CVE-2025-31324｜SAP Netweaver代码执行漏洞（POC）

信安百科

发布于 2025-07-30 15:02:27

8490

文章被收录于专栏：信安百科信安百科

0x00 前言

SAP NetWeaver是基于专业标准的集成化应用平台，能够大幅度降低系统整合的复杂性。其组件包括门户、应用服务器、商务智能解决方案以及系统整合和数据整合技术。

0x01 漏洞描述

SAP NetWeaver Visual Composer Metadata Uploader 存在未授权漏洞，攻击者可构造恶意请求触发反序列化写入恶意文件，执行任意代码，控制服务器。

0x02 CVE编号

CVE-2025-31324

0x03 影响版本

SAP NetWeaver 及其 Visual Composer 组件

0x04 漏洞详情

POC：

https://github.com/redrays-io/CVE-2025-31324

#!/usr/bin/env python3
"""
RedRays Scanner for Vulnerability CVE-2025-31324
-----------------------------------------------
A professional security tool to detect and mitigate critical SAP CVE-2025-31324 vulnerability.

Features:
- Detects vulnerability in Visual Composer component (SAP Security Note 3594142)
- Scans for known malicious webshells
- Follows security best practices

CVSS Score: 10.0 (Critical)
"""

import argparse
import logging
import sys
from typing import List, Tuple
from dataclasses import dataclass

import requests
from urllib3.exceptions import InsecureRequestWarning

# Configure logging
logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s [%(levelname)s] %(message)s",
    datefmt="%Y-%m-%d %H:%M:%S"
)
logger = logging.getLogger("redray-scanner")

# Suppress only the specific InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Constants
KNOWN_WEBSHELLS = ["cache.jsp", "helper.jsp", "nzwcnktc.jsp"]
BANNER = r"""
 ____           _ ____                   
|  _ \ ___  __| |  _ \ __ _ _   _ ___   
| |_) / _ \/ _` | |_) / _` | | | / __|  
|  _ <  __/ (_| |  _ < (_| | |_| \__ \  
|_| \_\___|\__,_|_| \_\__,_|\__, |___/  
                           |___/        
CVE-2025-31324 Scanner v1.1.0
"""


@dataclass
class ScanTarget:
    """Data class representing a scan target."""
    hostname: str
    port: int
    use_ssl: bool

    @property
    def base_url(self) -> str:
        """Get the base URL for the target."""
        protocol = "https" if self.use_ssl else "http"
        return f"{protocol}://{self.hostname}:{self.port}"


def check_vulnerability(target: ScanTarget) -> bool:
    """
    Check if the SAP system is vulnerable to CVE-2025-31324.

    Args:
        target: ScanTarget object with connection details

    Returns:
        bool: True if vulnerable, False otherwise
    """
    url = f"{target.base_url}/developmentserver/metadatauploader"
    vulnerable = False

    try:
        response = requests.head(url, timeout=10, verify=False)

        if response.status_code == 200 and 'Set-Cookie' not in response.headers:
            logger.critical(f"SAP System at {url} appears to be vulnerable to CVE-2025-31324")
            vulnerable = True
        elif response.status_code == 404:
            logger.info(f"Visual Composer at {url} appears to not be installed or unavailable")
        else:
            logger.info(f"SAP system at {url} does not appear to be vulnerable to CVE-2025-31324")
    except requests.exceptions.RequestException as e:
        logger.error(f"Connection error at {url}: {e}")

    return vulnerable


def detect_webshells(target: ScanTarget) -> List[str]:
    """
    Test for known webshells in the SAP system.

    Args:
        target: ScanTarget object with connection details

    Returns:
        List[str]: List of detected webshell URLs
    """
    detected_webshells = []

    for webshell_filename in KNOWN_WEBSHELLS:
        url = f"{target.base_url}/irj/{webshell_filename}"

        try:
            response = requests.get(url, timeout=10, verify=False)
            if response.status_code == 200:
                logger.critical(f"Known webshell found at: {url}")
                detected_webshells.append(url)
        except requests.exceptions.RequestException as e:
            logger.error(f"Error connecting to {url} for webshell testing: {e}")

    if not detected_webshells:
        logger.info("No known webshells found")

    return detected_webshells


def scan_system(target: ScanTarget) -> Tuple[bool, List[str]]:
    """
    Complete scan of the specified SAP system.

