exploit the possibilities

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 3 of 3

Files from Vladimir Ivanov

SAP Internet Graphics Server (IGS) XMLCHART XXE

Posted Aug 31, 2024

Authored by Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively attackers can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.

tags | exploit, remote, denial of service, vulnerability

advisories | CVE-2018-2392, CVE-2018-2393

SHA-256 | 932e34005bd30cea82809ca431f5daa784d90fd6dfd7abe0f2359d6391625386

Download | Favorite | View

SAP Solution Manager Remote Unauthorized OS Commands Execution

Posted Aug 31, 2024

Authored by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.

tags | exploit, java, remote, web

advisories | CVE-2020-6207

SHA-256 | d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86

Download | Favorite | View

SAP Solution Manager 7.2 Remote Command Execution

Posted Mar 26, 2021

Authored by Dmitry Chastuhin, Pablo Artuso, Vladimir Ivanov, Yvan Genuer | Site metasploit.com

This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents allowing an attacker to send HTTP requests (SSRF) and execute OS commands on the connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation will allow unauthenticated remote attackers to get a reverse shell from connected to the SolMan agent as the user under which it runs SMDAgent service, which is usually daaadm.

tags | exploit, java, remote, web, shell

advisories | CVE-2020-6207

SHA-256 | 0d5122d6fb0ba7f681b7229fc5c197780b51710c6395404115ad8686072b2b08

Download | Favorite | View