Penetration Testing mailing list archives

SAP post exploitation


From: Brian Milliron <Brian () ECRSecurity com>
Date: Thu, 13 Mar 2014 21:58:02 -0500

Recently I ran across some vulnerable AIX SAP servers on a test and
managed to get admin access on the Web GUI.  However, I know very little
about SAP and was unable to leverage SAP admin to get access to the
Oracle DB (it uses a separate credential store) or root on the OS.
Looking through all the available commands for both the web interface
and the SAP telnet interface I didn't see much that looked useful or
interesting.  If I find myself in a similar situation in the future it
would be nice to be able to go a little further.  Anyone care to share a
few post exploitation tips?


-- 
Brian Milliron
ECR Security
http://www.ECRSecurity.com
