search
View on GitHub
githubEdit

SAP Netweaver

hashtag
Introduction

SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management.

The product is marketed as a service-oriented architecture for enterprise application integration.

It can be used for custom development and integration with other applications and systems, and is built primarily using the ABAP programming language, but also uses C, C++, and Java.

It can also be extended with, and interoperate with, technologies such as Microsoft .NET, Java EE, and IBM WebSphere.

hashtag
Discovery

You can use Shodan and Google Dorks to check for files, subdomains, and juicy information if the application is Internet-facing or public:

inurl:50000/irj/portal
inurl:IciEventService/IciEventConf
inurl:/wsnavigator/jsps/test.jsp
inurl:/irj/go/km/docs/
https://www.shodan.io/search?query=sap+portal
https://www.shodan.io/search?query=SAP+Netweaver
https://www.shodan.io/search?query=SAP+J2EE+Engine

You can also use gobuster, ffuf and BurpSuiteIntuder to scan for files and directory using the following wordlists:

A typical SAP logon screen (http://SAP:50000/irj/portalarrow-up-right) looks like the following:

SAP Login Page

hashtag
Potential information goldmine paths

hashtag
Default Credentials

Each SAP instance is divided into clients. Each one has a user SAP*, the application’s equivalent of “root”. Upon initial creation, this user SAP* gets a default password: “060719992”

hashtag
Known RCE Exploit

Try to use some known exploits (check out Exploit-DB) or attacks like the SAP ConfigServlet Remote Code Executionarrow-up-right: