Re: SAP Pen Testing

From: Mailinglisten (mozilla_at_ids-guide.de)
Date: 02/26/05

    Date: Sat, 26 Feb 2005 15:48:22 +0100
    To: "Yvan Boily" <yboily@seccuris.com>
    
    

    Hi,

    looks like SAP requires the HTTP PUT method on its J2EE app server. I
    just stumbled upon it in a pen-test. So maybe you can upload scripts,
    if you find a directory with write permissions and run commands using
    the uploaded scripts.

    Hope that helps ;-)

    YB> I know there was a previous thread on this topic, however some of the
    YB> information provided was not relevant.

    YB> In this case I am pentesting the Enterprise Portal; the actual R/3 database
    YB> is out of scope for this engagement. The portal is a J2EE application
    YB> server. We will also be testing a TREX system that is part of the
    YB> environment.

    YB> I am going to be running through the typical stuff for most web
    YB> applications, as well as some platform-specific issues. Anyone know of any
    YB> issues or gotchas with SAP?

    YB> Regards,
    YB> Yvan Boily

    -- 
    Kind regards
    Mailinglisten
    mailto:mozilla@ids-guide.de
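
On the defensive side of the PUT observation above, the following is an added example, not part of the original message: it scans web access logs for a successful PUT of a server-side script that is later requested. The Common Log Format layout, the `.jsp`/`.jspx` extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Assumption: the server writes Apache/NCSA Common Log Format access logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: these are the server-side script types on a J2EE server.
SCRIPT_EXT = (".jsp", ".jspx")

Finding = namedtuple("Finding", "path uploader requested_by")

def find_put_then_request(lines):
    """Return paths that were created by an accepted PUT and requested afterwards."""
    uploaded = {}   # script path -> client IP that uploaded it
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip lines in another format
        path = m["path"].split("?", 1)[0]  # compare without query string
        status = int(m["status"])
        if m["method"] == "PUT":
            # 200/201/204 mean the server accepted the write.
            if status in (200, 201, 204) and path.lower().endswith(SCRIPT_EXT):
                uploaded[path] = m["ip"]
        elif m["method"] in ("GET", "POST") and path in uploaded and status < 400:
            findings.append(Finding(path, uploaded[path], m["ip"]))
    return findings

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Feb/2005:15:39:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [26/Feb/2005:15:40:01 +0100] "PUT /docs/upload/t.jsp HTTP/1.1" 201 0',
    '198.51.100.7 - - [26/Feb/2005:15:40:05 +0100] "PUT /docs/readme.txt HTTP/1.1" 201 0',
    '198.51.100.7 - - [26/Feb/2005:15:40:07 +0100] "PUT /app/admin.jsp HTTP/1.1" 403 0',
    '198.51.100.7 - - [26/Feb/2005:15:40:08 +0100] "GET /app/admin.jsp HTTP/1.1" 200 811',
    '192.0.2.10 - - [26/Feb/2005:15:40:09 +0100] "GET /docs/upload/t.jsp?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in find_put_then_request(SAMPLE_LOG):
        print(f"ALERT {f.path}: PUT by {f.uploader}, then requested by {f.requested_by}")
```

The rejected PUT (403) and the non-script upload are deliberately not reported, so only writes the server accepted for executable content raise an alert.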
    
