Script http-sap-netweaver-leak
Script types:
portrule
Categories:
safe, discovery
Download: https://svn.nmap.org/nmap/scripts/http-sap-netweaver-leak.nse
Script Summary
Detects SAP Netweaver Portal instances that allow anonymous access to the KM unit navigation page. This page leaks file names, LDAP users, etc.
SAP Netweaver Portal with the Knowledge Management Unit enabled allows unauthenticated users to list file system directories through the URL '/irj/go/km/navigation?Uri=/'.
This issue has been reported and won't be fixed.
References:
Script Arguments
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap -p 80 --script http-sap-netweaver-leak <target>
nmap -sV --script http-sap-netweaver-leak <target>
Script Output
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
| http-sap-netweaver-leak:
|   VULNERABLE:
|   Anonymous access to SAP Netweaver Portal
|     State: VULNERABLE (Exploitable)
|       SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information
|       including file system structure, LDAP users, emails and other information.
|
|     Disclosure date: 2018-02-1
|     Check results:
|       Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.
|     Extra information:
|       ~system
|       discussiongroups
|       documents
|       Entry Points
|       etc
|       Reporting
|     References:
|_      https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm
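For triage across many portals, the following added example (not part of the Nmap distribution or the script itself) parses saved normal output (-oN) and pulls out, per host and port, the reported state and the names listed under "Extra information". The function name parse_findings, the sample hosts and the addresses are assumptions made for illustration.

```python
import re

# Constructed sample in Nmap normal-output (-oN) form, modelled on the
# Script Output section above; hosts and addresses are placeholders.
SAMPLE = """\
Nmap scan report for portal-a.example (192.0.2.10)
PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack
| http-sap-netweaver-leak:
|   VULNERABLE:
|   Anonymous access to SAP Netweaver Portal
|     State: VULNERABLE (Exploitable)
|     Check results:
|       Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.
|     Extra information:
|       ~system
|       Entry Points
|     References:
|_      https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm
Nmap scan report for portal-b.example (192.0.2.11)
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
"""

def parse_findings(text, script="http-sap-netweaver-leak"):
    """Return one dict per host/port where the script reported a result."""
    findings, host, port, cur, section = [], None, None, None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (.+)", line):
            host, cur = m.group(1), None
        elif m := re.match(r"(\d+/(?:tcp|udp))\s+\S+", line):
            port, cur = m.group(1), None
        elif m := re.match(r"\|[ _]([a-z0-9-]+):", line):
            cur, section = None, None   # header line of some script's output
            if m.group(1) == script:
                cur = {"host": host, "port": port, "state": None, "entries": []}
                findings.append(cur)
        elif cur is not None and line.startswith("|"):
            body = line[2:].strip()   # drop the "| " / "|_" prefix
            if body.startswith("State:"):
                cur["state"] = body.split(":", 1)[1].strip()
            elif body.endswith(":"):
                section = body[:-1]   # e.g. "Extra information"
            elif body and section == "Extra information":
                cur["entries"].append(body)   # name leaked by the listing
    return findings

if __name__ == "__main__":
    print(parse_findings(SAMPLE))
```

Hosts that were scanned but produced no script output, such as the second host in the sample, do not appear in the result.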
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html