# N/A
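## Vulnerability overview
A vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Services) allows an unauthenticated attacker to inject arbitrary values as CMS parameters and thereby perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, the attacker can scan the internal network, determine the internal infrastructure and gather information for further attacks such as remote file inclusion, retrieving server files and bypassing firewalls, resulting in a server-side request forgery (SSRF) vulnerability.
## Affected versions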
- 410
- 420
- 430
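## Vulnerability details
An unauthenticated attacker can perform lookups on the internal network by injecting arbitrary values into the CMS parameter; that internal network is normally restricted from external access. Once the vulnerability is triggered, the attacker can scan the internal network, determine its architecture and collect information for further attacks. Specifically, the attacker can carry out the following:
- Remote file inclusion
- Retrieving server files
- Bypassing firewalls
- Forcing the vulnerable server to issue malicious requests
## Impact
This vulnerability can lead to the following security issues:
- Server-side request forgery (SSRF)
- Collection of internal network information
- Remote file inclusion
- Retrieval of server files
- Bypass of firewall settings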
| # | PoC description | Source link | Shenlong link |
|---|---|---|---|
| 1 | PoC CVE-2020-6308 | https://github.com/InitRoot/CVE-2020-6308-PoC | PoC details |
| 2 | CVE-2020-6308 mass exploiter/fuzzer. | https://github.com/freeFV/CVE-2020-6308-mass-exploiter | PoC details |
| 3 | Exploit script for SAP Business Objects SSRF | https://github.com/TheMMMdev/CVE-2020-6308 | PoC details |
| 4 | This script exploits and performs an SSRF (Server-Side Request Forgery) and Timing Attack against the SAP BusinessObjects Launchpad (CVE-2020-6308). It attempts to determine the status of various ports on a target IP address by measuring the response time of the application when attempting to authenticate against it. | https://github.com/MachadoOtto/sap_bo_launchpad-ssrf-timing_attack | PoC details |
| 5 | SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-6308.yaml | PoC details |