## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'SAP Management Console Instance Properties', 'Description' => %q{ This module simply attempts to identify the instance properties through the SAP Management Console SOAP Interface. }, 'References' => [ # General [ 'URL', 'http://blog.c22.cc' ] ], 'Author' => [ 'Chris John Riley' ], 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(50013), OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), ], self.class) register_autofilter_ports([ 50013 ]) deregister_options('RHOST') end def run_host(ip) res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'GET' }, 25) if not res print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end enum_instance(ip) end def enum_instance(rhost) print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface") success = false soapenv='http://schemas.xmlsoap.org/soap/envelope/' xsi='http://www.w3.org/2001/XMLSchema-instance' xs='http://www.w3.org/2001/XMLSchema' sapsess='http://www.sap.com/webas/630/soap/features/session/' ns1='ns1:GetInstanceProperties' data = '' + "\r\n" data << '' + "\r\n" data << '' + "\r\n" data << '' + "\r\n" data << 'true' + "\r\n" data << '' + "\r\n" data << '' + "\r\n" data << '' + "\r\n" data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl">' + "\r\n" data << '' + "\r\n" data << '' + "\r\n\r\n" begin res = send_request_raw({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'POST', 'data' => data, 'headers' => { 'Content-Length' => data.length, 'SOAPAction' => '""', 'Content-Type' => 'text/xml; charset=UTF-8', } }, 15) if res.nil? print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end if res.code == 200 body = res.body if body.match(/CentralServices<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) centralservices = $1.strip success = true end if body.match(/SAPSYSTEM<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) sapsystem = $1.strip success = true end if body.match(/SAPSYSTEMNAME<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) sapsystemname = $1.strip success = true end if body.match(/SAPLOCALHOST<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) saplocalhost = $1.strip success = true end if body.match(/INSTANCE_NAME<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) instancename = $1.strip success = true end if body.match(/ICM<\/property>NodeURL<\/propertytype>([^<]+)<\/value>/) icmurl = $1.strip success = true end if body.match(/IGS<\/property>NodeURL<\/propertytype>([^<]+)<\/value>/) igsurl = $1.strip success = true end if body.match(/ABAP DB Connection<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) dbstring = $1.strip success = true end if body.match(/J2EE DB Connection<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) j2eedbstring = $1.strip success = true end if body.match(/Webmethods<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) webmethods = $1.strip success = true end if body.match(/Protected Webmethods<\/property>Attribute<\/propertytype>([^<]+)<\/value>/) protectedweb = $1.strip success = true end elsif res.code == 500 case res.body when /(.*)<\/faultstring>/i faultcode = $1.strip fault = true end end rescue ::Rex::ConnectionError print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end if success print_good("#{rhost}:#{rport} [SAP] Instance Properties Extracted") if centralservices print_good("#{rhost}:#{rport} [SAP] Central Services: #{centralservices}") end if sapsystem print_good("#{rhost}:#{rport} [SAP] SAP System Number: #{sapsystem}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.sapsystem', :data => {:proto => "soap", :sapsystem => sapsystem}) end if sapsystemname print_good("#{rhost}:#{rport} [SAP] SAP System Name: #{sapsystemname}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.systemname', :data => {:proto => "soap", :sapsystemname => sapsystemname}) end if saplocalhost print_good("#{rhost}:#{rport} [SAP] SAP Localhost: #{saplocalhost}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.localhost', :data => {:proto => "soap", :saplocalhost => saplocalhost}) end if instancename print_good("#{rhost}:#{rport} [SAP] Instance Name: #{instancename}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.instancename', :data => {:proto => "soap", :instancename => instancename}) end if icmurl print_good("#{rhost}:#{rport} [SAP] ICM URL: #{icmurl}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.icm.url', :data => {:proto => "soap", :icmurl => icmurl}) end if igsurl print_good("#{rhost}:#{rport} [SAP] IGS URL: #{igsurl}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.igs.url', :data => {:proto => "soap", :igsurl => igsurl}) end if dbstring print_good("#{rhost}:#{rport} [SAP] ABAP DATABASE: #{dbstring}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.dbstring', :data => {:proto => "soap", :dbstring => dbstring}, :update => :unique_data ) end if j2eedbstring print_good("#{rhost}:#{rport} [SAP] J2EE DATABASE: #{j2eedbstring}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.j2eedbstring', :data => {:proto => "soap", :j2eedbstring => j2eedbstring}, :update => :unique_data ) end if protectedweb protectedweb_arr = protectedweb.split(",") print_good("#{rhost}:#{rport} [SAP] Protected Webmethods (auth required) :::") print_status("#{protectedweb}") report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.protected.web.methods', :data => {:proto => "soap", :protectedweb => protectedweb}, :update => :unique_data ) end if webmethods webmethods_output = [] # create empty webmethods array webmethods_arr = webmethods.split(",") webmethods_arr.each do | webm | # Only add webmethods not found in protectedweb_arr webmethods_output << webm unless protectedweb_arr && protectedweb_arr.include?(webm) end if webmethods_output print_good("#{rhost}:#{rport} [SAP] Unprotected Webmethods :::") print_status("#{webmethods_output.join(',')}") end report_note(:host => rhost, :proto => 'tcp', :port => rport, :type => 'sap.web.methods', :data => {:proto => "soap", :webmethods => webmethods}, :update => :unique_data ) end return elsif fault print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}") return else print_error("#{rhost}:#{rport} [SAP] Failed to identify instance properties") return end end end