SAP System Penetration Testing
- 1. SAP System Overview
- 2. SAP System Fingerprinting
- 3. SAP System Testing Methods
1. SAP System Overview
SAP is short for "System Applications and Products"; it is the name of the enterprise management software suite produced by the SAP company. SAP systems are an attractive target for attackers because they typically store and manage an organization's critical information and the lifeblood of its business processes.
Each SAP instance is divided into multiple clients. Every client has a user named SAP*, which is equivalent to the system's root user. When a client is first created, this SAP* user is assigned a default password: 060719992.
When testing an SAP system, first try the default password to see whether it allows a successful login.
2. SAP System Fingerprinting
1. Google dork queries
inurl:50000/irj/portal
inurl:IciEventService/IciEventConf
inurl:/wsnavigator/jsps/test.jsp
inurl:/irj/go/km/docs/
2. Shodan
https://www.shodan.io/search?query=sap+portal
https://www.shodan.io/search?query=SAP+Netweaver
https://www.shodan.io/search?query=SAP+J2EE+Engine
3. Burp Intruder path brute-force wordlist
rep/build_info.html
rep/build_info.jsp
run/build_info.html
run/build_info.jsp
rwb/version.html
sap/bc/bsp/esh_os_service/favicon.gif
sap/bc/bsp/sap
sap/bc/bsp/sap/alertinbox
sap/bc/bsp/sap/bsp_dlc_frcmp
sap/bc/bsp/sap/bsp_veri
sap/bc/bsp/sap/bsp_verificatio
sap/bc/bsp/sap/bsp_wd_base
sap/bc/bsp/sap/bspwd_basics
sap/bc/bsp/sap/certmap
sap/bc/bsp/sap/certreq
sap/bc/bsp/sap/crm_bsp_frame
sap/bc/bsp/sap/crmcmp_bpident/
sap/bc/bsp/sap/crmcmp_brfcase
sap/bc/bsp/sap/crmcmp_hdr
sap/bc/bsp/sap/crmcmp_hdr_std
sap/bc/bsp/sap/crmcmp_ic_frame
sap/bc/bsp/sap/crm_thtmlb_util
sap/bc/bsp/sap/crm_ui_frame
sap/bc/bsp/sap/crm_ui_start
sap/bc/bsp/sap/esh_sap_link
sap/bc/bsp/sap/esh_sapgui_exe
sap/bc/bsp/sap/graph_bsp_test
sap/bc/bsp/sap/graph_bsp_test/Mimes
sap/bc/bsp/sap/gsbirp
sap/bc/bsp/sap/htmlb_samples
sap/bc/bsp/sap/iccmp_bp_cnfirm
sap/bc/bsp/sap/iccmp_hdr_cntnr
sap/bc/bsp/sap/iccmp_hdr_cntnt
sap/bc/bsp/sap/iccmp_header
sap/bc/bsp/sap/iccmp_ssc_ll/
sap/bc/bsp/sap/ic_frw_notify
sap/bc/bsp/sap/it00
sap/bc/bsp/sap/public/bc
sap/bc/bsp/sap/public/graphics
sap/bc/bsp/sap/sam_demo
sap/bc/bsp/sap/sam_notifying
sap/bc/bsp/sap/sam_sess_queue
sap/bc/bsp/sap/sbspext_htmlb
sap/bc/bsp/sap/sbspext_xhtmlb
sap/bc/bsp/sap/spi_admin
sap/bc/bsp/sap/spi_monitor
sap/bc/bsp/sap/sxms_alertrules
sap/bc/bsp/sap/system
sap/bc/bsp/sap/thtmlb_scripts
sap/bc/bsp/sap/thtmlb_styles
sap/bc/bsp/sap/uicmp_ltx
sap/bc/bsp/sap/xmb_bsp_log
sap/bc/contentserver
sap/bc/echo
sap/bc/error
sap/bc/FormToRfc
sap/bc/graphics/net
sap/bc/gui/sap/its/CERTREQ
sap/bc/gui/sap/its/designs
sap/bc/gui/sap/its/webgui
sap/bc/IDoc_XML
sap/bc/ping
sap/bc/report
sap/bc/soap/ici
sap/bc/soap/rfc
sap/bc/srt/IDoc
sap/bc/wdvd
sap/bc/webdynpro/sap/apb_launchpad
sap/bc/webdynpro/sap/apb_launchpad_nwbc
sap/bc/webdynpro/sap/apb_lpd_light_start
sap/bc/webdynpro/sap/apb_lpd_start_url
sap/bc/webdynpro/sap/application_exit
sap/bc/webdynpro/sap/appl_log_trc_viewer
sap/bc/webdynpro/sap/appl_soap_management
sap/bc/webdynpro/sap/ccmsbi_wast_extr_testenv
sap/bc/webdynpro/sap/cnp_light_test
sap/bc/webdynpro/sap/configure_application
sap/bc/webdynpro/sap/configure_component
sap/bc/webdynpro/sap/esh_search_results.ui
sap/bc/webdynpro/sap/esh_adm_smoketest_ui
sap/bc/webdynpro/sap/sh_adm_smoketest_files
sap/bc/webdynpro/sap/esh_eng_modelling
sap/bc/webdynpro/sap/esh_admin_ui_component
sap/bc/webdynpro/sap/wdhc_application
sap/bc/webdynpro/sap/wd_analyze_config_appl
sap/bc/webdynpro/sap/wd_analyze_config_comp
sap/bc/webdynpro/sap/wd_analyze_config_user
sap/bc/webdynpro/sap/WDR_TEST_ADOBE
sap/bc/webdynpro/sap/WDR_TEST_EVENTS
sap/bc/webdynpro/sap/wdr_test_popups_rt
sap/bc/webdynpro/sap/WDR_TEST_TABLE
sap/bc/webdynpro/sap/wdr_test_ui_elements
sap/bc/webdynpro/sap/WDR_TEST_WINDOW_ERROR
sap/bc/webrfc
sap/bc/xrfc
sap/bc/xrfc_test
sap/es/cockpit
sap/es/getdocument
sap/es/opensearch
sap/es/opensearch/description
sap/es/opensearch/list
sap/es/opensearch/search
sap/es/saplink
sap/es/search
sap/es/redirect
sap/crm
sap/public/bc
sap/public/bc/icons
sap/public/bc/icons_rtl
sap/public/bc/its/mimes
sap/public/bc/its/mimes/system/SL/page/hourglass.html
sap/public/bc/its/mobile/itsmobile00
sap/public/bc/its/mobile/itsmobile01
sap/public/bc/its/mobile/rfid
sap/public/bc/its/mobile/start
sap/public/bc/its/mobile/test
sap/public/bc/NWDEMO_MODEL
sap/public/bc/NW_ESH_TST_AUTO
sap/public/bc/pictograms
sap/public/bc/sicf_login_run
sap/public/bc/trex
sap/public/bc/ur
sap/public/bc/wdtracetool
sap/public/bc/webdynpro/adobechallenge
sap/public/bc/webdynpro/mimes
sap/public/bc/webdynpro/ssr
sap/public/bc/webdynpro/viewdesigner
sap/public/bc/webicons
sap/public/bc/workflow
sap/public/bc/workflow/shortcut
sap/public/bsp/sap
sap/public/bsp/sap/htmlb
sap/public/bsp/sap/public
sap/public/bsp/sap/public/bc
sap/public/bsp/sap/public/faa
sap/public/bsp/sap/public/graphics
sap/public/bsp/sap/public/graphics/jnet_handler
sap/public/bsp/sap/public/graphics/mimes
sap/public/bsp/sap/system
sap/public/bsp/sap/system_public
sap/public/icf_check
sap/public/icf_info
sap/public/icf_info/icr_groups
sap/public/icf_info/icr_urlprefix
sap/public/icf_info/logon_groups
sap/public/icf_info/urlprefix
sap/public/icman
sap/public/info
sap/public/myssocntl
sap/public/ping
sap/webcuif
4. Enumerating SAP with Metasploit modules
msf > use auxiliary/scanner/sap/sap_service_discovery
msf auxiliary(sap_service_discovery) > show options
Module options (auxiliary/scanner/sap/sap_service_discovery):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   INSTANCES    00-01            yes       Instance numbers to scan (e.g. 00-05,00-99)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
msf auxiliary(sap_service_discovery) > set rhosts 192.168.96.101
rhosts => 192.168.96.101
msf auxiliary(sap_service_discovery) > run
[*] 192.168.96.101: - [SAP] Beginning service Discovery '192.168.96.101'
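The sap_service_discovery module takes an INSTANCES range because SAP derives most of its listener ports from the two-digit instance number. The following is an added example (not code from the page or from Metasploit) that expands an INSTANCES-style spec, builds the default SAP port map for each instance from SAP's published port scheme, and audits a list of ports found open on one's own perimeter against it. The port-to-service table and the policy of which services may face untrusted networks are this example's own assumptions; the service names are descriptive labels, not module output.

```python
from typing import Dict, List, Set

# Default SAP listener ports as templates; "NN" stands for the two-digit
# instance number. Built from SAP's published default port scheme for this
# example; it is not the msf module's internal list.
SAP_PORT_TEMPLATES = {
    "32NN":  "ABAP dispatcher (DIAG / SAP GUI)",
    "33NN":  "RFC gateway",
    "36NN":  "ABAP message server",
    "80NN":  "ICM HTTP",
    "443NN": "ICM HTTPS",
    "5NN00": "Java (J2EE) HTTP",
    "5NN01": "Java (J2EE) HTTPS",
    "5NN04": "Java P4 (remote object protocol)",
    "5NN08": "Java telnet administration",
    "5NN13": "sapstartsrv SOAP (HTTP)",
    "5NN14": "sapstartsrv SOAP (HTTPS)",
}

# Ports that do not depend on the instance number.
SAP_FIXED_PORTS = {
    3299: "SAProuter",
    1128: "SAP Host Agent (HTTP)",
    1129: "SAP Host Agent (HTTPS)",
}

# Policy assumption for this example: only the TLS front ends may be reachable
# from untrusted networks; everything else is administrative or internal.
EXTERNALLY_ACCEPTABLE = {"ICM HTTPS", "Java (J2EE) HTTPS"}


def parse_instances(spec: str) -> List[str]:
    """Expand an INSTANCES-style spec such as '00-02,10' into ['00','01','02','10']."""
    out: List[str] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.extend(f"{n:02d}" for n in range(int(lo), int(hi) + 1))
        elif part:
            out.append(f"{int(part):02d}")
    return out


def sap_ports(instance: str) -> Dict[int, str]:
    """Return {port: service} for one two-digit instance number."""
    nn = f"{int(instance):02d}"
    ports = {int(t.replace("NN", nn)): svc for t, svc in SAP_PORT_TEMPLATES.items()}
    ports.update(SAP_FIXED_PORTS)
    return ports


def audit_exposure(exposed_ports: Set[int], instance_spec: str) -> Dict[str, Dict[int, str]]:
    """Classify exposed ports as 'flagged' (should not face untrusted networks),
    'acceptable' (TLS front end), or 'unknown' (not a default SAP port)."""
    known: Dict[int, str] = {}
    for inst in parse_instances(instance_spec):
        known.update(sap_ports(inst))
    result: Dict[str, Dict[int, str]] = {"flagged": {}, "acceptable": {}, "unknown": {}}
    for port in sorted(exposed_ports):
        svc = known.get(port)
        if svc is None:
            result["unknown"][port] = "not a default SAP port"
        elif svc in EXTERNALLY_ACCEPTABLE:
            result["acceptable"][port] = svc
        else:
            result["flagged"][port] = svc
    return result


if __name__ == "__main__":
    # Constructed sample: ports seen open on a perimeter scan of a host that
    # runs instances 00 and 01.
    sample_exposed = {3300, 3600, 44300, 50013, 8080}
    report = audit_exposure(sample_exposed, "00-01")
    for category, entries in report.items():
        for port, svc in entries.items():
            print(f"{category:10s} {port:6d}  {svc}")
```

Running the audit against a real host inventory shows which SAP listeners the discovery module would find from outside; gateway, message server and sapstartsrv ports showing up as "flagged" are the usual candidates for firewall rules or SAProuter/reverse-proxy placement.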
3. SAP System Testing Methods
1. Run a scan with AWVS
2. Visit /irj/go/km/navigation/
   It may have a directory listing vulnerability or an authentication bypass
3. http://SAP/sap/public/info
   It may leak some information
4. Use Metasploit modules
msf > search sap
5. Try some known vulnerabilities (check Exploit-DB)
6. Automated tools:
https://github.com/airbus-seclab/powersap
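From the defending side, the Burp Intruder wordlist in section 2 and the two probe URLs in this section (/irj/go/km/navigation/ and /sap/public/info) are what an HTTP access log shows when someone runs these steps. The following is an added example (not from the page, powersap, or any SAP tool) of detection logic over access-log lines in Common Log Format, as written by a reverse proxy in front of the ICM or by the ICM when configured for that format. It raises one alert for any request to a sensitive path and one alert per client that requests many distinct SAP paths with mostly 4xx responses inside a short window. The sample log lines, thresholds, prefix list and the choice of sensitive paths are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# One Common Log Format line, e.g.
# 192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /sap/bc/ping HTTP/1.1" 404 512
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Paths the page singles out as information-disclosure / auth-bypass probes,
# plus the SOAP RFC endpoint from the wordlist (selection is this example's own).
SENSITIVE_PATHS = {"/sap/public/info", "/irj/go/km/navigation/", "/sap/bc/soap/rfc"}

# Prefixes under which the brute-force wordlist lives (assumed for this example).
SAP_PREFIXES = ("/sap/", "/irj/", "/rep/", "/run/", "/rwb/", "/webdynpro/")


def parse_clf(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def detect(lines: List[str], window_seconds: int = 60,
           distinct_threshold: int = 8, miss_ratio: float = 0.7) -> List[Dict]:
    """Return alerts for (A) sensitive-path requests and (B) path-enumeration bursts."""
    alerts: List[Dict] = []
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        norm = rec["path"].split("?", 1)[0]
        # Rule A: report every hit regardless of status; a 200 means disclosure,
        # a 401/403/404 means someone is looking for it.
        if norm in SENSITIVE_PATHS:
            alerts.append({"rule": "sensitive_path", "ip": rec["ip"], "path": norm, "status": rec["status"]})
        if norm.startswith(SAP_PREFIXES):
            per_ip[rec["ip"]].append({"ts": rec["ts"], "path": norm, "status": rec["status"]})

    # Rule B: sliding time window per client; many distinct SAP paths with a
    # high 4xx ratio is the signature of the wordlist being replayed.
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["path"] for r in window}
            misses = sum(1 for r in window if 400 <= r["status"] < 500)
            if len(distinct) >= distinct_threshold and misses / len(window) >= miss_ratio:
                if best is None or len(distinct) > best["distinct_paths"]:
                    best = {"rule": "path_enumeration", "ip": ip, "distinct_paths": len(distinct),
                            "requests": len(window), "misses": misses}
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample log: a benign portal user, one direct probe of
# /sap/public/info, and a wordlist replay (paths taken from the list above).
SAMPLE_LOG = [
    '192.0.2.1 - - [10/Oct/2023:13:55:36 +0000] "GET /irj/portal HTTP/1.1" 200 4210',
    '192.0.2.1 - - [10/Oct/2023:13:55:41 +0000] "GET /irj/portal HTTP/1.1" 200 4210',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /sap/public/info HTTP/1.1" 200 1873',
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:57:{i:02d} +0000] "GET /sap/bc/{p} HTTP/1.1" 404 512'
    for i, p in enumerate(["ping", "echo", "error", "report", "webrfc", "xrfc",
                           "xrfc_test", "wdvd", "IDoc_XML", "FormToRfc"])
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low for the constructed sample; on a production portal the window and distinct-path count should be tuned against normal Web Dynpro and portal traffic, which legitimately touches several /sap/public/ and /irj/ resources per page load but almost never produces a run of 404s across dozens of distinct ICF service paths.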