    Args:
        target: ScanTarget object with connection details

    Returns:
        Tuple[bool, List[str]]: (is_vulnerable, detected_webshells)
    """
    logger.info(f"Scanning SAP system at {target.base_url}")

    is_vulnerable = check_vulnerability(target)
    detected_webshells = detect_webshells(target)

    return is_vulnerable, detected_webshells


def generate_report(target: ScanTarget, is_vulnerable: bool, detected_webshells: List[str]) -> str:
    """
    Generate a text report of scan findings.

    Args:
        target: ScanTarget object with connection details
        is_vulnerable: Whether the system is vulnerable
        detected_webshells: List of detected webshell URLs

    Returns:
        str: Formatted report
    """
    report = [
        "=" * 60,
        f"SECURITY SCAN REPORT: {target.hostname}:{target.port}",
        "=" * 60,
        "",
        "VULNERABILITY ASSESSMENT:",
        f"  CVE-2025-31324: {'VULNERABLE' if is_vulnerable else 'NOT VULNERABLE'}",
        "",
        "WEBSHELL DETECTION:",
    ]

    if detected_webshells:
        for webshell in detected_webshells:
            report.append(f"  - {webshell}")
    else:
        report.append("  No known webshells detected")

    report.extend([
        "",
        "RECOMMENDATIONS:",
        "  1. Apply SAP Security Note 3594142 immediately if vulnerable",
        "  2. Investigate any detected webshells",
        "  3. Consider a full system integrity check",
        "",
        "=" * 60
    ])

    return "\n".join(report)


def main():
    """Main function to parse arguments and run vulnerability checks."""
    print(BANNER)

    parser = argparse.ArgumentParser(
        description=(
            "RedRays Scanner for Vulnerability CVE-2025-31324 (SAP Security "
            "Note 3594142) - CVSS 10 (Critical)\n\n"
            "This tool checks for the presence of the vulnerability and known "
            "webshells in the SAP system."
        ),
        epilog=(
            "DISCLAIMER: This tool is provided by RedRays as a contribution to "
            "the security and incident response community to aid in response to "
            "active exploitation of CVE-2025-31324. This tool is offered as-is "
            "with no warranty or liability."
        ),
        formatter_class=argparse.RawDescriptionHelpFormatter
    )

    parser.add_argument(
        "hostname",
        help="Hostname or IP address of the SAP system"
    )
    parser.add_argument(
        "port",
        type=int,
        help="Port number of the SAP system (e.g., 50000)"
    )
    parser.add_argument(
        "--ssl",
        action="store_true",
        help="Use SSL/TLS for the connection"
    )
    parser.add_argument(
        "--verbose", "-v",
        action="store_true",
        help="Enable verbose output"
    )
    parser.add_argument(
        "--output", "-o",
        help="Save report to specified file"
    )

    args = parser.parse_args()

    # Configure logging level
    if args.verbose:
        logger.setLevel(logging.DEBUG)

    # Create target object
    target = ScanTarget(
        hostname=args.hostname,
        port=args.port,
        use_ssl=args.ssl
    )

    # Run scan
    is_vulnerable, detected_webshells = scan_system(target)

    # Generate and display report
    report = generate_report(target, is_vulnerable, detected_webshells)
    print("\n" + report)

    # Save report if requested
    if args.output:
        try:
            with open(args.output, 'w') as f:
                f.write(report)
            logger.info(f"Report saved to {args.output}")
        except IOError as e:
            logger.error(f"Failed to save report: {e}")

    # Set exit code based on findings
    if is_vulnerable or detected_webshells:
        sys.exit(1)
    else:
        sys.exit(0)


if __name__ == "__main__":
    main()

0x05 参考链接

https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

https://www.theregister.com/2025/04/25/sap_netweaver_patch/

本文参与腾讯云自媒体同步曝光计划，分享自微信公众号。

原始发表：2025-05-02，如有侵权请联系 cloudcommunity@tencent.com 删除

target