@l4rm4nd l4rm4nd commented Dec 4, 2025

PR Information

  • Added multiple SAPControl unauthenticated exposure templates for SAP Start Service (sapstartsrv) / Management Console SOAP API
    • Basically a port of popular Metasploit modules for Nuclei
      • auxiliary/scanner/sap/sap_mgmt_con_abaplog
      • auxiliary/scanner/sap/sap_mgmt_con_getenv
      • auxiliary/scanner/sap/sap_mgmt_con_version
      • auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
      • auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
      • auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
      • auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
      • auxiliary/admin/sap/sap_mgmt_con_osexec
  • New templates:
    • sap-sapcontrol-abapreadsyslog-log-disclosure
      • Detects unauthenticated access to ABAPReadSyslog, leaking ABAP system log (SM21) entries
    • sap-sapcontrol-getenvironment-env-disclosure
      • Detects unauthenticated access to GetEnvironment, leaking full process environment variables
    • sap-sapcontrol-getversioninfo
      • Detects unauthenticated access to GetVersionInfo and extracts kernel version information for sapstartsrv and msg_server as well as the SAP SID from typical /usr/sap/<SID>/... paths for fingerprinting and recon
    • sap-sapcontrol-getinstanceproperties
      • Detects unauthenticated access to GetInstanceProperties, enumerating all Webmethods vs Protected Webmethods and basic instance metadata
    • sap-sapcontrol-listlogfiles-log-enum
      • Detects unauthenticated access to ListLogFiles, enumerating SAP log and trace files
    • sap-sapcontrol-listconfigfiles-config-enum
      • Detects unauthenticated access to ListConfigFiles, enumerating SAP profile and configuration files
    • sap-sapcontrol-readconfigfile-config-disclosure
      • Chains ListConfigFiles and ReadConfigFile to read DEFAULT.PFL without authentication and extract key parameters
    • sap-sapcontrol-readlogfile-log_disclosure
      • Detects SAP systems where the SAP Start Service (sapstartsrv) SAPControl SOAP interface exposes the ReadDeveloperTrace web method without authentication to retrieve log files like sapstart.log and many others.
    • sap-sapcontrol-osexecute-unauth-rce
      • Detects unauthenticated OSExecute RCE via a benign proof of concept command (/bin/sh -c id)

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

  • All templates target the SAPControl SOAP endpoint exposed by sapstartsrv and are parameterized via BaseURL or Path plus Hostname
  • Matchers are designed to reduce false positives by:
    • Requiring specific SOAP method responses (e.g. ABAPReadSyslogResponse, GetEnvironmentResponse, ListLogFilesResponse, ReadConfigFileResponse)
    • Checking for expected XML elements and sample content (e.g. HOME=/home/, <configfiles>, <file>, <filename>, uid= from id output)
    • Ensuring no access denied or authorization errors are present for the RCE check
  • The sap-sapcontrol-osexecute-unauth-rce template uses a low-impact, read-only command (id) for exploitation validation. I have not found a vulnerable host yet, but will update the template once I find a true positive.

Example local test invocation pattern (replace target values accordingly):

nuclei -u https://target:50013/ -t ./sap-sapcontrol-*.yaml -debug
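
The GetInstanceProperties response described above lists an instance's Webmethods and Protected Webmethods; a defender triaging scanner output wants to know which sensitive methods fall outside the protected set. The following is an added example, not code from this PR or the nuclei-templates project: it parses a constructed sample response (assuming the `<properties><item><property>/<value>` layout sapstartsrv uses) and reports which of the methods the templates probe are reachable without authentication.

```python
import xml.etree.ElementTree as ET

# Web methods the templates in this PR probe; an unprotected one is the finding.
SENSITIVE = {
    "ABAPReadSyslog", "GetEnvironment", "ListLogFiles", "ReadLogFile",
    "ListConfigFiles", "ReadConfigFile", "ReadDeveloperTrace", "OSExecute",
}

# Constructed sample response (not captured from a real host); the element
# layout is an assumption about sapstartsrv's GetInstancePropertiesResponse.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<GetInstancePropertiesResponse xmlns="urn:SAPControl">
<properties>
<item><property>Webmethods</property><propertytype>Attribute</propertytype>
<value>GetVersionInfo,GetInstanceProperties,ListLogFiles,ReadLogFile,OSExecute</value></item>
<item><property>Protected Webmethods</property><propertytype>Attribute</propertytype>
<value>Start,Stop,ReadConfigFile,GetEnvironment,ABAPReadSyslog</value></item>
<item><property>SAPSYSTEMNAME</property><propertytype>Attribute</propertytype>
<value>XYZ</value></item>
</properties>
</GetInstancePropertiesResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def _local(tag):
    """Strip the XML namespace so matching does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def parse_properties(xml_text):
    """Return {property name: value} for every <item> in the response."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) != "item":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if "property" in fields:
            props[fields["property"]] = fields.get("value", "")
    return props


def _methods(value):
    """Split sapstartsrv's comma-separated method list into a set."""
    return {m.strip() for m in value.split(",") if m.strip()}


def unprotected_sensitive(xml_text):
    """Sensitive methods this instance serves without authentication, or None
    when the document is not a GetInstanceProperties response (matcher miss)."""
    props = parse_properties(xml_text)
    if "Webmethods" not in props:
        return None
    exposed = _methods(props["Webmethods"]) - _methods(props.get("Protected Webmethods", ""))
    return sorted(exposed & SENSITIVE)
```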


l4rm4nd commented Dec 4, 2025

I've added three more templates to detect SAP technologies like:

  • sap-management-console-panel.yaml
    • Detects the SAP Management Console, which also hosts the SOAP API
  • sap-message-server-detect.yaml
    • Detects SAP Message Server + returns version from server header
  • sap-message-server-console-exposed.yaml
    • Detects SAP Message Server console + returns version from server header

See e0dda3d

@theamanrawat theamanrawat added the Status: In Progress This issue is being worked on, and has someone assigned. label Dec 8, 2025