id: sap-recon-detect

info:
  name: SAP RECON Finder
  author: samueladi_ & organiccrap
  severity: medium

  # Source:- https://github.com/chipik/SAP_RECON
  # This is detection template, please use above poc to exploit this further.

requests:
  - method: GET
    path:
      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean"
      - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl"
      - "{{BaseURL}}/CTCWebService/Config1?wsdl"

    matchers-condition: and
    matchers:

      - type: word
        words:
          - Method Not Allowed
          - Expected request method POST. Found GET.
          - Generated by WSDLDefinitionsParser
          - bns0:Config1Binding
          - wsdl:definitions
          - tns:CTCWebServiceSiBinding
        condition: or

      - type: status
        status:
          - 405
          - 200
        condition: or