Another fun attack that willis and I found during our SAP BusinessObjects research is that we could do internal port scanning by using Crystal Reports.
The way this works is that when you browse to a Crystal Reports web application (http://hostname/CrystalReports/viewrpt.cwr) there are a few parameters which are used to communicate with the SAP services on the backend. The problem here is that these parameters are controlled by the user. Now a better way to do this is to provide a drop-down list or make all the configurations done by the server.
Now the user can modify the IP and port which the web application is trying to communicate with on the backend. By default the port is 6400. Now the ability to modify the IP and port is good. The next step is to map the responses to open and closed so that we could programmatically map out the internal network.
Here are a few nice Google Dorks:
inurl:viewrpt.cwr
filetype:cwr inurl:apstoken
Here is the resulting mapping :
http://hostname/CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=internal_ip_address:445@$TOKEN
Port Open Response:
# Unable to open a socket to talk to CMS $HOSTNAME:445 (FWM 01005)
http://hostname/CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=internal_ip_address:80@$TOKEN
Port Closed Response :
# Server $HOSTNAME:80 not found or server may be down (FWM 01003)
Lastly the only thing we need to do is to modify the IP and port to whatever we are trying to scan. This is faster than using BeEF’s JavaScript internal portscanning functionality and it doesn’t require client interaction. Pwn dem v0hns!
Enjoy!
Regards,
Jabra
