Penetration Testing mailing list archives
SAP post exploitation
From: Brian Milliron <Brian () ECRSecurity com>
Date: Thu, 13 Mar 2014 21:58:02 -0500

Recently I ran across some vulnerable AIX SAP servers on a test and managed to get admin access on the Web GUI. However, I know very little about SAP and was unable to leverage SAP admin to get access to the Oracle DB (it uses a separate credential store) or root on the OS. Looking through all the available commands for both the web interface and the SAP telnet interface, I didn't see much that looked useful or interesting. If I find myself in a similar situation in the future, it would be nice to be able to go a little further. Anyone care to share a few post exploitation tips?

--
Brian Milliron
ECR Security
http://www.ECRSecurity.com