CVE-2017-12637 PoC — SAP NetWeaver Application Server Java 路径遍历漏洞

Source

https://github.com/abrewer251/CVE-2017-12637_SAP-NetWeaver-URL-Traversal

Associated Vulnerability

Title:SAP NetWeaver Application Server Java 路径遍历漏洞 (CVE-2017-12637)
Description:SAP NetWeaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台，该平台可为SAP应用提供开发和运行环境。SAP NetWeaver Application Server（AS）Java是一款运行于NetWeaver中且基于Java编程语言的应用服务器。 SAP NetWeaver AS Java 7.5版本中的scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS目录存在目录遍历漏洞。远程攻击者可借助特制的查询字符串利用该漏洞读取任意文件

Description

Proof-of-concept LFI Scanner: Automated detection of /etc/passwd exposures via directory traversal and regex matching.

Readme

# CVE-2017-12637_SAP-NetWeaver-URL-Traversal
Proof-of-concept LFI Scanner: Automated detection of /etc/passwd exposures via directory traversal and regex matching.
---

````markdown
# LFI Scanner

A lightweight Python proof-of-concept to scan target hosts for Local File Inclusion (LFI) vulnerabilities by attempting to retrieve `/etc/passwd` and detecting its presence with a regex check. :contentReference[oaicite:0]{index=0}

## Features

- **Batch scanning** of hostnames or host:port targets from an input file  
- **Directory traversal payload** to reach `/etc/passwd`  
- **Regex detection** of the `root` entry to confirm LFI  
- **Progress bar** powered by `tqdm` for real-time feedback  
- **Structured reporting**: outputs findings and previews to a results file  

## Prerequisites

- Python 3.6 or newer  
- [`tqdm`](https://pypi.org/project/tqdm/) (`pip install tqdm`)  
- `curl` CLI available in your PATH  

## Installation

```bash
git clone https://github.com/yourusername/lfi-scanner.git
cd lfi-scanner
pip install tqdm
````

## Usage

```bash
python poc.py <input_file> [-o OUTPUT_FILE]
```

* `<input_file>`: Path to a file containing one target per line (`hostname` or `hostname:port`).
* `-o, --output`: (Optional) Path to write results (default: `results.txt`).

### Example

Given `targets.txt`:

```
example.com
192.168.0.1:8443
```

Run the scanner:

```bash
python poc.py targets.txt -o scan_results.txt
```

You’ll see output like:

```
[+] https://example.com:443/... → /etc/passwd FOUND
[-] https://192.168.0.1:8443/... → Response received, no match
```

And `scan_results.txt` will contain a summary and previews.

## Script Breakdown

* **`poc.py`**:

  * Uses `argparse` to parse `--input` and `--output`.
  * Iterates targets and constructs the URL with a deep traversal payload.
  * Calls `curl --insecure -s` for each target.
  * Searches for `root:.*?:0:0:` to confirm `/etc/passwd` exposure.
  * Prints status per host and writes detailed results to the output file.&#x20;

## Disclaimer

Use this tool **responsibly** and **only** on assets you own or have explicit permission to test. Unauthorized scanning may violate laws and terms of service.

## License

Released under the [MIT License](LICENSE).

```
```

File Snapshot


 [4.0K]  /data/pocs/ad00304f6f9a738e58d0617f45cabddfb23bc6be
├── [1.0K]  LICENSE
├── [2.4K]  poc_SAPNetWeaver.py
└── [2.2K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!