- Use nmap to check for open ports and known services \(sap routers, webdnypro, web services, web servers, etc.\)
43
+
- Map instance numbers from open ports before logging in. Useful patterns during enumeration: `32<NR>`\(dispatcher\), `33<NR>`\(gateway\), `5<NR>13` / `5<NR>14`\(sapstartsrv / sapcontrol\), and SAP Host Agent on `1128`/`1129`\(HTTP/HTTPS SOAP\). This quickly tells you which instance number \(`NR`\) to reuse in SAP GUI, RFC, or Metasploit modules.
44
+
- If you find a reachable SAProuter, keep the deep-dive in the dedicated page and use it for pivoting instead of duplicating tests here:
45
+
46
+
{{#ref}}
47
+
3299-pentesting-saprouter.md
48
+
{{#endref}}
43
49
- Crawl the URLs if there is a web server running.
44
50
- Fuzz the directories \(you can use Burp Intruder\) if it has web servers on certain ports. Here are some good wordlists provided by the SecLists Project for finding default SAP ICM Paths and other interesting directories or files:
45
51
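Review bot: the instance-number bullet is missing the space between each backticked port and its escaped parenthesis, so `32<NR>`\(dispatcher\) renders as "32<NR>(dispatcher)" while the rest of the file writes "services \(sap routers". Add the space before every \( in that line. Also worth stating in the same bullet that the Host Agent ports `1128`/`1129` are host-wide and carry no `<NR>`, so they cannot be used to derive an instance number; only the `32<NR>`/`33<NR>`/`5<NR>13` family does that.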
@@ -143,6 +149,9 @@ BWDEVELOPER:Down1oad:001
143
149

144
150
145
151
- Look for common web vulnerabilities \(Refer to OWASP Top 10\) because there are XSS, RCE, XXE, etc. vulnerabilities in some places.
152
+
- Enumerate SAP Host Agent / `sapstartsrv` endpoints if `1128`, `1129`, or `5<NR>13`/`5<NR>14` are reachable. Useful unauthenticated checks are `GET /SAPHostControl/?wsdl`, `GET /SAPControl/?wsdl`, and `GetComputerSystem`, because exposed SOAP methods often reveal hostname, OS, database, installed instances, and network interfaces.
153
+
- If `/sap/public/info` is reachable, compare the disclosed `RFCSYSID`, `RFCSAPRL`, `RFCDBSYS`, kernel release, and IP data with Host Agent / `sapcontrol` output to build a more complete attack graph before attempting login or RFC abuse.
154
+
- Treat SAP Web Dispatcher / ICM like any other reverse proxy and test parsing edge cases \(verb tampering, path normalization, front-end/back-end desync behaviour, request smuggling on legacy stacks\) in addition to classic web bugs.
146
155
- Check out Jason Haddix’s [“The Bug Hunters Methodology”](https://github.com/jhaddix/tbhm) for testing web vulnerabilities.
147
156
- Auth Bypass via verb Tampering? Maybe :\)
148
157
- Open `http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#` then hit the “Choose” Button and then in the opened window press “Search”. You should be able to see a list of SAP users \(Vulnerability Reference: [ERPSCAN-16-010](https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/)\)
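Review bot: the Host Agent / `sapstartsrv` bullet calls `GET /SAPHostControl/?wsdl`, `GET /SAPControl/?wsdl` and `GetComputerSystem` "unauthenticated checks", but which SOAP methods answer without credentials depends on the `service/protectedwebmethods` profile parameter of the target; phrase it as "check whether these are reachable without authentication" and mention that parameter as the control that decides it. Same for the `/sap/public/info` bullet: note that it is an ICF service that should normally be deactivated in SICF, so its presence is itself a finding to report, not only a data source for the attack graph.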
@@ -333,6 +342,13 @@ Matching Modules
333
342
exploit/windows/misc/sap_netweaver_dispatcher 2012-05-08 normal SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
334
343
```
335
344
345
+
### RFC Abuse & Lateral Movement
346
+
347
+
- Check transaction `SM59` for stored credentials, trusted RFC destinations, and destinations with overly broad technical users. A compromise in a lower-tier SAP system is often enough to pivot to a better-trusted one if operators kept RFC trust relationships for transport, monitoring, or integrations.
348
+
- Review whether remote-enabled function modules can be abused from the connector you reached. Historically interesting examples for post-auth testing are `RFC_READ_TABLE`\(data extraction\), `RFC_PING`\(service discovery / callback testing\), and command-execution primitives such as `SXPG_CALL_SYSTEM` or `SXPG_COMMAND_EXECUTE` when the target user is over-privileged.
349
+
- Test RFC callback behaviour when you control one side of a trust relationship. Callback abuse matters because a destination can allow a benign function call but still execute attacker-controlled callback functions on the caller side if callback restrictions are weak or disabled. In practice, validate whether the destination has an active allowlist and whether `rfc/callback_security_method` is enforcing it.
350
+
- If you gain access to one SAP system, try a trusted RFC jump from `SM59`: using the same admin identifier in the already-compromised source system can let you open the trusting target directly with the remote user's privileges. This is especially relevant in landscapes where SolMan, BW, PI/PO, or transport systems maintain long-lived trusted links.
351
+
336
352
- Try to use some known exploits \(check out Exploit-DB\) or attacks like the old but goodie “SAP ConfigServlet Remote Code Execution” in the SAP Portal:
337
353
338
354
```text
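Review bot: the trusted-RFC bullet says using "the same admin identifier" in the compromised source system opens the trusting target, but omits the condition that makes that work: the user on the trusting side must hold the `S_RFCACL` authorization for the calling system and user. State that explicitly, because it is both the precondition of the test and the control a reviewer checks. In the callback bullet, note the meaning of the `rfc/callback_security_method` values being tested for (logging only versus active blocking of non-allowlisted callbacks) so the reader can tell a monitored configuration from an enforced one.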
@@ -369,8 +385,9 @@ bizploit> start
369
385
370
386
-[PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell tool to assess sap security
371
387
-[Burp Suite](https://portswigger.net/burp) - a must have for directory fuzzing and web security assessments
372
-
-[pysap](https://github.com/SecureAuthCorp/pysap) - Python library to craft SAP network protocol packets
373
-
-[https://github.com/gelim/nmap-erpscan](https://github.com/gelim/nmap-erpscan) - Help nmap to detect SAP/ERP
388
+
-[pysap](https://github.com/OWASP/pysap) - actively maintained Python library to craft SAP NI, Router, Diag, RFC, SNC, HDB and related packets; useful for custom protocol work and SAProuter pivoting
389
+
-[SAPPV](https://github.com/damianStrojek/SAPPV) - lightweight validator for exported `RSPFPAR` XML parameter dumps
390
+
-[ERPScan / gelim nmap-erpscan scripts](https://github.com/gelim/nmap-erpscan) - extra Nmap probes and NSE scripts for SAP / ERP discovery
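Review bot: the added `SAPPV` entry describes it only as a "validator for exported `RSPFPAR` XML parameter dumps"; say what it validates against (which parameter baseline or hardening guide) so readers know it is a configuration-review aid rather than a scanner, and verify the repository link before merging since it points at a personal account. The `pysap` move from `SecureAuthCorp` to `OWASP` is correct, but the relabelled `nmap-erpscan` entry is the same `gelim` repository as the removed line, so the "ERPScan /" prefix is misleading about ownership; keep the author's name as the label.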