I'm exploring a way to trigger an RFC_PING request on an ABAP backend without authentication. Since the profile parameter "auth/rfc_authority_check" states that for certain values (for example 3 or 4) both logon and authorization checks are not performed for RFC_PING and RFC_SYSTEM_INFO.
I modified the value to satisfy this condition but still cannot find a way to construct a packet that would trigger an RFC_PING request on the ABAP backend.
For now I tried only with pyrfc using a Connection() object and empty credentials, which obviously does not work.
The second try was using pysap by creating a SAPNI socket and sending an RFC_PING request using the SAPRFCPING() class. However, I am not sure which arguments could be passed to the object, and the analyzed traffic shows two "GW_NORMAL_CLIENT" packets sent before the socket crashes.
What I am trying to achieve is:
- An unauthenticated RFC_PING request originating from the target ABAP backend (the idea is to mimic an authenticated user that would simply run the RFM RFC_PING)
- An unauthenticated RFC_PING request from the ABAP backend to a specific RFC destination predefined within the system.
The whole purpose is a "coercion" type of attack where I would trigger an RFC_PING request from a target ABAP server to a local server I control to send a modified ping response on RFC destination BACK to escalate my privileges (similar to a callback attack but this time unauthenticated and without compromising any other host for pivoting but simply using it for initial access).
You can find below the sample code that I tried. Do you have any input? Many thanks in advance!!
```python
from pysap.SAPRFC import *
from pysap.SAPNI import SAPNIStreamSocket
conn = SAPNIStreamSocket.get_nisocket("TARGET_ABAP_SYSTEM", "3300")
p = SAPRFCPING()
response = conn.sr(p)
response.show()
```