id: sap-netweaver-info-leak

info:
  name: SAP NetWeaver ICM Info page leak
  author: randomstr1ng
  severity: medium
  description: Detection of SAP NetWeaver ABAP Webserver /public/info page
  reference:
    - https://www.acunetix.com/vulnerabilities/web/sap-icf-sap-public-info-sensitive-information-disclosure/
    - https://github.com/Jean-Francois-C/SAP-Security-Audit
  metadata:
    max-request: 1
    shodan-query: http.favicon.hash:-266008933
    product: content_server
    vendor: sap
    fofa-query: icon_hash=-266008933
  tags: sap,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/sap/public/info"

    matchers:
      - type: regex
        part: body
        regex:
          - "RFC_SYSTEM_INFO.Response"

    extractors:
      - type: regex
        part: body
        regex:
          - "<RFCDEST>.*</RFCDEST>"
# digest: 4a0a00473045022100db8882e18c02a5cffed9736a19204a82df1d180c5a7c4c066ce16ab73f11de5802202cf2878825fdd94f30dc13652ddea95e4e7726e133dd9b92fe4c3fb6f4a37f96:922c64590222798bb761d5b6d8e72950