Improved SAP recon detection template

2021-06-05 10:48:17 +05:30 · 2021-06-05 10:48:17 +05:30 · 499ff32b1b
parent 55c0e1b103
commit 499ff32b1b
2 changed files with 33 additions and 36 deletions
--- a/exposed-panels/sap-recon-detect.yaml
+++ b/exposed-panels/sap-recon-detect.yaml
@ -1,36 +0,0 @@
-id: sap-recon-detect
-
-info:
-  name: SAP RECON Finder
-  author: samueladi_ & organiccrap
-  severity: medium
-  tags: panel
-
-  # Source:- https://github.com/chipik/SAP_RECON
-  # This is detection template, please use above poc to exploit this further.
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
-      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
-      - "{{BaseURL}}/CTCWebService/Config1?wsdl"
-
-    matchers-condition: and
-    matchers:
-
-      - type: word
-        words:
-          - Method Not Allowed
-          - Expected request method POST. Found GET.
-          - Generated by WSDLDefinitionsParser
-          - bns0:Config1Binding
-          - wsdl:definitions
-          - tns:CTCWebServiceSiBinding
-        condition: or
-
-      - type: status
-        status:
-          - 405
-          - 200
-        condition: or
--- a/technologies/sap-recon-detect.yaml
+++ b/technologies/sap-recon-detect.yaml
@ -0,0 +1,33 @@
+id: sap-recon-detect
+
+info:
+  name: SAP RECON Finder
+  author: samueladi_ & organiccrap
+  severity: medium
+  tags: tech,sap
+  reference: https://github.com/chipik/SAP_RECON
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - CTCManagementException
+          - RemoteException
+          - cancelExecution
+        condition: or
+
+      - type: word
+        words:
+          - "text/xml"
+          - "SAP NetWeaver Application Server"
+        part: header
+
+      - type: status
+        status:
+          - 200