Technical Analysis of SAP Exploit Script Used in JLR, Harrods Hacks
17 hours ago
- #Exploit
- #SAP
- #Cybersecurity
- The script targets a critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver's Visual Composer Metadata Uploader component.
- The vulnerability allows unauthenticated file uploads to the server’s filesystem via the HTTP endpoint /developmentserver/metadatauploader.
- Attackers can upload arbitrary files (e.g., malicious JSP web shells) to achieve remote code execution (RCE) with the privileges of the SAP service account.
- The script automates exploitation by crafting HTTP POST requests with embedded payloads and optionally dropping a persistent shell.
- Key functions include initialization and argument parsing, deserialization payload construction (OAST check mode), and web shell file upload.
- Exploitation involves targeting the SAP Metadata Uploader, crafting malicious requests, embedding payloads, and triggering code execution.
- Indicators of compromise (IoCs) include unusual HTTP POST traffic to /developmentserver/metadatauploader and unexpected JSP files on the server.
- Mitigation strategies include applying SAP patches, isolating vulnerable components, enforcing authentication, and monitoring for exploitation signs.
- Detection rules focus on spotting webshell uploads and command execution via JSP files in SAP directories.
- The script exhibits malicious code patterns like obfuscated payloads (Base64 encoding), command injection, and randomization for evasion.
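The indicators and detection rules above (POST traffic to `/developmentserver/metadatauploader`, JSP requests that look like command execution, and unexpected JSP files in SAP web directories) can be turned into a small triage script. The following is an added example, not code from the original analysis; the access-log lines are constructed, the SAP directory path is illustrative, and the `known_jsp` baseline is an assumed allowlist that a defender would build from a clean system.

```python
import os
import re

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2025:10:12:01 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [05/Sep/2025:10:12:05 +0000] "GET /irj/portal HTTP/1.1" 200 8124 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2025:10:12:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64 "-" "curl/8.4"
10.0.0.5 - - [05/Sep/2025:10:13:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOADER_PATH = "/developmentserver/metadatauploader"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_uploader_posts(lines):
    """Rule 1: every POST to the Metadata Uploader endpoint.

    The endpoint is the unauthenticated entry point described in the analysis,
    so any hit is worth a ticket; a 2xx response is escalated because it means
    the server accepted the upload rather than rejecting it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path_only = rec["path"].split("?", 1)[0].lower()
        if path_only == UPLOADER_PATH:
            rec["severity"] = "high" if 200 <= rec["status"] < 300 else "medium"
            hits.append(rec)
    return hits


def flag_jsp_requests(lines):
    """Rule 2: requests for a .jsp resource that carry a query string.

    Dropped web shells are typically invoked this way; legitimate SAP portal
    traffic rarely hits bare JSP files with parameters, so tune against a baseline."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_only, sep, _query = rec["path"].partition("?")
        if sep and path_only.lower().endswith(".jsp"):
            hits.append(rec)
    return hits


def find_unexpected_jsp(paths, known_jsp):
    """Rule 3: .jsp files that are not in the allowlist of known-good JSP files.

    `known_jsp` is an assumed baseline collected from a clean installation."""
    return sorted(p for p in paths if p.lower().endswith(".jsp") and p not in known_jsp)


def collect_files(root):
    """Walk a directory tree (e.g. the SAP J2EE web root) and return all file paths."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        out.extend(os.path.join(dirpath, f) for f in files)
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in flag_uploader_posts(lines):
        print(f"[{h['severity']}] uploader POST from {h['ip']} status={h['status']}")
    for h in flag_jsp_requests(lines):
        print(f"[jsp-exec] {h['ip']} requested {h['path']}")
    # Illustrative SAP web-root path (SID/instance are placeholders); not a real host.
    sample_files = [
        "/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp",
        "/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/index.jsp",
    ]
    baseline = {"/usr/sap/SID/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/index.jsp"}
    for p in find_unexpected_jsp(sample_files, baseline):
        print(f"[jsp-file] unexpected JSP: {p}")
```

In production the log source would be the ICM/HTTP access log or a reverse proxy in front of it, and the file baseline should be rebuilt after every patch so legitimate JSPs shipped by SAP do not fire Rule 3.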