This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent. The module works reliably against a connected SMDAgent running Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as the user under which the SMDAgent service runs, usually daaadm.
d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86
This Metasploit module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system changes.
9d4da8f09f54ec6089b8460657fec4b370a7fd9f0d3af4a870972933d253c5aa
The Communication Profiles functionality provided within SAP JAVA NetWeaver suffers from an XML external entity injection vulnerability.
148727acfbb4a8a75ea11ebaf68ed2fcc427fa652ac0cb1a7e2f15ae72c6fc66
Due to a missing authorization check in the SAP Solution Manager version 7.20 LM-SERVICE component, a remote authenticated attacker could be able to execute privileged actions in the affected system, including the execution of operating system commands.
ad2a546198819c5e3808faa124d00d50475caa98031463ff99dd70806f19a4fd
Any authenticated user of the SAP Solution Manager version 7.2 is able to craft, upload, and execute EEM scripts on the SMDAgents affecting its integrity, confidentiality and availability.
bdc7e6c1e337b3a9375a591f67ba31840609fc29cc4d04938ddbb01ed4b453aa
The End-User Experience Monitoring (EEM) application, part of the SAP Solution Manager version 7.2, is vulnerable to path traversal. As a consequence, an unauthorized attacker would be able to read sensitive OS files and affect the availability of the EEM robots connected to the SolMan.
e7df5522b5218db217d73908552d4067a8c0fedc1d3ce58d9455d1d4c14f7d01
This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, allowing an attacker to send HTTP requests (SSRF) and execute OS commands on the connected SMDAgent. The module works reliably against a connected SMDAgent running Java version 1.8. Successful exploitation will allow unauthenticated remote attackers to get a reverse shell from an agent connected to SolMan as the user under which the SMDAgent service runs, which is usually daaadm.
0d5122d6fb0ba7f681b7229fc5c197780b51710c6395404115ad8686072b2b08
SAP Netweaver version 7.40 SP 12 suffers from an OS command injection vulnerability in SCTC_REFRESH_CONFIG_CTC.
687b1abdf061c25448d8078207267121d66fc61153b0c01ebfb48546e7fe3ab3
SAP Netweaver version 7.40 SP 12 suffers from an OS command injection vulnerability in SCTC_REORG_SPOOL.
1517d473275190d714f68c8e5b64ce52162f23de86d95e76ba101651b720bb43
SAP Netweaver version 7.40 SP 12 suffers from an OS command injection vulnerability in SCTC_TMS_MAINTAIN_ALOG.
5b5b36310db340722cc3361ec4f659c8cd7c00bbaa4b49e34fec23b994713be0
SAP Netweaver version 7.40 SP 12 suffers from an OS command injection vulnerability in SCTC_REFRESH_IMPORT_USR_CLNT.
a4de11bcf1661481197db31f9b2b638350c10d8d54f02b10699db0167d5fa303
SAPCRYPTOLIB version 5.555.38 suffers from a missing signature check in its DSA algorithm.
c57e938e01fd374e72b21d0aa73cc8d0c2ca106f33d2addda4e763f24c2e5a95
SAP Netweaver version 7.40 SP 12 suffers from an OS command injection vulnerability in SCTC_REFRESH_IMPORT_USR_CLNT.
a8c367bdf4221ca8854b79fe4ceb7e4596e9d9cda855b6f8a1e5f94bbcae970e
SAP Netweaver version 7.40 SP 12 suffers from an OS command injection vulnerability in PREPARE_CHECK_CAPACITY.
f3adb601ddc92854728dd2ee8a7942701a0cd93b9ae01ead9009fb048194fcad
The SAP Netweaver version 7.40 SP 12 SCTC_TMS_MAINTAIN_ALOG function does not correctly sanitize variables used when executing the CALL 'SYSTEM' statement, allowing an attacker with particular privileges to execute arbitrary OS commands.
cdea10037f25f37e68dadc3dd2a5c0d0f27caaca32899c47a4e16ddc8f3b72eb
The SAP Netweaver version 7.40 SP 12 SCTC_REFRESH_CHECK_ENV function does not correctly sanitize variables used when executing the CALL 'SYSTEM' statement, allowing an attacker with particular privileges to execute arbitrary OS commands.
b35e9f6613d4f1f23468ca6d75fc9ed768d97653f4622f0c9116590ea888b4f4
The SAP Netweaver version 7.40 SP 12 SCTC_REFRESH_EXPORT_TAB_COMP function does not correctly sanitize variables used when executing the CALL 'SYSTEM' statement, allowing an attacker with particular privileges to execute arbitrary OS commands.
48c0424ccdff8795c1c8e34571da47df3e36d4472a09787da490e76fa363125c
SAP HANA DB version 1.00.091.00.1418659308 suffers from a user information disclosure vulnerability.
bdc9caa13cd84ad00e89d70d09818e47227a940de378774fee051e8ed6f20745
SAP HANA DB version 1.00.73.00.389160 fails to institute any brute force protections for gaining access to the SYSTEM user.
e54c00ad538a9ab4bb746b89bec5d3d9f413b27ed333de41b4692b06ad183cd9
SAP HANA version 1.00.091.00.1418659308 suffers from a get topology information disclosure vulnerability.
e75c9fed09b354564d28969a1389e8b9410fd2173c6b155ffb2381ac96e43e93
Onapsis Security Advisory - SAP HANA suffers from a remote SQL injection vulnerability in the setTraceLevelsForXsApps function. By exploiting this vulnerability an attacker could change configuration settings in the HANA system, affecting the integrity of the data stored and possibly making the platform unavailable to other users, who won't be able to perform their assigned business operations.
7869861a8cf7d5ac351d96a4bde8a820fc9cf69a49a6804cb69e0ab966bc97ce
Onapsis Security Advisory - SAP HANA suffers from an XSJS code injection vulnerability in test-net.xsjs. By exploiting this vulnerability a remote authenticated attacker would be able to partially compromise the SAP system as well as all the information processed and stored in the HANA system.
536c2f5bd066d0dd00d1598734d6f710d8be3e982bbd78bef9d75361bc5754eb
Onapsis Security Advisory - The SAP HANA _newUser function suffers from a remote SQL injection vulnerability. By exploiting this vulnerability an attacker could modify information related to users of the HANA system, affecting the integrity of the data stored.
f3b215fc645ed5adb73a39c5c8db51b7f63d88844aaeb6ee126baf1e0fc6ffda
Onapsis Security Advisory - The SAP HANA _modifyUser function suffers from a remote SQL injection vulnerability. By exploiting this vulnerability an attacker could modify information related to users of the HANA system, affecting the integrity of the data stored.
2bf8dc1f0018c72dd7928ea2e39a57b4c7a243e7a5cde3f12425bfe6876cac15