Goby/json/SAP-NetWeaver-Authenticatio...


{
"Name": "SAP NetWeaver Authentication Bypass (CVE-2020-6287) RECON",
"Description": "SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check (Missing Authentication Check). This allows an attacker without prior authentication to execute configuration tasks that perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.",
"Product": "SAP-Web-Application-Server",
"Homepage": "",
"DisclosureDate": "2020-07-14",
"Author": "gobysec@gmail.com",
"FofaQuery": "",
"GobyQuery": "header=\"AS Java 7.30\" || header=\"AS Java 7.31\" || header=\"AS Java 7.40\" || header=\"AS Java 7.50\"",
"Level": "3",
"Impact": "If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability.",
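"Recommendation": "Review SAP Security Note #2934135 for more information and apply critical patches as soon as possible (https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675). This check only confirms that /CTCWebService/CTCWebServiceBean?wsdl answers an unauthenticated GET request with HTTP 200 and the service namespace, so verify the installed patch level against the Security Note before treating a match as a confirmed vulnerable system.",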
"References": [
"https://launchpad.support.sap.com/#/notes/2934135",
"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675",
"https://www.onapsis.com/recon-sap-cyber-security-vulnerability",
"https://nvd.nist.gov/vuln/detail/CVE-2020-6287",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287",
"https://github.com/duc-nt/CVE-2020-6287-exploit",
"https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb"
],
"HasExp": false,
"ExpParams": null,
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"data": "",
"data_type": "text",
"follow_redirect": false,
"method": "GET",
"uri": "/CTCWebService/CTCWebServiceBean?wsdl"
},
"ResponseTest": {
"checks": [
{
"bz": "",
"operation": "==",
"type": "item",
"value": "200",
"variable": "$code"
},
{
"bz": "",
"operation": "contains",
"type": "item",
"value": "urn:CTCWebServiceSi",
"variable": "$body"
}
],
"operation": "AND",
"type": "group"
}
}
],
"ExploitSteps": null,
"Tags": null,
"CVEIDs": [
"CVE-2020-6287"
],
"CVSSScore": "10.0",
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": ["SAP-Web-Application-Server"],
"System": null,
"Hardware": null
},
"Disable": false
}