Penetration Testing mailing list archives

SAP post exploitation
From: Brian Milliron <Brian () ECRSecurity com>
Date: Thu, 13 Mar 2014 21:58:02 -0500

Recently I ran across some vulnerable AIX SAP servers on a test and
managed to get admin access on the Web GUI.  However, I know very little
about SAP and was unable to leverage SAP admin to get access to the
Oracle DB (it uses a separate credential store) or root on the OS.
Looking through all the available commands for both the web interface
and the SAP telnet interface I didn't see much that looked useful or
interesting.  If I find myself in a similar situation in the future it
would be nice to be able to go a little further.  Anyone care to share a
few post exploitation tips?

Brian Milliron
ECR Security
