SAP ConfigServlet OS command execution module #1751

Merged
merged 9 commits into from Apr 23, 2013


andrewkabai commented Apr 22, 2013

Corrected pull request (branch change) for the previously submitted module:
#1740

This module allows execution of operating system commands through the
SAP ConfigServlet without any authentication.

The vulnerability was discovered by ERPScan's team; it was presented at the Hacker Halted 2012 conference:
http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf

andrewkabai added some commits Apr 18, 2013

SAP ConfigServlet OS Command Execution module
This module allows execution of operating system commands through the
SAP ConfigServlet without any authentication.
remove Scanner mixin
remove Scanner mixin because this module is not a scanner module
improve URI path and parameter handling
switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to prepare query string (instead of
vars_get that escapes the necessary semicolons)
sap_configservlet_exec_noauth auxiliary module
the final module was moved from my master branch to here because of the
pull request needs

jvazquez-r7 commented Apr 22, 2013

Thank you very much @andrewkabai, looks good! I just asked for an OSVDB number so hopefully we get one soon and we can add it before merging. And merging asap :)


andrewkabai commented Apr 22, 2013

Thank you, I made an update to the references to include the EDB ID as well.


jvazquez-r7 commented Apr 22, 2013

That's awesome! Thanks @andrewkabai, just waiting for the OSVDB and hopefully will be merging during the day :)

@jvazquez-r7 jvazquez-r7 merged commit 79eb2ff into rapid7:master Apr 23, 2013

1 check passed

default The Travis build passed

jvazquez-r7 commented Apr 23, 2013

Since there still isn't an OSVDB number and I wouldn't like to see it held up any longer, I merged it. I will update it myself once an OSVDB number is available :)

Thanks @andrewkabai for your contribution, hope you're still thinking about working on the exploit module :) It would be awesome; let me know if you need feedback or help during development!

@andrewkabai andrewkabai deleted the andrewkabai:module/auxiliary_sap_configservlet_exec_noauth branch Apr 23, 2013

@andrewkabai andrewkabai restored the andrewkabai:module/auxiliary_sap_configservlet_exec_noauth branch Apr 24, 2013
