Skip to content

SAPs afraid of no Ghost! Or is it?

SAP Summary
While using Firefox in combination with the Add-on Ghostery on Windows10 & Server 2012, it's possible to flood a SAP-System with new sessions.

While opening a expense-report form, the page does not load the PDF, but reloads constantly and creates a new login with every reload.
Valid credentials and authorizations to display the forms are necessary.
There is no direct mitigation for this behavior.


Browser plugins can have some interesting or even unwanted effects on websites.
They can help to protect your privacy, leak your data, stop malware, and much more.
And they can, in the right combination of Browser and Plugin, DoS SAP-Systems!

While doing my expenses, I wanted to print the expense-form from the WEBGUI (using a Webdynpro).
After pressing the show/print button SAP creates a pop-up to load the form as a PDF.

This usually worked without a problem, but apparently I did something different today.
Pressing the button opens a pop-up in a new browser tab, but instead of displaying the PDF, the page stays blank and reloads constantly.

As this was clearly not working and I had to finish my expenses, I closed the blank page and switched grudgingly to IE.
While logging-in in with IE, the system informed me that I was already logged-in...70 times!

Now this was getting interesting - I finished my expenses with IE and did some snooping around!

I was able to replicate this behavior again and again with Firefox.
For every reload of the tab in Firefox, a new user-login was generated and displayed in the transaction AL08.

After a minute, my sessions outnumbered all other session put together!

To get to the bottom of this problem, I played around with a combination of browsers and my installed Add-ons while monitoring the sessions in AL08.
I was able to replicate the behavior reliably, but only with Firefox and Ghostery.
Chrome and Ghostery worked fine.

Tested Versions:
Firefox (49.x)
Ghostery (7.x)
Windows: 10 and Server 2012R2
SAP: ERP 6.0 EHP6, NW7.0 EHP3, Kernel 722_EXT, Basis Release 731 SP18

While browsing the Service Marketplace, the SAP Community Network and other trusted sources, I could not find any further information about this issue.
Either this is something not know to many people, or my google-fu was weak when I searched for a reason.

Looking around in the SAP Community Network and SAP Service Marketplace I found no easy solution for this problem.
I checked the parameter rdisp/max_alt_modes and it was set to "6" - so this parameter has no effect on http-logins.

There seems to be no parameter that can limit the logins via http for a single user, only the total number of http logins.

I have not tested other transactions that display Pop-ups, but I suspect that they are susceptible for this behavior as well.
Kategorien: SAP

Fun with Fiori

SAP Please remember, that this post is for educational purposes only. Only try this on systems that you own, or where you have permission by the owner.

Today I will show you how you can scan for SAP Fiori Launchpads and how we can try to access the systems.

Fiori is a new user experience technology from SAP. To keep it short and to avoid buzzword-bingo: It's used to replace the SAPGUI with a Webapp.
If you want to know more about Fiori, have a look at this website from SAP:

As these Fiori Apps (yes, they call them Apps now) are made for Browsers and have nice graphs, diagramms, lines etc.
many people will not only want to use them internally, but as well when they are on the go.

And as a lot of people who are in charge don't like VPNs, these systems will be exposed to the internet.
They should be behind a reverse proxy, like SAP strongly recommends it, but nonetheless reachable via the internet.

This should be of interest to security-teams and pen-testers as the bad guys will surely know about it.

Early on, many SAP-Partners will rely on SAP Best-Practice solutions, as they have many advantages (faster implementation etc.).
Like with all SAP-Systems, we can assume that instances running Fioris will be patched rather slowly,
so they will offer an attack-surface to the bad guys that they will surely check for default-credentials and vulnerabilities.

Now that the stage is set, let's have some fun:

Let's assume we are members of an internal security-team and have the task to test our shiny new S4-System over the internet.
As our DevOps guys are sneaky bastards (but only from time-to-time) we will want to check all of our public IPs for Fioris.

A simple way to check for Fioris is to manually check our public IPs for the right URLs.

Start your Browser, enter your public IPs and add the following strings:


At least one of them should, depending on the configuration, lead to the Fiori Launchpad.

