SAP ConfigServlet OS command execution module #1751

@andrewkabai andrewkabai commented Apr 22, 2013

Corrected pull request (branch change) for the previously submitted module:
#1740

This module allows execution of operating system commands through the
SAP ConfigServlet without any authentication.

The vulnerability was discovered by ERPScan's team; it was presented at the Hacker Halted 2012 conference:
http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf

andrewkabai added 8 commits Apr 18, 2013
This module allows execution of operating system commands through the
SAP ConfigServlet without any authentication.
remove Scanner mixin because this module is not a scanner module
switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to prepare query string (instead of
vars_get that escapes the necessary semicolons)
the final module was moved from my master branch to here because of the
pull request needs

@jvazquez-r7 jvazquez-r7 commented Apr 22, 2013

Thank you very much @andrewkabai, looks good! I just asked for an OSVDB number so hopefully we get one soon and we can add it before merging. And merging asap :)

@andrewkabai andrewkabai commented Apr 22, 2013

Thank you, I made an update on references to include the EDB ID as well.

@jvazquez-r7 jvazquez-r7 commented Apr 22, 2013

That's awesome! Thanks @andrewkabai, just waiting for the OSVDB and hopefully will be merging during the day :)

@jvazquez-r7 jvazquez-r7 merged commit 79eb2ff into rapid7:master Apr 23, 2013
1 check passed: The Travis build passed

@jvazquez-r7 jvazquez-r7 commented Apr 23, 2013

Since there still isn't an OSVDB number and I wouldn't like to see it held up any longer, I merged it. I will update it myself once there is an OSVDB available :)

Thanks @andrewkabai for your contribution, hope you're still thinking about working on the exploit module :) It would be awesome, let me know if you need feedback or help during development!

@andrewkabai andrewkabai deleted the andrewkabai:module/auxiliary_sap_configservlet_exec_noauth branch Apr 23, 2013
@andrewkabai andrewkabai restored the andrewkabai:module/auxiliary_sap_configservlet_exec_noauth branch Apr 24, 2013