hashing is not on, it decrypts them with the ebsDecrypt.py module. All findings will be saved in dbCheckResults.txt file.

Help

You should install cx_Oracle for working.

usage: dbUsersBforce.py [-h] [-H HOST] [-P PORT] [-s SID] [-d DEC] [-v] EBS DB Users brute-force Python Script. It tests for default DB users with the predefined passwords. Also it can check whether any bruted DB user can decrypt EBS Users passwords (of course if Password Hashing is not implemented). optional arguments: -h, --help show this help message and exit -H HOST, --host HOST DB host (default: 127.0.0.1). Example: ebs.example.com -P PORT, --port PORT DB port (default: 1521) -s SID, --sid SID DB SID (default: EBSDB) -d DEC, --dec DEC Try to decrypt EBS Users Passwords? Y/N -v, --verbose verbose mode

Usage

$ dbUsersBrutforce.py -H ebs.example.com -s EBSDB -d Y


Oracle EBS Password Decryption

Script can decrypt EBS users passwords if apps user passwords is known. It handles new (SHA-1 + 3DES) and old (SHA-1-like + ARC4) encryptions.

Help

You should install pyjks for working.

usage: ebsDecrypt.py [-h] [-k KEY] [-d DATA] Script can decrypt EBS users' passwords in case `apps` user passwords is known. It handles `new` (SHA-1 + triple-DES) and `old` (SHA-1-like + RC4) encryption. optional arguments: -h, --help show this help message and exit -k KEY, --key KEY APPS user password (default: APPS -d DATA, --data DATA Decrypted data (test value: C4E9B591098EA0)

Usage

apps user password should be uppercase.

$ decrypt.py -k APPS -d ZH4715DC7E9C2213F7CD56D44CE1CB8625FB71D0F4935EFEAE5B8CA66117B9C2D6A1E733BA80005F4CD19706A03218E8C5E4


Pentesting Oracle EBS Application

Script brutes EBS default users with predefined passwords. It handles two types of authorization versions (don't mix with SSO!).
Help

usage: ebsUsersBforce.py [-h] [-H HOST] [-P PORT] [-s] [-t TIMEOUT] [-v] EBS Users brute-force python script brutes EBS default users with predefined passwords. optional arguments: -h, --help show this help message and exit -H HOST, --host HOST EBS host (default: 127.0.0.1). Example: ebs.example.com -P PORT, --port PORT EBS web port (default: 8000) -s, --ssl enable SSL -t TIMEOUT, --timeout TIMEOUT HTTP connection timeout in second (default: 10) -v, --verbose verbose mode

Usage

$ ebsUsersBforce.py -H ebs.example.com -P 8000



Oracle EBS Java Serialization Test

EBS Python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, then the testing host is potentially vulnerable to Java Deserialization attacks.

Help

usage: javaSerDetect.py [-h] [-H HOST] [-P PORT] [-u URL] [-s] [-t TIMEOUT] [-v] EBS python script for Java Serialization sleep payloads testing based on Apache Commons Collections 3. optional arguments: -h, --help show this help message and exit -H HOST, --host HOST EBS host (default: 127.0.0.1). Example: ebs.example.com -P PORT, --port PORT EBS web port (default: 8000) -u URL, --url URL EBS target URL (default: OA_HTML/iesRuntimeServlet) -s, --ssl enable SSL -t TIMEOUT, --timeout TIMEOUT HTTP connection timeout in second (default: 15) -v, --verbose verbose mode

Usage

$ javaSerDetect.py -H ebs.example.com -P 8000

Oracle WebLogic Level Checks

Oracle EBS XML Serialization test

Python script for XML Serialization sleep payload testing based on CVE-2017-3506 & 10271. It sends special sleep payloads and checks the response time value. If the response time value is more than 10 seconds, then the testing host is potentially vulnerable to XML Deserialization attacks.

Help

usage: xmlSerDetect.py [-h] [-H HOST] [-P PORT] [-u URL] [-s] [-t TIMEOUT] [-v] EBS python script for XML Serialization sleep payload testing based on `CVE-2017-3506 & 10271`. optional arguments: -h, --help show this help message and exit -H HOST, --host HOST WebLogic host (default: 127.0.0.1). Example: ebs.example.com -P PORT, --port PORT WebLogic port (default: 7001) -u URL, --url URL WebLogic target URL (default: wls-wsat/CoordinatorPortType) -s, --ssl enable SSL -t TIMEOUT, --timeout TIMEOUT HTTP connection timeout in second (default: 15) -v, --verbose verbose mode

Usage

$ xmlSerDetect.py -H ebs.example.com -P 7001

You will be always aware of all business and financial news !