Here is an example with the not-so-public-IP

By default the login-page should be looking something like this:

So now we have confirmation that a Fiori-site is available via the internet.

Besides Fiori that could be other stuff that is published from this system, i.e. a standard-Webgui.

With our example-IP it looks like this:

And Bingo!

Now that we can access the system, do the usual tests with default-credentials etc.

In case you can't find your default-credential cheat-sheet you can use this post as reference:

SAP* 06071992
DDIC 19920706
DDIC Welcome01
TMSADM $1Pawd2&
ADMIN welcome
ADSUSER ch4ngeme
ADS_AGENT ch4ngeme
DEVELOPER ch4ngeme
J2EE_ADMIN ch4ngeme
SAPJSF ch4ngeme
CTB_ADMIN sap123
XMI_DEMO sap123
IDEADM admin
SMD_ADMIN init1234
SMD_BI_RFC init1234
SMD_RFC init1234
SOLMAN_BTC init1234
SMD_AGT init1234
BPINST Welcome1

In case you wonder, this list is nearly identical with the wordlist from the metasploit-framework.
I added the users BPINST and IDESADMIN, as they were missing.

After all this manual labor, you might be wondering if there are no possibilities to automate some of these test.

The metasploit-framework has some modules, that can help us to be more efficient.

First we will add the Fiori-URLs to metasploit in a standalone wordlist.
Create a file in the wordlist-directory of your metasploit-installation.
vim /usr/share/metasploit-framework/data/wordlists/sap_ui5.txt

Add the following lines


We can use this list with the sap_icm_urlscan module of metasploit.

If you want to scan the usual URLs as well, simply add the lines to the file sap_icm_paths.txt

Start metasploit and open the module
use auxiliary/scanner/sap/sap_icm_urlscan

set the IP or Hostname, the Port and the path to the file we just created.
If the system is using SSL configure the setting accordingly.
If its not using SSL WTF is it doing on the interwebs???

set RRPOT 443
set SSL true
set URLFILE /usr/share/metasploit-framework/data/wordlists/sap_ui5.txt

that should be enough for a scan.

You should know how to carry on from here... :-)

Have Fun!
Kategorien: SAP

Finding exposed SAP-Webservices

SAP UPDATE: I found a much quicker way to take the screenshots:
Taking Screenshots from a list of URLs with EyeWitness

ATTENTION: Only scan systems, if you have a mandate to do so! If you don't have permission, it might be at best impolite, at worst illegal to scan any systems!

Now that we have the disclaimer out of the way, let's start...

If you want to find out what Webservices a SAP-System exposes either internally or over the internet, there are a couple of ways to find out. In this post, I will show you two of them.

The slow way is via the SAP transaction SICF:
Execute SIFC, in the selection screen press F8 andf then choose your system in the menu.
You can now click through all the different services.
If the name is greyed out, the service is inactive.
You can enter the path of the server in your browser to have a look at the service.
For example, if you take the path sap/public/icf_info, you can open it by adding the hostname or ip of the system http://mysapsystem.local/sap/publicf_info

If you want to look at all services this way, it would take a long time...

Now for a quicker solution - metasploit to the rescue!

What we need:
Metasploit - obviously
and the Firefox Add-On Grab-Them-All

Start metasploit as usual an open the module sap_icm_urlscan:

msf> use auxiliary/scanner/sap/sap_icm_urlscan
msf> set RHOSTS http://mysapsystem.local
(or whatever)
msf> run

Now you will get a long list with URLs that the module has tested.
At the end it will show you the path to a textfile containing the URLs.

There are many ways to generate Screenshots of the URLs we have found, but this is the one I prefer:
Open Firefox and install the Add-on Grab-Them-All

After a restart of Firefox, press ALT to open the menu and go to Extras -> Grab-Them-All
Press the Button "File with URLs to grab" and select the file that metasploit dumped in the filesystem.
Select as destination-folder for your screenshots and press Lets go!

A preview-window will open and show you the progress.

If a page requires credentials, you will get be prompted for it.

After the tool is finished, you will have some nice screenshots of all pages that were found.

There are other plugins, better ways and so on, but this is the way I used and it worked for me :-)
Kategorien: SAP