Pentest SAP via webservices parte II

Aqui está um trecho do bate-papo que tivemos (Aditya K Sood e Eu) sobre o post que ele escreveu no site dele e eu estava para escrever (me inglês não está legal, mas tanto ele e eu entendemos…rss)

(03:46:03 PM) firebits: Good afternoon form Brasil brother!
(03:46:07 PM) firebits: How are you?
(03:46:42 PM) firebits: Can you talk fast?
(11:20:38 PM) firebits: Hello brother. How are you?
(11:25:24 PM) firebits: i see your post http://zeroknock.blogspot.com.br/2012/10/exposed-apache-axis-soap-objects.html
(11:25:32 PM) Aditya K Sood: hey
(11:25:38 PM) Aditya K Sood: all good, how about you
(11:26:12 PM) firebits: alright
(11:26:48 PM) firebits: I saw your post http://zeroknock.blogspot.com.br/2012/10/exposed-apache-axis-soap-objects.html
(11:27:54 PM) firebits: and oddly enough, I was doing a Pentest at and also uses Apache AXIS to be a SAP BO XI 3.1
(11:29:19 PM) firebits: Pentest was doing since 10/22/2012 and I was going to write a post about it and just days Pentest 10/29/2012
(11:29:22 PM) Aditya K Sood: yeah so you should look for that thing
(11:29:30 PM) Aditya K Sood: it is an interesting information
(11:30:32 PM) firebits: then would write something and then you wrote my friend! 🙂 I do not want to copy anything from you, you are a friend and I think it was a coincidence
(11:31:20 PM) firebits: what you wrote was 30% of what I was going to write 🙂
(11:33:20 PM) firebits: I’ll write the post, but some researchers will think I copied you, which actually was not that. I even wrote something on linkedin, really was a coincidence my brother 🙂
(11:35:54 PM) firebits: I wrote a post telling everyone here in Brazil, this coincidence and that I would speak with you, my brother, so I do not have problems in the future. Here in Brazil the researchers fight among themselves too. I find that very sad.
https://firebitsbr.wordpress.com/2012/10/31/pentest-sap-via-webservices/
(11:40:30 PM) firebits: your post very good, brother!
(11:41:51 PM) Aditya K Sood: no worries man
(11:42:25 PM) Aditya K Sood: its all fine, if you refer someone’s work just give him a credit in acknowledgement section or refer his work
(11:42:27 PM) Aditya K Sood: that;s it
(11:43:17 PM) firebits: ok
(11:45:00 PM) firebits: I did not warm up the head with it, but unfortunately here in Brazil are having fights entres researchers because some copy posts of researchers from other countries, so I’m warning you not to get boring between agent brother. After all we are friends!
(11:45:17 PM) Aditya K Sood: ok
(11:46:01 PM) firebits: Sorry to be boring, brother 🙂
(11:46:15 PM) Aditya K Sood: its fine man
(11:46:21 PM) firebits: As has been his lectures lately?

@firebitsbr

 

Pentest SAP via webservices

Hoje estive vendo e vi que por acaso do destino, um brother que palestrou comigo na OWASP 2010, o AdityaKSood, postou um artigo no blog dele, 30% de um pentest que eu estava fazendo em um cliente há 3 semanas, mas não posso revelar a fonte por NDA.

O que quero dizer que tanto eu e tanto ele, chegamos em parte na mesma conclusão, mas ao longo post, explico que toma caminhos diferentes.

Inclusive, fui na BSides/H2HC 2012 e pensei porque não fazer um paper sobre “Pentest em SAP por scripts e na mão” e tentar um CFP em 2013, mas sem tools ou scanners de SAP, seria na “unha mesmo”…

No meu caso a parte do cenário  era em SAP Business Object XI 3.1 for linux e cheguei depois de muito tentar manualmente e sozinho, a postar no linkedin:

http://www.linkedin.com/groups/Pentest-SAP-Business-Object-XI-3177624.S.178039431?view=&gid=3177624&type=member&item=178039431&trk=hb_ntf_LIKED_GROUP_DISCUSSION_YOU_CREATED

Vai o texto:

Has anyone managed to successfully make Pentest manually in an SAP Business Object XI 3.1 for linux?

