Penetration Testing
SAP post exploitation Mar 14 2014 02:58AM
Brian Milliron (Brian ECRSecurity com)
Recently I ran across some vulnerable AIX SAP servers on a test and
managed to get admin access on the Web GUI. However, I know very little
about SAP and was unable to leverage SAP admin to get access to the
Oracle DB (it uses a separate credential store) or root on the OS.
Looking through all the available commands for both the web interface
and the SAP telnet interface I didn't see much that looked useful or
interesting. If I find myself in a similar situation in the future it
would be nice to be able to go a little further. Anyone care to share a
few post exploitation tips?

--
Brian Milliron
ECR Security
http://www.ECRSecurity.com

Copyright 2010, SecurityFocus