SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日2年前

# Application: SAP NetWeaver Web Dynpro 6.4 to 7.5 - Information disclosure
# Versions Affected: SAP NetWeaver 6.4 - 7.5
# Vendor URL: http://SAP.com
# Bugs:  Information disclosure (Enumerate users)
# Sent:  2016-12-15
# Reported:  2016-12-15
# Date of Public Advisory: 09.02.2016
# Reference: SAP Security Note 2344524
# Author: Richard Alviarez (SIA Group)
# CVE: N/A

# 1. ADVISORY INFORMATION
# Title: SAP NetWeaver Web Dynpro – information disclosure (Enumerate users)
# Advisory ID: 2344524
# Risk: Medium
# Date published: 20.12.2016

# 2. VULNERABILITY DESCRIPTION
# Anonymous attacker can use a special HTTP request to get information
# about SAP NetWeaver users.

# 3. VULNERABLE PACKAGES
# SAP NetWeaver Web Dynpro 6.4 - 7.5
# Other versions are probably affected too, but they were not checked.

# 4. TECHNICAL DESCRIPTION
# A potential attacker can use the vulnerability in order to reveal
# information about user names,
# first and last names, and associated emails, this can provide an attacker
# with enough information
# to make a more accurate and effective attack

# Steps to exploit this vulnerability

1. Open
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate
or
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate

page on SAP server

2. Press "Change processor" button

3. and in the "find" section, put the initial or name to be searched,
followed by a *

You will get a list of SAP users and information.

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索