Today I was browsing and saw that, by a twist of fate, a brother who presented alongside me at OWASP 2010, AdityaKSood, posted an article on his blog covering 30% of a pentest I was doing for a client three weeks ago, but I cannot reveal the source because of an NDA.
What I mean is that both he and I partly reached the same conclusion, but, as I explain further along in the post, it takes different paths.
I also went to BSides/H2HC 2012 and thought: why not write a paper on “Pentesting SAP with scripts and by hand” and submit it to a CFP in 2013, but without SAP tools or scanners, really “by hand”…
In my case, the scenario involved SAP Business Objects XI 3.1 for Linux, and after many manual attempts on my own, I ended up posting on LinkedIn:
Here is the text:
Has anyone managed to successfully make Pentest manually in an SAP Business Object XI 3.1 for linux?
I ended up doing some Google hacking:
http://www.google.com.br
inurl:“InfoViewApp/logon.jsp”
I have sent it to the GHDB at http://www.exploit-db.com
I’m trying SOAP or XML injection because I think the following WSDL URLs are a PoC (proof of concept):
Web Services List
==============
http://localhost:9080/dswsbobje/services/listServices
Web Services
===========
http://localhost:9080/dswsbobje/services/BICatalog?wsdl
http://localhost:9080/dswsbobje/services/Session?wsdl
http://localhost:9080/dswsbobje/services/ReportEngine?wsdl
http://localhost:9080/dswsbobje/services/SaveService?wsdl
http://localhost:9080/dswsbobje/services/Federator?wsdl
http://localhost:9080/dswsbobje/services/LiveOffice?wsdl
http://localhost:9080/dswsbobje/services/managequeryasaservice?wsdl
http://localhost:9080/dswsbobje/services/BIPlatform?wsdl
http://localhost:9080/dswsbobje/services/QueryService?wsdl
http://localhost:9080/dswsbobje/services/Publish?wsdl
I’ve looked at http://www.exploit-db.com and have already tested with soapUI, sapyto, erpscan, w3af and other tools.
I have also created an environment to simulate receiving information from the web services, without success.
Has anyone experienced this or has any idea?
I can also do brute-force or DDoS.
I’ve read this paper, very well done:
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
but I dug even deeper into things they did not see and I ended up finding.