What is Invoker Servlet…?
- The invoker servlet is implemented in the InvokerServlet class that is part of the J2EE Engine’s Web Container.
- It is declared in the global-web.xml descriptor file and is mapped to the /servlet/* URL pattern.
- It can invoke servlets either by servlet name or by fully-qualified class name. This behavior can be controlled by the initialization parameter “InvokeByClassName” defined for the invoker servlet.
- Invoker Servlet feature enables HTTP clients to invoke arbitrary servlets even if not defined in the web.xml file of the application. For security reasons, the Invoker Servlet has to be disabled by default to avoid malicious invocation of application servlets.
About SAPService<SAPSID>:
- Since the SAP system runs as a Windows service, SAP has a special user account in windows environment “SAPService<SAPSID>” and this account helps in running all the Windows services related to SAP systems.
- The account “SAPService<SAPSID>” also administers the SAP system and database resources.
- As said above activities performed via Invoker Servlet will be executed with “SAPService<SAPSID>” rights.
By taking advantage of Invoker Servlet, we demonstrate performing
malicious activities like RCE (Remote Command Execution), create, copy, move,
delete files on the SAP server and even altering SAP System profile parameters
etc.
Creating required
folders within the Server.
Copying files within the server
Renaming the file on server
Deleting any file on the server
Updating SAP System Profile Parameters:
No comments:
Post a Comment