I end up getting a Google Hacking:

http://www.google.com.br
inurl: “InfoViewApp / logon.jsp”

I have sent to the GHB http://www.exploit-db.com

I’m trying for SOAP or XML Injection Injection because I think the following WSDL URLs PoC (Proof of Concept):

Web Services List
==============
http://localhost:9080/dswsbobje/services/listServices

Web Services
===========
http://localhost:9080/dswsbobje/services/BICatalog?wsdl
http://localhost:9080/dswsbobje/services/Session?wsdl
http://localhost:9080/dswsbobje/services/ReportEngine?wsdl
http://localhost:9080/dswsbobje/services/SaveService?wsdl
http://localhost:9080/dswsbobje/services/Federator?wsdl
http://localhost:9080/dswsbobje/services/LiveOffice?wsdl
http://localhost:9080/dswsbobje/services/managequeryasaservice?wsdl
http://localhost:9080/dswsbobje/services/BIPlatform?wsdl
http://localhost:9080/dswsbobje/services/QueryService?wsdl
http://localhost:9080/dswsbobje/services/Publish?wsdl

I’ve looked at http://www.exploit-db.com and already tested with soapUI, sapyto, erpscan, w3af and other tools.

I have also created an environment for simulating receive information from webservices without success.

Has anyone experienced this or have any idea.

I can also make or brute-force DDoS.

I’ve read this paper, very well done:

http://spl0it.org/files/talks/source_barcelona10/Hacking%% 20SAP 20BusinessObjects.pdf

8 dias atrás (24-10-2012)
eu usei o conhecimento e citei a fonte que foi a Equipe do Rapid7 que palestrou na spl0it.org http://spl0it.org/files/talks/source_barcelona10/Hacking%% 20SAP 20BusinessObjects.pdf
mas aprofundei mais ainda em coisas que eles não viram  e eu acabei vendo.
Por se tratar de NDA e já entrei o pentest na segunda-feira 29/10/2012 (por sinal meu aniversário) e não produzi o artigo.
Ainda não falei com , temos um contato bom e comunicação legal e é lógico ele manja mais do que eu, mas já tive poucas oportunidades, devido o meu conhecimento perto do conhecimento dele, de falar algumas idéias e ele achar legal. Nada mais natural.
O que acho legal é que o cara manja muito e PhD e tal e é extremamente humilde.
Mas o que o artigo http://zeroknock.blogspot.in/2012/10/exposed-apache-axis-soap-objects.html tem haver com o pentest em SAP que terminei dia 29/10/2012? Simples, o SAP BO 3.1 XI for Linux (legado por sinal 2003/2004) usa o Apache com AXIS SOAP Objects para o consumo dos webservices.
Eu estava só esperando ter um tempo para criar um post e ele postou uma parte apenas do Apache, mas tem um post meu lá no linkedin e vou fazer novamente o ambiente e detalhar mais isso.
Vou avisá-lo logo que puder pois creio que nem ele e nem queríamos criar posts iguais ou parcialmente iguais um do outros, foi apenas uma coincidência de verdade.
Mas como pode-se ver, num dos foruns do linkedin postei perguntas de coisas que levam a isso, inclusive no proximo post nos proximos dias, vão ver que algumas coisas são iguais por usar o mesmo Apache AXIS, mas que tomam caminhos diferentes e como comecei a pesquisar a 3 semanas atrás, inclusive comentei superficialmente com c00ler o Maycon o que eu estava fazendo.
É uma pena não poder revelar o contéudo de um pentest coberto por NDA, mas consigo criar um ambiente similar e compartilhar as ideias aqui de como fiz.
@firebitsbr